
CISA's Cybersecurity Performance Goals 2.0: What Boards Need to Know About the New 'Govern' Function
CISA's CPG 2.0 introduces the GOVERN function, making cybersecurity a boardroom responsibility. Learn what boards must know about this significant policy shift.
Cybersecurity just became a boardroom performance metric. With CISA's release of Cybersecurity Performance Goals 2.0 in December 2025, the federal government has drawn a clear line: the most significant change in CPG 2.0 is the introduction of the GOVERN function, placing cybersecurity squarely in the boardroom.
This is not a subtle update to a technical checklist. It is a structural realignment that makes executive accountability for cyber risk explicit, measurable, and auditable.
For boards that have treated cybersecurity as "something IT handles," the window for that posture has closed.
CPG 2.0 includes a new component focused on the essential role of governance in managing cybersecurity. It emphasizes accountability, risk management, and strategic integration of cybersecurity into day-to-day operations, reinforcing the principle that effective governance is the cornerstone of a resilient cyber posture.
With CIRCIA enforcement arriving in May 2026, SEC examination priorities targeting cybersecurity governance, and cyber insurers tightening underwriting standards, this convergence demands immediate board attention.
The financial stakes are real.
According to the IBM Cost of a Data Breach Report 2025, the average cost of a data breach for U.S. companies jumped 9% to an all-time high of $10.22 million in 2025, even as the global average cost fell 9% to $4.44 million.
Boards that fail to govern cyber risk proactively are not just accepting operational risk; they are accepting personal liability exposure.
What Changed in CPG 2.0, and Why It Matters
CISA released version 2.0 of its Cross-Sector Cybersecurity Performance Goals, offering organizations a more robust framework for integrating cybersecurity into daily operations. The updated CPGs align with NIST CSF 2.0, incorporate three years of operational insights, and address emerging threats through data-driven, actionable guidance.
The most consequential change is the addition of a sixth function.
A new "Govern" function underscores the critical role of organizational leadership in cybersecurity, regrouping existing goals and introducing two new ones focused on risk management strategy, policy development, and executive accountability.
Here is what boards need to understand about the structural shift:
| Dimension | CPG 1.0.1 | CPG 2.0 | Board Impact |
|---|---|---|---|
| Framework Functions | 5 (Identify, Protect, Detect, Respond, Recover) | 6 (adds Govern) | Governance is now a standalone, auditable requirement |
| Leadership Accountability | Implicit, buried in documentation | Explicit roles, responsibilities, and authorities required | Board must define and communicate cyber oversight structure |
| IT/OT Alignment | Separate IT and OT goals | Unified universal goals across IT, IoT, and OT | Single framework reduces complexity for oversight |
| Third-Party Risk | Not explicitly addressed | New goal for managed service provider risk (1.E) | Supply chain oversight becomes a board-level concern |
| Policy Review | Recommended practice | Annual review required, communicated and enforced | Board must verify policy currency and enforcement |
| Assessment Tooling | Basic checklist | New CSET module with Cost, Impact, and Ease ratings | Quantifiable metrics for board-level reporting |
CPG 2.0 includes four new goals to address emerging threats and gaps, including "risks from third-party providers with deep system access" and "zero-trust principles to mitigate lateral movement."
The CPG 2.0 Report now includes improved Cost, Impact, and Ease of Implementation ratings for each goal, giving boards a decision framework they can actually use.
The Regulatory Convergence: Three Forces Boards Cannot Ignore
1. CIRCIA Enforcement (May 2026)
CISA is now set to finalize regulations to implement certain aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) by May 2026.
Under CIRCIA, critical infrastructure operators must notify CISA within 72 hours of experiencing a significant cyber incident, and within 24 hours if a ransomware payment is made.
The enforcement implications are severe.
The reporting and retention requirements outlined within the notice are the most sweeping to date, posing harsh penalties for noncompliance. The notice makes clear that the federal government intends to impose criminal and civil liability on individuals, including corporate employees reporting on behalf of a covered entity, who interfere with CISA's ability to obtain accurate information.
CISA has estimated that the rule would apply to more than 300,000 entities.
2. SEC Examination Priorities for 2026
The SEC's Division of Examinations identified cybersecurity, particularly defenses and incident response plans, as a "perennial examination priority" in its 2026 Exam Priorities.
Reviews will assess cybersecurity governance, identity theft prevention controls, vendor oversight, and preparedness for sophisticated cyber threats, including AI-driven intrusions.
Two filing cycles into the SEC cyber disclosure rules, governance has shifted from informal updates to structured oversight that investors can track across Forms 8-K and 10-K. Boards now expect consistent evidence of cyber risk management tied to strategy, operational resilience, and disclosure readiness.
3. Cyber Insurance Market Tightening
The insurance market is reinforcing these governance requirements through underwriting.
The message from insurers is clear: the maturity of your identity security controls now directly influences your coverage limits and premiums.
Organizations leveraging AI-powered defense tools report tangible insurance benefits. More than four in five respondents report that insurers offered premium reductions or credits for using AI in defense.
Meanwhile, there was a significant increase in average and median ransomware payments in the second quarter of 2025. According to Coveware, average ransom payments increased 104% between Q1 and Q2 of 2025, while median ransom payments rose 100% during the same period. Publicly disclosed ransomware attacks reached new heights in Q2 2025, with a total of 276 incidents, representing a 63% increase compared to the same period in 2024.
**Board Brief:** CPG 2.0's Govern function, CIRCIA's reporting mandates, SEC disclosure expectations, and insurer underwriting requirements are converging on a single demand: documented, executive-level accountability for cybersecurity risk management. This is no longer a compliance exercise. It is a fiduciary obligation.
The Threat Landscape Validates the Urgency
KELA disclosed that 4,701 ransomware incidents were recorded globally between January and September 2025, up from 3,219 during the same period in 2024. Of these, 2,332 attacks, or 50%, targeted critical infrastructure sectors, marking a 34% year-over-year increase in attacks on essential industries.
97% of AI-related breaches occurred in organizations without proper AI access controls. 63% of organizations lack AI governance policies. Shadow AI, the unsanctioned use of AI by employees, was a factor in 20% of breaches, adding $670,000 to average costs.
These numbers confirm what CPG 2.0 codifies: ungoverned environments get breached more often, and they pay more when they do.
Aligning CPG 2.0 with NIST CSF 2.0: The Govern Function Explained
The "Govern" function in NIST CSF 2.0 establishes and monitors an organization's cybersecurity risk management strategy, expectations, and policy. As one expert notes, "The function is not merely an add-on but a fundamental shift integrating cybersecurity with enterprise risk management."
In NIST CSF 2.0, "Govern" is a standalone function. In the official diagram, "Govern" is placed in the center of the wheel, touching and influencing all other functions (Identify, Protect, Detect, Respond, Recover).
CISA's CPG 2.0 translates this architecture into specific, attestable goals that organizations can measure against.
For boards, the Govern function answers three critical questions:
The 'Govern' function involves establishing clear structures and processes to manage risks and ensure accountability across the organization. Roles, responsibilities, and authorities related to the organization's cybersecurity program must be well defined, communicated, and enforced. This ensures alignment within the organization and with external partners.
Policies for managing the cybersecurity program are reviewed at least annually, updated when changes are applied, communicated, and enforced to reflect changes in requirements, risks, threats, technology, and organizational mission.
CSF 2.0 emphasizes cybersecurity as a strategic business function, not just an IT operational issue. It elevates accountability, supports harmonization with other standards and enables a repeatable approach to cyber resilience.
Board Readiness Checklist: 10 Actions Before May 2026
Use this checklist to assess your organization's alignment with CPG 2.0's Govern function and the approaching CIRCIA deadline:
Emerging Trend: AI Governance as the Next Board Imperative
The SEC's 2026 examination priorities reveal a significant shift: concerns about cybersecurity and AI have displaced cryptocurrency as the industry's dominant risk topic.
A staggering 97% of breached organizations that experienced an AI-related security incident say they lacked proper AI access controls. Additionally, 63% revealed they have no AI governance policies in place.
CPG 2.0's Govern function provides a natural extension for AI governance. Organizations that build their governance structure today will find it straightforward to extend those accountability mechanisms to AI risk as regulations mature.
Emerging Trend: From Voluntary to Expected
While CISA explicitly states that CPG 2.0 is voluntary, the practical reality tells a different story.
Public companies should consider reviewing their cybersecurity compliance and controls, incident response procedures and maintaining effective internal and disclosure controls related to cybersecurity incidents. Entities that establish good governance procedures and follow them in the wake of an incident are less likely to be second-guessed.
When insurers reference CPG alignment in underwriting questionnaires, when SEC examiners assess governance structures, and when CIRCIA requires documented incident communication procedures, "voluntary" becomes the de facto standard of care.
How I Help
With 20+ years of experience advising boards and C-suite executives on cybersecurity governance, I help organizations navigate exactly this type of regulatory convergence.
Virtual CISO Services: I embed as your fractional CISO, building the governance structures CPG 2.0 demands, from policy frameworks and risk appetite statements to board reporting cadences that satisfy SEC and insurer requirements.
Board Advisory: I translate technical requirements into business language your board can act on. This includes tabletop exercises, quarterly board briefings, and readiness assessments aligned to NIST CSF 2.0 and CPG 2.0.
Compliance Program Development: I design compliance architectures that map CPG 2.0, CIRCIA, SEC disclosure rules, and cyber insurance requirements into a single, efficient program, eliminating redundancy and audit fatigue.
AI Governance: I help organizations extend their cybersecurity governance frameworks to cover AI risk, addressing the shadow AI gap that IBM's research shows costs organizations $670,000 more per breach.
Security Architecture Review: I assess your current technical controls against CPG 2.0 goals and build a prioritized remediation roadmap with cost, impact, and implementation ratings your CFO will appreciate.
The Govern function in CPG 2.0 is not a suggestion. It is the federal government's clearest statement yet that cybersecurity is a leadership discipline. The organizations that treat it as such will outperform their peers in resilience, insurability, and regulatory standing.
Ready to align your board's cyber oversight with CPG 2.0? Contact me to schedule a board readiness assessment.
Adil Karam
Security & AI Governance Advisor
Helping organizations navigate security leadership and AI governance challenges.