TL;DR: CISA released Cross-Sector Cybersecurity Performance Goals (CPG) version 2.0 in late 2025, with an updated CSET Assessment Module landing in Q1 2026. CPG 2.0 is a free, prioritized list of high-impact security controls explicitly designed for small and medium businesses. For NC manufacturers, construction firms, and professional services companies that have never run a formal cybersecurity assessment, CPG 2.0 is the most accessible starting point on the market, and it now maps cleanly to NIST CSF 2.0, cyber insurance underwriting questions, and the controls auditors actually ask about.
Key takeaway: According to CISA's announcement of CPG 2.0, the goals are voluntary, no-cost, and explicitly intended to help small and medium organizations "kickstart their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes." Most NC small businesses can complete an initial self-assessment in under 8 hours.
Want CPG 2.0 implemented in your business? Preferred Data Corporation has been guiding North Carolina businesses through cybersecurity frameworks since 1987. BBB A+ rated. Call (336) 886-3282 or request a CPG 2.0 readiness assessment.
What is CISA CPG 2.0 and why does it matter for NC small businesses?
CISA CPG 2.0 is the second version of the Cross-Sector Cybersecurity Performance Goals, a free, voluntary set of prioritized security controls published by the U.S. Cybersecurity and Infrastructure Security Agency. According to the CISA CPG 2.0 program page, the goals consolidate previously separate IT and Operational Technology (OT) controls into universal goals, add a new "Govern" function, and incorporate three years of operational data from CISA's incident response engagements.
For NC small businesses, CPG 2.0 matters because:
- It is free. CISA publishes the framework, the implementation checklist, and the CSET self-assessment tool at no cost.
- It is prioritized. Each goal carries a Cost, Impact, and Ease of Implementation rating, so resource-constrained businesses can sequence work by ROI.
- It maps to NIST CSF 2.0. CPG 2.0 aligns to the six CSF Functions (Govern, Identify, Protect, Detect, Respond, Recover), eliminating duplicate work for businesses pursuing CSF, CMMC, or HIPAA alignment.
- It is what insurers and auditors ask about. Cyber insurance underwriters increasingly reference CPG-aligned controls in their questionnaires.
The updated CSET Assessment Module for CPG 2.0 is expected to be available in Q1 2026, giving small businesses a guided self-assessment they can complete without consulting fees.
What changed between CPG 1.0 and CPG 2.0?
According to CISA's announcement and CPG 2.0 program documentation, four major changes shape the 2.0 release:
1. A new Govern function
CPG 1.0 was control-focused; CPG 2.0 adds a Govern function that addresses leadership accountability, risk tolerance, third-party risk management, and policy. This is the function most NC small businesses are weakest on, because owners often equate cybersecurity with technology rather than governance.
2. IT and OT goals consolidated
Manufacturers running plant-floor systems no longer have to navigate two parallel goal sets. CPG 2.0 universal goals apply to both office IT and operational technology environments, with implementation nuance noted where it matters. This is a significant simplification for NC manufacturers with hybrid IT/OT environments.
3. Refined Cost, Impact, and Ease of Implementation ratings
Each goal is rated on three dimensions so a business with limited budget can identify high-impact, low-cost actions first. The ratings now include explicit definitions and logic so two assessors arrive at consistent scores.
4. Aligned to NIST CSF 2.0 and emerging threats
CPG 2.0 explicitly maps to NIST CSF 2.0 categories and subcategories, simplifying multi-framework programs. It also incorporates lessons from supply chain attacks, ransomware, and identity-centric threats CISA has observed since 2022.
What are the core CPG 2.0 domains for NC small businesses?
CPG 2.0 covers seven core domains. The table below pairs each domain with the most common gaps PDC sees in NC small businesses and the typical first action.
| CPG 2.0 Domain | Common NC SMB Gap | Highest-Impact First Action |
|---|---|---|
| Account Security | Shared admin accounts, no MFA on email | Enforce phishing-resistant MFA on admin and finance accounts |
| Device Security | No EDR, mixed personal devices | Deploy managed EDR on every workstation and server |
| Data Protection | No off-site immutable backups | Implement 3-2-1 backup with immutable copy |
| Governance | No written cybersecurity policy or named owner | Designate a cybersecurity owner; document acceptable use |
| Vulnerability Management | Patching by exception, no inventory | Implement automated patching for OS and key apps |
| Supply Chain Risk | No vendor inventory or due diligence | Build a vendor inventory and tier by data sensitivity |
| Incident Response & Recovery | No written plan, no tabletop test | Write a 5-page IR plan and tabletop it once a year |
How does an NC small business implement CPG 2.0 in 90 days?
An NC small business implements CPG 2.0 in 90 days by following a three-phase plan: assess, prioritize, and remediate. This is the cadence PDC uses with NC manufacturers, construction firms, and professional services companies, and it consistently delivers measurable maturity gains within a single quarter.
Phase 1 (Days 1-30): Assess
- Download the CPG 2.0 Checklist from CISA
- Walk through every goal with the cybersecurity owner and IT lead
- Score each goal as Implemented, Partially Implemented, or Not Implemented
- Identify the top 10 highest-impact gaps using the CPG Cost/Impact/Ease ratings
The assessment is typically a 4-to-8-hour conversation for a 25-to-100-employee NC business. If you do not have an in-house cybersecurity owner, this is where a managed cybersecurity partner adds the most value.
Phase 2 (Days 31-60): Prioritize and budget
- Group remediations into Quick Wins (low cost, high impact, can complete in <30 days)
- Group remaining items into 90-day and 12-month projects
- Estimate cost: licensing, tooling, professional services, training
- Secure budget and owner buy-in
- Sequence work to address account security and backups first
Phase 3 (Days 61-90): Remediate the top five gaps
- Roll out phishing-resistant MFA on admin and finance accounts
- Deploy managed EDR on all endpoints
- Implement immutable, off-site backups with monthly restore tests
- Designate a cybersecurity owner and publish a one-page acceptable use policy
- Run a 90-minute tabletop incident response exercise
Within 90 days, most NC small businesses move from "Not Implemented" to "Partially Implemented" on the highest-impact CPG 2.0 goals. The remaining work becomes a 12-month roadmap with quarterly reviews.
Learn more about PDC's managed cybersecurity services.
How does CPG 2.0 align with other frameworks?
CPG 2.0 aligns with NIST CSF 2.0 directly, and indirectly with NIST 800-171, CMMC, HIPAA Security Rule, PCI DSS, and most state privacy laws. The following table shows the practical alignment for NC small businesses pursuing multiple frameworks at once.
| Framework | Relationship to CPG 2.0 | Why It Matters for NC SMBs |
|---|---|---|
| NIST CSF 2.0 | Direct mapping (Functions, Categories, Subcategories) | Reduces duplicate work across compliance programs |
| NIST 800-171 / CMMC | CPG 2.0 is a subset; NIST 800-171 adds CUI-specific controls | DoD prime contractors and subs need both |
| HIPAA Security Rule | CPG 2.0 satisfies most administrative and technical safeguards | NC healthcare practices benefit from CPG-first approach |
| PCI DSS | CPG 2.0 addresses ~70% of PCI requirements for SMB merchants | NC retailers and restaurants reduce PCI scope and cost |
| Cyber insurance | CPG-aligned controls match most underwriting questions | Better insurance pricing and renewal terms |
According to Tandem's CPG 2.0 alignment analysis, the strongest argument for starting with CPG 2.0 is that no other free, prioritized framework spans IT, OT, and Govern functions with this level of clarity for SMBs.
Why is the new Govern function critical for NC small businesses?
The new Govern function is critical for NC small businesses because it forces a conversation many owners have avoided: who owns cybersecurity, what risks the business will accept, and how vendors are managed. Without governance, even well-implemented technical controls degrade within a year.
Govern function priorities for a typical NC small business:
1. Named cybersecurity owner
One person, named in writing, accountable for the cybersecurity program. This person does not need to be a CISO; a controller, COO, or IT lead can hold the role with the right authority and support.
2. Written policy set
A short, readable acceptable use policy, a password and MFA policy, an incident response plan, and a vendor management policy. Five to fifteen pages total, not 200.
3. Risk register
A living document listing the top cybersecurity risks, their likelihood, their potential impact, and the mitigation plan. Reviewed quarterly.
4. Third-party risk management
Vendor inventory, tiered due diligence, contract terms, and annual revalidation. According to CISA's CPG 2.0 announcement, supply chain risk is one of the most expanded domains in CPG 2.0.
5. Board-level reporting
A quarterly one-page status report to ownership covering the top risks, control maturity, and incidents. For closely held NC businesses, this is often a 30-minute conversation between the owner and the cybersecurity owner.
Key takeaway: CPG 2.0 finally treats cybersecurity governance as a peer to technology controls. NC small businesses that name an owner, write down their policies, and review them quarterly will see measurable improvement even before they buy a new tool.
What free tools does CISA provide for CPG 2.0 implementation?
CISA provides several free tools that NC small businesses can use to implement CPG 2.0 without consulting fees:
- CPG 2.0 Report (PDF): The full framework with implementation guidance, available on the CISA CPG 2.0 page
- CPG 2.0 Checklist: A printable assessment worksheet for self-evaluation
- CSET Assessment Module (Q1 2026): Guided self-assessment software with reporting
- CISA Vulnerability Scanning: Free external vulnerability scans
- CISA Web Application Scanning: Free scans of internet-facing applications
- CISA Cyber Hygiene Reports: Monthly reports on internet-exposed services
- CISA Tabletop Exercises Library: Free incident response exercise scenarios
According to CISA's small and medium business guidance, these tools are available to any U.S. business without registration cost. PDC frequently combines these free tools with managed cybersecurity engagements to maximize value for NC small business clients.
What should NC small business owners do this week?
NC small business owners should download the CPG 2.0 framework and complete a one-day self-assessment within the next 30 days, before cyber insurance renewal, the next vendor questionnaire, or the next audit.
Action checklist:
- [ ] Download the CPG 2.0 Report and Checklist from CISA
- [ ] Schedule a 4-hour internal assessment with the owner, IT lead, and operations lead
- [ ] Score each goal as Implemented, Partially Implemented, or Not Implemented
- [ ] Identify the top 5 Quick Wins (high impact, low cost, fast to implement)
- [ ] Name a cybersecurity owner and announce it internally
- [ ] Subscribe to CISA's free vulnerability scanning
- [ ] Plan a 90-day remediation roadmap for the top five gaps
Need help? Preferred Data Corporation guides NC manufacturers, construction firms, and professional services companies through CPG 2.0 self-assessment, gap remediation, and ongoing program management. Call (336) 886-3282 or contact us.
Key takeaway: CPG 2.0 is the closest the federal government has come to giving NC small businesses a free, prioritized cybersecurity roadmap. The businesses that do the work in 2026 will see measurable maturity gains, lower cyber insurance premiums, and easier customer and vendor security questionnaires.
Why partner with Preferred Data Corporation on CPG 2.0?
PDC has been protecting North Carolina businesses since 1987 and has guided manufacturers, construction firms, healthcare practices, and professional services companies through every iteration of the federal cybersecurity frameworks. Our CPG 2.0 engagements include:
- CPG 2.0 self-assessment facilitation
- NIST CSF 2.0 mapping and gap analysis
- Quick-Win remediation in the first 90 days
- 12-month maturity roadmap with quarterly reviews
- Managed cybersecurity services aligned to CPG 2.0 controls
- Cyber insurance renewal preparation
- On-site response within 200 miles of High Point
We meet NC small businesses where they are, then guide them to where the framework expects them to be.
About Preferred Data Corporation
Preferred Data Corporation (PDC) is a managed IT and cybersecurity provider headquartered at 1208 Eastchester Drive, Suite 131, High Point, NC 27265. Founded in 1987, PDC serves NC manufacturers, construction firms, and professional services companies across the Piedmont Triad, Research Triangle, and Charlotte metros.
Get a CPG 2.0 readiness assessment:
- Call (336) 886-3282
- Visit preferreddata.com/contact
- Email [email protected]
Frequently Asked Questions
Is CPG 2.0 mandatory for North Carolina small businesses?
No. CPG 2.0 is voluntary, free, and intended as guidance. However, the controls in CPG 2.0 are increasingly referenced by cyber insurance underwriters, prime contractor security questionnaires, and state procurement processes. Voluntary today, expected tomorrow.
How does CPG 2.0 differ from NIST CSF 2.0?
CPG 2.0 is a prioritized, opinionated subset of CSF 2.0 controls aimed at small and medium organizations. CSF 2.0 is comprehensive and flexible; CPG 2.0 is shorter and tells you what to do first. The two frameworks map directly to each other, so work done in CPG 2.0 counts toward CSF 2.0 maturity.
What does CPG 2.0 cost a small business to implement?
The framework itself is free. Implementation cost depends on the gaps revealed. According to PDC's experience with NC clients, a typical 25-to-100-employee business spends $15,000 to $60,000 in the first year on tooling and managed services to close the highest-priority gaps, with ongoing costs absorbed into a managed cybersecurity retainer.
Can an NC small business complete a CPG 2.0 self-assessment without hiring a consultant?
Yes. CISA publishes the framework, checklist, and (in Q1 2026) the CSET Assessment Module specifically so small businesses can self-assess. Many NC small businesses complete a useful first pass internally, then engage a managed cybersecurity partner only for remediation and ongoing monitoring.
Does CPG 2.0 satisfy cyber insurance requirements?
CPG 2.0 covers the majority of the controls cyber insurance underwriters ask about, including MFA, EDR, backup testing, incident response planning, and third-party risk management. Implementing CPG 2.0 will not guarantee lower premiums, but it dramatically improves the documentation a business can present at renewal, which often results in better terms.