The Cybersecurity & Infrastructure Security Agency (CISA) recently released an updated version of its Cross-Sector Cybersecurity Performance Goals (CPG 2.0), marking a significant shift toward a more resilient national cyber posture. By aligning these goals with the NIST Cybersecurity Framework 2.0, CISA is providing critical infrastructure organizations in sectors such as energy, financial services, IT, healthcare and government with a streamlined, outcome-driven baseline for managing rapidly evolving, AI-driven cyber threats.
At Yubico, we see this as a critical step in moving the industry toward higher assurance levels and away from the legacy security vulnerabilities that continue to plague modern enterprises, critical infrastructure and governments. The updated CPGs emphasize that effective governance is the cornerstone of security – which begins with a fundamental shift in how organizations handle credentials.
CISA’s recommended actions for implementing MFA (section 3.F) are clear: organizations should utilize the strongest authentication method available. Phishing-resistant MFA (FIDO/WebAuthn or PKI-based), which includes YubiKeys, sits at the top of the hierarchy – hardware-backed security keys let organizations keep private keys under their own control and enable the highest-assurance passkeys.
Let’s break down some other key points across the new goals:
- Mitigate Known Vulnerabilities (2.B)
Phishing remains one of the most common and impactful threats facing critical infrastructure today, now exacerbated by AI. While often overlooked in favor of complex technical exploits, simple phishing scams are the primary entry point for adversaries.
To counter this, organizations must adopt phishing-resistant MFA, which binds the authentication ceremony to known, registered web domains.
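To show what “binding to a registered web domain” means in practice, here is an added example (not Yubico’s code and not from the original post) of the origin check a WebAuthn relying party performs on the client data an authenticator signs; the RP origin and the sample client data are assumed and constructed for the demonstration:

```python
import base64
import hashlib
import json

# Origin the relying party registered its WebAuthn credentials for (assumed value).
RP_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes) -> dict:
    """Relying-party checks on clientDataJSON for an assertion (type webauthn.get).

    The browser, not the page, writes the origin into clientDataJSON, and the
    authenticator signs SHA-256(clientDataJSON) together with authenticatorData.
    A credential exercised on a look-alike site therefore carries that site's
    origin under the signature, and the check below rejects it. The browser and
    authenticator already refuse to use a credential scoped to another RP ID;
    this server-side check is the second layer of that same domain binding.
    """
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return {"ok": False, "reason": "clientDataJSON is not valid JSON"}
    if data.get("type") != "webauthn.get":
        return {"ok": False, "reason": "unexpected ceremony type"}
    if data.get("challenge") != b64url(expected_challenge):
        return {"ok": False, "reason": "challenge mismatch (replay or wrong session)"}
    if data.get("origin") != RP_ORIGIN:
        return {"ok": False, "reason": f"origin {data.get('origin')!r} is not the registered RP"}
    # This hash is the value covered by the authenticator's signature.
    return {"ok": True, "client_data_hash": hashlib.sha256(client_data_json).digest()}


# Constructed sample inputs: a server-issued challenge and two clientDataJSON blobs
# as a browser would build them on the genuine site and on a look-alike domain.
CHALLENGE = bytes(range(32))
GENUINE = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE),
                      "origin": "https://login.example.com"}).encode()
LOOKALIKE = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE),
                        "origin": "https://login-example.com"}).encode()

if __name__ == "__main__":
    print(verify_client_data(GENUINE, CHALLENGE)["ok"])        # True
    print(verify_client_data(LOOKALIKE, CHALLENGE)["reason"])  # origin rejected
```

A password or OTP carries no such origin field, which is why those factors can be relayed from a look-alike site while a FIDO assertion cannot.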
- Changing Default Passwords (3.A) and Unique Credentials (3.C)
Relying on default passwords is a critical risk; the new guidance suggests it is often better to disable default accounts entirely to prevent unauthorized access.
CISA also highlights the necessity of distinct credentials for all accounts and contexts – ensuring that user and administrative roles remain strictly separated with unique, hardware-backed protections. A YubiKey allows you to securely carry multiple credentials on one authenticator.
- Managing Third-Party and MSP Risks (1.E)
A major addition to CPG 2.0 is the expanded focus on third-party risk, specifically regarding Managed Service Providers (MSPs). Because MSPs often have privileged access to multiple environments, they are high-value targets.
Organizations should demand that their MSPs use FIDO-based authentication to ensure that a compromise at the provider level does not become a catastrophic breach for the client.
Staying ahead of evolving threats with the phishing-resistance gold standard
While recent NIST guidance notes that synced passkeys can meet Authentication Assurance Level 2 (AAL2), they involve security tradeoffs because the private key is synced to the cloud. For critical infrastructure and high-risk enterprise use cases, controlling the private key is paramount. The private key is the “crown jewel” of authentication; whoever possesses it has access to everything it protects.
Hardware-backed, device-bound passkeys – such as those found on the YubiKey – provide AAL3 protection. Because passkeys on YubiKeys are stored in dedicated hardware and cannot be copied to a sync fabric, they offer the highest level of verifiable user assurance and meet the most stringent requirements of CPG 2.0.
Although the CPGs are non-binding, they are increasingly factored into regulatory actions and enforcement for critical infrastructure. By adopting these goals now – particularly by demanding FIDO-based security from partners and implementing hardware-backed passkeys – organizations can build a foundational level of cybersecurity that is measurable, repeatable, and resilient against modern and evolving AI threats.
If cybersecurity is a building, CISA’s CPG 2.0 is the reinforced blueprint – and hardware-backed FIDO authentication is the unbreakable lock on the front door.
If you have questions or are interested in bringing YubiKeys, the gold standard of phishing-resistant security, to your organization, reach out to our team. For more information on how to get started using and implementing device-bound passkeys for your organization, read our whitepaper here.
