CISA's new Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 represents a practical step forward for organizations seeking a clearer baseline for "what good looks like" in cybersecurity. Released in December 2025, the document is designed to be broadly applicable across critical infrastructure and other sectors, helping teams translate high-level security intent into concrete, measurable outcomes.
One of the most important—and often overlooked—elements of the CPG 2.0 framework appears in its implementation guidance: the explicit recommendation to use cost-benefit analysis (CBA) to justify cybersecurity investments. On page 11 of the CPG 2.0 report, CISA points to a CBA approach that involves comparing quantified benefits and costs, encouraging organizations to express benefits in financial terms—including impacts like productivity or revenue loss from downtime, response costs, and replacement costs.
"Organizations are encouraged to use cost-benefit analysis that involves comparing quantified benefits and costs... Benefits can be expressed in financial terms including productivity or revenue loss from downtime, response costs, and replacement costs."
— CISA CPG 2.0 Report, Page 11
That guidance is directionally correct. But it also exposes a common challenge: many organizations cannot consistently "quantify benefits" because they have not built the discipline of cyber risk quantification (CRQ).
Cost-benefit analysis is straightforward in principle: compare the cost of a control (technology, labor, maintenance, operational friction) to the benefit it produces (risk reduction, avoided losses, avoided downtime, avoided recovery costs). The difficulty is that cyber outcomes are probabilistic and scenario-driven. Without a consistent method to quantify risk, cost-benefit analysis becomes guesswork—or worse, a narrative exercise driven by whichever stakeholder argues most persuasively.
This is where cyber risk quantification becomes essential. If you want to perform the cost-benefit analysis that CPG 2.0 describes—"quantified benefits and costs"—you need a systematic way to estimate:
CRQ provides the analytical structure to do that credibly, repeatedly, and in a way that stands up to scrutiny from finance leaders, executives, and boards. Tools like DeNexus' DeRISK Cyber Risk Quantification (CRQ) platform help organizations translate CPG objectives into decision-grade financial estimates that bridge the gap between security operations and business leadership.
CPG 2.0's recommendation to express benefits in financial terms is not merely an accounting preference—it's a governance accelerator. When benefits are expressed as dollars, organizations can make cybersecurity decisions using the same lens they use for other capital and operational investments.
The CPG 2.0 paper points to categories that are immediately business-relevant, such as:
These are exactly the kinds of loss components that CRQ methodologies can estimate. Framing cyber outcomes this way delivers several strategic advantages:
CPG 2.0 can help organizations standardize security outcomes and establish cross-sector baseline expectations. CRQ helps determine which outcomes to prioritize first—and how much to invest. Together, they create a pragmatic, economically defensible operating model:
A practical approach is to quantify a small set of high-impact scenarios that CPG 2.0 controls are designed to reduce. For example:
For each scenario, a quantification exercise can estimate loss ranges and the effect of proposed controls, producing the inputs for the very cost-benefit analysis the CPG 2.0 paper recommends. Solutions like DeNexus' DeRISK Quantified Vulnerability Management (QVM) enable organizations to move beyond traditional CVSS-based prioritization and focus remediation efforts on vulnerabilities that pose the greatest quantified financial risk.
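The following is an added worked example, not code from CISA, the CPG 2.0 report, or any vendor product, showing the quantification exercise described above and the cost-benefit comparison introduced earlier (control cost versus avoided downtime, response and replacement losses). It models one loss scenario as a Poisson event frequency with triangular loss ranges for each CPG 2.0 benefit category, applies a hypothetical control that reduces event frequency and per-event loss, and compares expected and tail annual losses before and after. Every figure in it (the ransomware scenario, its loss ranges, the control's effect and its annual cost) is a constructed placeholder; the `LossScenario`, `Control` and `cost_benefit` names are this example's own.

```python
"""Scenario-based cost-benefit analysis for a cybersecurity control.

Added illustration of a minimal cyber risk quantification (CRQ) model that
produces the "quantified benefits and costs" CPG 2.0 asks for. All scenario
figures, control effects and cost numbers are constructed placeholders for
demonstration, not data from CISA, the CPG 2.0 report or any product.
"""
import math
import random
from dataclasses import dataclass
from typing import Tuple

Range = Tuple[float, float, float]  # (low, most likely, high) in dollars


@dataclass
class LossScenario:
    """One adverse event type: expected annual frequency plus loss ranges
    for the three benefit categories CPG 2.0 names."""
    name: str
    events_per_year: float  # Poisson rate
    downtime: Range         # productivity / revenue loss from downtime
    response: Range         # incident response costs
    replacement: Range      # replacement of damaged assets

    def components(self):
        return (self.downtime, self.response, self.replacement)


@dataclass
class Control:
    """A proposed control with annualized cost and assumed risk reduction."""
    name: str
    annual_cost: float          # technology + labor + maintenance per year
    frequency_reduction: float  # fraction of events prevented (0..1)
    magnitude_reduction: float  # fraction of per-event loss avoided (0..1)


def triangular_mean(r: Range) -> float:
    low, mode, high = r
    return (low + mode + high) / 3.0


def analytic_ale(scenario: LossScenario, control: Control = None) -> float:
    """Closed-form annualized loss expectancy: rate x mean loss per event."""
    rate = scenario.events_per_year
    mean_loss = sum(triangular_mean(c) for c in scenario.components())
    if control:
        rate *= 1.0 - control.frequency_reduction
        mean_loss *= 1.0 - control.magnitude_reduction
    return rate * mean_loss


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method: number of events occurring in one simulated year."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, control=None, years=20000, seed=7):
    """Monte Carlo: total loss for each simulated year, giving a loss
    distribution rather than a single point estimate."""
    rng = random.Random(seed)
    rate, scale = scenario.events_per_year, 1.0
    if control:
        rate *= 1.0 - control.frequency_reduction
        scale = 1.0 - control.magnitude_reduction
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(rng, rate)):
            # random.triangular takes (low, high, mode) in that order
            total += scale * sum(rng.triangular(low, high, mode)
                                 for low, mode, high in scenario.components())
        losses.append(total)
    return losses


def percentile(values, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))]


def cost_benefit(scenario, control, years=20000, seed=7) -> dict:
    """Compare the control's annual cost with the reduction in expected
    (ALE) and tail (95th percentile) annual loss it buys."""
    before = simulate_annual_losses(scenario, None, years, seed)
    after = simulate_annual_losses(scenario, control, years, seed)
    ale_before, ale_after = sum(before) / years, sum(after) / years
    benefit = ale_before - ale_after
    net = benefit - control.annual_cost
    return {
        "ale_before": ale_before, "ale_after": ale_after,
        "p95_before": percentile(before, 0.95),
        "p95_after": percentile(after, 0.95),
        "annual_benefit": benefit, "annual_cost": control.annual_cost,
        "net_benefit": net, "rosi": net / control.annual_cost,
    }


# Constructed scenario and control (placeholder values, not real data).
RANSOMWARE = LossScenario(
    name="ransomware halts plant operations (constructed)",
    events_per_year=0.5,
    downtime=(100_000, 300_000, 900_000),
    response=(50_000, 120_000, 300_000),
    replacement=(10_000, 40_000, 150_000),
)
BACKUP_AND_MFA = Control(
    name="tested offline backups + phishing-resistant MFA (hypothetical)",
    annual_cost=120_000, frequency_reduction=0.5, magnitude_reduction=0.4,
)

if __name__ == "__main__":
    for key, value in cost_benefit(RANSOMWARE, BACKUP_AND_MFA).items():
        print(f"{key:>15}: {value:,.0f}")
```

The analytic function gives the point estimate a finance reviewer can check by hand (here roughly $328k expected annual loss before the control and $98.5k after), while the simulation adds the tail figure that downtime-heavy scenarios turn on. The assumptions worth documenting and revisiting are the frequency and the two reduction fractions; everything else is arithmetic.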
If your organization is using CPG 2.0 as a cybersecurity roadmap, consider building a lightweight CRQ capability in parallel—enough to support defensible cost-benefit decisions without requiring perfect data. Start small:
This does not require perfect data or sophisticated modeling infrastructure. It requires consistency, transparency of assumptions, and iterative refinement. The payoff is that CPG adoption becomes not just "best practice," but economically justified practice that can compete for funding alongside other business initiatives.
CPG 2.0 makes an important point on page 11 of the official report: cybersecurity investments should be justified through quantified costs and benefits and articulated in financial terms. The most direct way to operationalize that recommendation is to adopt cyber risk quantification as a companion discipline to CPG implementation.
Organizations that do so will not only implement CPGs more effectively—they will fund them more reliably, defend them more convincingly to boards and executives, and prioritize them more intelligently based on business impact. In an environment where cybersecurity budgets face increasing scrutiny, the ability to translate CPG objectives into quantified financial outcomes is no longer optional—it's essential for sustainable security investment.
Ready to transform CPG 2.0 from framework to fundable initiative? Explore how DeNexus' DeRISK Cyber Risk Quantification platform helps organizations quantify cyber risk in the financial terms that CPG 2.0 recommends, enabling defensible cost-benefit analysis and executive-level decision support.