Japan’s Information-technology Promotion Agency (IPA) has published a Japanese translation of the U.S. Cybersecurity and Infrastructure Security Agency’s Cross-Sector Cybersecurity Performance Goals Version 2.0, turning a U.S. baseline document into a local reference point for Japanese critical infrastructure operators.
The IPA Security Center released the translation on April 8, 2026, with CISA’s approval.
CISA, part of the U.S. Department of Homeland Security, issued the updated goals in December 2025.
The document is aimed at helping domestic infrastructure operators strengthen basic cybersecurity practices across information technology and operational technology environments.
A Minimum-Control Baseline, Not A Maturity Model
The Cross-Sector Cybersecurity Performance Goals are described as common baseline targets for organizations of any size.
They cover IT and operational technology, and reflect common high-impact threats and adversary tactics, techniques and procedures observed by CISA, government and industry partners.
The document is not positioned as a complete cybersecurity program.
Its purpose is narrower: to give organizations, especially small and midsize operators, a practical first step toward a stronger security posture.
The goals are not a maturity model.
Organizations are expected to set investment priorities by looking at cost, impact and ease of implementation.
One example in the guidance is the need to ensure that internet-connected systems do not contain known exploited vulnerabilities.
That target is presented as definable and achievable, and as a way to reduce risk from weaknesses used by national-level threat actors.
Why Zero Trust Is Not The Starting Point
The guidance draws a line between useful security models and controls that are practical enough to serve as cross-sector baseline goals.
Zero trust is described as a highly effective approach, but not an appropriate CPG at this stage for many smaller organizations.
The reason is implementation readiness.
Many small organizations could face difficulty deploying zero trust if they have not yet implemented the full set of baseline controls.
The immediate security signal is therefore not a push toward the most advanced architecture, but a focus on practices that can be clearly defined, funded and implemented.
Version 2.0 also reorganizes the goals around the National Institute of Standards and Technology Cybersecurity Framework 2.0, which was released in February 2024.
A new GOVERN function was added, emphasizing organizational leadership, accountability, risk management and the strategic integration of cybersecurity into daily operations.
The full structure is divided into GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER.
OT Risk Moves Into The Core Security Agenda
The update highlights four pressure points for infrastructure security.
Cybersecurity practice has often been centered on business IT systems, while operational technology risk has received less attention.
More connected OT devices can expose critical infrastructure to severe threats when basic controls are weak.
The guidance also points to weak or missing OT security programs.
It names basic control gaps around multifactor authentication, password management and backups, while noting that resource-constrained organizations can struggle to choose which investments deliver the largest improvement.
For Japanese infrastructure operators, the point to watch is how the accompanying worksheet is used.
CISA provides a goal list and a worksheet that helps asset owners and operators estimate implementation cost, complexity and impact.
Organizations are advised to identify which goals are already implemented, prioritize high-value gaps, begin implementation, and review progress after 12 months.
The next signal is whether operators treat the translation as a procurement and governance checklist, not only as a compliance document.
If the worksheet is used to fund practical controls, the baseline could help narrow gaps before OT exposure and legacy security weaknesses become harder to manage.

















