CISA Releases 2025 CWE Top 25 and Updated Cybersecurity Performance Goals
- Yisda Technical Team
- Dec 30, 2025
- 3 min read
Recurring weaknesses and uneven baselines continue to drive risk; zero trust access and micro-segmentation help limit exposure and reduce the blast radius when controls fail.
CISA has released two updates focused on improving cybersecurity baselines across critical infrastructure and software ecosystems. In collaboration with MITRE, CISA has published the 2025 CWE Top 25 Most Dangerous Software Weaknesses, identifying critical flaws that threat actors exploit to compromise target systems. The agency has also released Cybersecurity Performance Goals 2.0, which revises its guidance for owners and operators of critical infrastructure organizations. Together, the releases reflect the agency's continued effort to reduce systemic risk in digital security by addressing common software weaknesses at the source, while also providing clear, measurable expectations for foundational security practices.

CISA and MITRE Release 2025 CWE Top 25 Software Weaknesses
CISA announced the release of the 2025 CWE Top 25 Most Dangerous Software Weaknesses, developed in collaboration with the Homeland Security Systems Engineering and Development Institute, which is operated by the MITRE Corporation. According to the agency, the annual list highlights critical software weaknesses exploited by adversaries to compromise systems, gain unauthorized access to data, steal data, and disrupt organizations and their services. CISA said that focusing on these weaknesses is central to its Secure by Design and Secure by Demand initiatives, which emphasize addressing security risks earlier in how technology is built and procured. The agency noted that the Top 25 is intended to help organizations concentrate on systemic issues, including injection flaws, access control weaknesses, and memory safety defects, rather than relying primarily on remediation after deployment. CISA and MITRE also stated that using the list to guide development, security, and procurement decisions can help reduce long-term remediation costs, support trust with customers and stakeholders, and contribute to stronger overall software resilience.
CISA Updates Cybersecurity Performance Goals for Critical Infrastructure
CISA has released an updated version of its Cross-Sector Cybersecurity Performance Goals, known as CPG 2.0, aimed at critical infrastructure owners and operators. The agency said the updated guidance outlines measurable, outcome-focused actions intended to help owners and operators of critical infrastructure organizations establish a foundational level of cybersecurity. According to CISA, the revisions reflect lessons learned and align the goals with recent updates to the NIST Cybersecurity Framework. The update also places a stronger emphasis on governance, highlighting its role in accountability, risk management, and the integration of cybersecurity into daily operations. CISA stated that the refreshed goals are designed to provide a consistent baseline for managing cyber risk, supporting investment decisions, and addressing security across both information technology and operational technology environments.

Yisda Takeaways
The latest releases from CISA reinforce how cyber risk continues to be shaped by recurring software weaknesses and uneven baseline practices across critical infrastructure and enterprise environments. The 2025 CWE Top 25 underscores how foundational flaws remain widely exploitable when they are not addressed early in design and development. At the same time, Cybersecurity Performance Goals 2.0 emphasizes the role of clear governance, accountability, and measurable actions in managing risk across both IT and operational technology environments. Together, these efforts highlight the value of addressing risk earlier, establishing consistent security practices, and reducing exposure through preventative controls rather than relying primarily on downstream remediation.
