Cyber Security Readiness Goals (Canadian Centre for Cyber Security) — v1.0

Canadian Centre for Cyber Security Cyber Security Readiness Goals—36 cross-sector goals aligned to NIST CSF 2.0 to help organizations improve resilience, published by the Government of Canada.

The Canadian Centre for Cyber Security (Government of Canada) published the Cyber Security Readiness Goals (CRGs) to help organizations strengthen the security and resilience of the systems they rely on most. The CRGs are designed to be practical and cross-sector—clear priorities that can guide real implementation work, not just policy discussion.

These goals were developed in response to an increasingly challenging threat landscape affecting critical infrastructure and essential services. While the CRGs were created with that environment in mind, the guidance is broadly useful: any organization can apply the goals to improve cyber security posture, reduce operational risk, and build a more resilient approach to prevention, detection, response, and recovery.

A key strength of the CRGs is their structure. The document sets out 36 foundational goals aligned to the six pillars of the NIST Cybersecurity Framework (CSF) 2.0. This alignment helps technical teams map work to an established model, while giving leadership a clear way to understand coverage and maturity over time. Each goal is intended to support consistent decision-making—what to prioritize first, what to standardize, and what to measure.

The CRGs also reflect how modern incidents actually unfold. Cybercrime and ransomware continue to target organizations of all sizes, often through common weaknesses like credential theft, poor access controls, exposed remote services, and inconsistent logging. The goals reinforce the fundamentals that reduce those risks: strong identity and access management, secure configuration, segmentation, durable backups, and dependable monitoring. The intent is not to add complexity, but to reduce preventable exposure and shorten recovery time when something goes wrong.

Another important theme is governance. Cyber security is not only a technical function; it requires ownership, accountability, and coordination across the organization. The CRGs support clearer responsibilities, better risk communication, and more consistent alignment between operational needs and security decisions. For organizations without large security teams, this is especially valuable because it helps establish a shared playbook across IT, operations, and leadership.

Used well, the CRGs can serve as a roadmap: a way to translate high-level resilience into concrete tasks, prioritize improvement across phases, and confirm that “the basics” are covered before investing in more complex initiatives. For organizations already following formal standards, the CRGs can also work as a practical cross-check that essential outcomes are addressed in day-to-day operations.

Document facts: Effective October 29, 2024; first release. Publisher: Canadian Centre for Cyber Security, Government of Canada. Intended audience: cyber security practitioners and system owners/operators, with broad applicability across sectors.

• Click here to download