
CISA & Critical Infrastructure Protection

13 min read·Updated May 14, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) — established by the CISA Act of 2018 (6 U.S.C. §§ 651–674) within the Department of Homeland Security — is the federal agency responsible for protecting the nation's critical infrastructure from both physical and cyber threats. CISA coordinates across 16 designated critical infrastructure sectors (energy, financial services, healthcare, water, transportation, IT, communications, and 9 more), working with Sector Risk Management Agencies (SRMAs) and private sector operators who own approximately 85% of U.S. critical infrastructure. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022) was the landmark shift from voluntary to mandatory: covered entities in critical infrastructure must report significant cyber incidents within 72 hours and ransomware payments within 24 hours — rules being phased in through 2025–2026 as CISA finalizes implementing regulations. The SolarWinds supply chain attack (2020) and Colonial Pipeline ransomware attack (2021) — which shut down fuel supplies across the Eastern U.S. for six days — were the catalysts for CIRCIA and for treating critical infrastructure cybersecurity as a national security emergency rather than a compliance exercise. CISA also manages the #Protect2024 election security program and provides free vulnerability scanning, incident response assistance, and cybersecurity assessments to state and local governments. The Trump administration has proposed significant CISA budget cuts and staffing reductions in 2025, generating concern in the cybersecurity community about reduced capacity.

Current Law (2026)

Core statutes: Cybersecurity and Infrastructure Security Agency Act (2018), 6 U.S.C. §§ 651-674; Cybersecurity Information Sharing Act (CISA 2015), 6 U.S.C. §§ 1501-1510 (the wider chapter, 6 U.S.C. §§ 1501-1533, also holds the Federal Cybersecurity Enhancement Act provisions)
Agency: Cybersecurity and Infrastructure Security Agency (CISA) within DHS
Critical infrastructure sectors: 16 designated sectors (energy, financial services, healthcare, IT, transportation, water, etc.)
CISA Director: Senate-confirmed, reports to DHS Secretary
Federal network protection: EINSTEIN intrusion detection and prevention system; Continuous Diagnostics and Mitigation (CDM) program
Information sharing: Automated Indicator Sharing (AIS), a machine-to-machine exchange of cyber threat indicators between government and the private sector
Incident response: CISA leads federal civilian cybersecurity incident response; coordinates with the FBI (investigation) and ODNI (intelligence)
  • 6 U.S.C. § 652 — CISA establishment and mission (CISA is the federal lead for cybersecurity and infrastructure security; responsible for protecting federal civilian networks, coordinating critical infrastructure security, and sharing threat information)
  • 6 U.S.C. § 659 — National cybersecurity and communications integration center (NCCIC is CISA's 24/7 center for cybersecurity situational awareness, incident response, and information sharing with federal, state, local, and private sector partners)
  • 6 U.S.C. § 1503 — Cybersecurity Information Sharing Act authorizations (private entities may monitor information systems and share cyber threat indicators with the federal government; legal protections for good-faith sharing including liability protection and antitrust exemption)
  • 6 U.S.C. § 652a — Sector Risk Management Agencies (SRMAs review and coordinate critical infrastructure protection across all 16 sectors; each sector assigned a lead federal agency)
  • 6 U.S.C. § 653 — Cybersecurity Division (led by Executive Assistant Director for Cybersecurity with rank of Assistant Secretary; manages federal network defense, threat intelligence, and incident response)
  • 6 U.S.C. § 654 — Infrastructure Security Division (led by Executive Assistant Director for Infrastructure Security; manages physical security assessments, chemical facility security, and soft target protection)
  • 6 U.S.C. § 655 — Enhancement of Federal and non-Federal cybersecurity (CISA provides threat information, technical assistance, and cybersecurity tools to state/local governments and private critical infrastructure operators upon request)
  • 6 U.S.C. § 663 — Federal intrusion detection and prevention system (EINSTEIN — monitors network traffic entering and leaving federal civilian agency networks; identifies known malicious signatures and blocks threats automatically)
  • 6 U.S.C. § 664 — National asset database (critical infrastructure inventory cataloging nationally significant systems and assets for vulnerability assessment)
  • 6 U.S.C. § 665 — .gov domain management (CISA manages registration of .gov internet domains for all federal, state, local, and tribal government entities at no cost)
  • 6 U.S.C. § 665b — Joint Cyber Planning Office (cross-sector cyber defense planning bringing together government agencies and private sector critical infrastructure operators)
  • 6 U.S.C. § 665j — Joint Ransomware Task Force (CISA leads interagency task force with FBI and DOJ to disrupt ransomware threats, support victims, and share threat intelligence)
  • 6 U.S.C. §§ 1501-1510 — Cybersecurity Information Sharing Act of 2015 (legal framework for private sector sharing of cyber threat indicators with government; liability protection; privacy safeguards; FOIA exemption; congressional reporting; § 1510 sets a statutory sunset for the Act's authorities, originally September 30, 2025, so confirm they are currently in force before relying on the protections)
  • 6 U.S.C. § 1523 — Federal cybersecurity requirements (CISA Director issues binding operational directives; agencies must implement NIST standards; DHS provides tools and services including intrusion detection and prevention)

How It Works

CISA is the newest major federal agency — created in 2018 by elevating DHS's cybersecurity and infrastructure protection functions into a standalone agency. It serves as the nation's risk advisor for both cyber and physical infrastructure threats, filling a critical gap in the federal government's ability to defend against increasingly sophisticated attacks.

The U.S. designates 16 critical infrastructure sectors — systems and assets whose incapacitation would have a debilitating effect on security, the economy, public health, or safety: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors/materials/waste, transportation systems, and water/wastewater. Each sector has a designated Sector Risk Management Agency (SRMA) — DOE for energy, HHS for healthcare, Treasury for financial services — responsible for coordinating sector security and resilience. CISA coordinates across all 16 sectors and protects federal civilian agency networks (the ".gov" domain) through the Einstein intrusion detection system, the Continuous Diagnostics and Mitigation (CDM) program providing agencies real-time visibility into their cyber posture, and Binding Operational Directives requiring agencies to take specific security actions (patching known vulnerabilities, implementing multi-factor authentication). CISA does NOT have authority over military/intelligence networks (NSA/Cyber Command) or private sector networks — it advises but cannot mandate.

The Cybersecurity Information Sharing Act of 2015 created a legal framework for sharing cyber threat indicators between the private sector and CISA through the Automated Indicator Sharing (AIS) platform, with liability immunity and antitrust exemption for participating companies. CISA aggregates indicators and shares them back, creating a collective defense model — though participation remains voluntary and many companies are reluctant to share due to reputational concerns. Since 2017, CISA has also played a central role in election security, providing cybersecurity assessments, incident response support, and threat information to state and local election officials. When major cyber incidents strike critical infrastructure or federal networks — SolarWinds (2020), Colonial Pipeline (2021), Log4Shell (2021) — CISA leads the civilian government response, coordinating with the FBI (criminal investigation) and ODNI (intelligence response) under the Cyber Unified Coordination Group framework.

How It Affects You

<!-- pria:personalize type="impact" field="employment_type" -->

If you operate critical infrastructure (energy, water, healthcare, financial services, transportation): CISA provides a suite of free cybersecurity services — vulnerability assessments of your industrial control systems, penetration testing, threat intelligence briefings, and 24/7 incident response support. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022) will require mandatory reporting of covered cyber incidents to CISA within 72 hours and ransomware payments within 24 hours once CISA finalizes its rulemaking (anticipated 2025-2026). Sign up for your sector's Information Sharing and Analysis Center (ISAC) — sector-specific groups for energy (E-ISAC), healthcare (H-ISAC), financial services (FS-ISAC), and others share real-time threat indicators among members with legal protection under the Cybersecurity Information Sharing Act. The CISA Known Exploited Vulnerabilities (KEV) catalog at cisa.gov is free and lists CVEs for which CISA has reliable evidence of active exploitation; it is not a complete list of everything being exploited, so treat it as a floor rather than a ceiling, but prioritizing patches from this list is the most defensible vulnerability management practice available.

If you work in federal agency IT or cybersecurity: CISA's Binding Operational Directives (BODs) are mandatory for civilian federal agencies. BOD 22-01 requires agencies to remediate every entry in the KEV catalog by the due date CISA assigns to that entry; when the directive was issued, that was two weeks for CVEs with IDs assigned in 2021 or later and six months for older CVEs, so the deadline is driven by the catalog entry, not by CVSS severity. The Continuous Diagnostics and Mitigation (CDM) program provides real-time visibility dashboards for your agency's cybersecurity posture at no cost. The EINSTEIN intrusion detection and prevention system monitors traffic entering and leaving .gov networks. When you experience a significant cyber incident, the Cyber Unified Coordination Group (CISA, FBI, ODNI) framework governs the coordinated federal response. Federal civilian agencies are required to report incidents to CISA under the Federal Incident Notification Guidelines (within one hour of identifying an incident); CISA provides response resources and coordinates across agencies to identify the breadth of compromise (SolarWinds in 2020 and Log4Shell in 2021 showed how quickly a single vulnerability spreads across .gov infrastructure).

If you're a state or local election official: CISA's election security team provides free cybersecurity services specifically for election infrastructure — vulnerability scanning of election management systems, physical security assessments of election facilities, penetration testing, tabletop exercises simulating election-day cyberattacks, and 24/7 incident response support during elections. These services are available to all 50 states and thousands of counties at no cost. CISA's Rumor Control website (cisa.gov/rumorcontrol) provides real-time fact-checking of election-related misinformation for public distribution. The Multi-State ISAC (MS-ISAC), coordinated by the Center for Internet Security with CISA support, provides cybersecurity information sharing specifically for state and local government — including election agencies. Reach out to your CISA regional office well before the election cycle to schedule assessments, as demand is high in election years.

If you're a private sector cybersecurity professional: CISA has become one of the most practically useful sources of actionable threat intelligence for commercial organizations. The KEV catalog at cisa.gov lists CVEs for which CISA has reliable evidence of active exploitation; it is published as a machine-readable JSON and CSV feed, so it can be joined against scanner output to prioritize your remediation queue ahead of CVSS scores alone. CISA's joint cybersecurity advisories (co-authored with FBI, NSA, and international partners) are free and typically include indicators of compromise, detection signatures, and mitigation steps. Sharing threat indicators through the Automated Indicator Sharing (AIS) platform is voluntary and legally protected: good-faith sharing receives liability protection and an antitrust exemption under the Cybersecurity Information Sharing Act of 2015, though those protections are subject to that Act's statutory sunset (6 U.S.C. § 1510), so confirm they are in force before relying on them. CISA's Secure by Design initiative is shifting liability conversations toward software manufacturers; following its guidance can strengthen your organization's vendor security requirements. CISA also publishes free tools: CSET (Cyber Security Evaluation Tool) provides a structured self-assessment for industrial control system and enterprise environments, and CHIRP (CISA Hunt and Incident Response Program) is a forensic collection script originally released to detect post-compromise activity associated with the SolarWinds campaign.

<!-- /pria:personalize -->
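As an added example, not code from CISA or from this page, the script below joins scanner findings against the KEV feed to produce the remediation order the federal (BOD 22-01) and private-sector paragraphs above describe: catalog entries are ranked by their CISA due date ahead of anything ranked only by CVSS, and the original BOD 22-01 deadline rule is reconstructed so a due date can be checked or back-filled. The feed field names follow the public KEV JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the catalog excerpt (only the Log4Shell entry is a real catalog item, and its dates are illustrative), the asset inventory, the reference date and the CVE-2026-xxxxx placeholder IDs are constructed sample data, not real findings or vulnerabilities.

```python
from __future__ import annotations

import calendar
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed excerpt in the shape of the public KEV feed. CVE-2021-44228 (Log4Shell) is a
# real catalog entry with illustrative dates; the CVE-2026-0000x IDs are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities", "catalogVersion": "sample", "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-00001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "dateAdded": "2026-05-01", "dueDate": "2026-05-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-00002", "vendorProject": "ExampleVendor", "product": "ExampleFirewall",
         "dateAdded": "2026-05-10", "dueDate": "2026-05-31", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner output as (asset, CVE ID, CVSS base score). CVE-2026-99999 stands in
# for a critical-scored CVE that is not in the catalog.
SAMPLE_FINDINGS = [
    ("web-01", "CVE-2026-00002", 6.5),
    ("db-02", "CVE-2026-99999", 9.8),
    ("app-03", "CVE-2021-44228", 10.0),
    ("vpn-04", "CVE-2026-00001", 7.2),
]
REFERENCE_DATE = date(2026, 5, 14)  # constructed "today" for the sample run


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    ransomware_use: bool


@dataclass(frozen=True)
class Prioritized:
    asset: str
    cve_id: str
    cvss: float
    status: str       # "KEV-OVERDUE", "KEV-DUE" or "NOT-IN-KEV"
    days: int | None  # days past due, days until due, or None when not in the catalog


def load_kev(feed_json: str) -> dict[str, KevEntry]:
    """Parse a KEV feed document into a lookup keyed by CVE ID."""
    feed = json.loads(feed_json)
    return {v["cveID"]: KevEntry(v["cveID"], v["vendorProject"], v["product"],
                                 date.fromisoformat(v["dateAdded"]), date.fromisoformat(v["dueDate"]),
                                 v.get("knownRansomwareCampaignUse") == "Known")
            for v in feed["vulnerabilities"]}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clipping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def bod_22_01_due_date(cve_id: str, date_added: date) -> date:
    """Reconstruct the original BOD 22-01 deadline: two weeks for CVE IDs from 2021 on,
    six months for older ones (keyed on the year in the ID, as the catalog's first due
    dates were). Live entries carry their own dueDate; use this to check or back-fill one."""
    if int(cve_id.split("-")[1]) >= 2021:
        return date_added + timedelta(days=14)
    return add_months(date_added, 6)


def prioritize(findings, kev: dict[str, KevEntry], today: date) -> list[Prioritized]:
    """Overdue KEV entries first (most overdue at the top), then KEV entries by due date,
    then everything else by CVSS. Ransomware-linked entries win ties, CVSS after that."""
    ranked = []
    for asset, cve_id, cvss in findings:
        entry = kev.get(cve_id)
        if entry is None:
            ranked.append(((2, 0, 1, -cvss, asset), Prioritized(asset, cve_id, cvss, "NOT-IN-KEV", None)))
            continue
        overdue_by = (today - entry.due_date).days  # positive once past the due date
        tie = 0 if entry.ransomware_use else 1
        status = "KEV-OVERDUE" if overdue_by > 0 else "KEV-DUE"
        ranked.append(((0 if overdue_by > 0 else 1, -overdue_by, tie, -cvss, asset),
                       Prioritized(asset, cve_id, cvss, status, abs(overdue_by))))
    return [item for _, item in sorted(ranked, key=lambda pair: pair[0])]


def demo(today: date = REFERENCE_DATE) -> list[Prioritized]:
    """Run the sample inventory against the sample catalog."""
    return prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), today)


if __name__ == "__main__":
    for item in demo():
        print(f"{item.status:<11} {item.asset:<7} {item.cve_id:<15} cvss={item.cvss:<4} days={item.days}")
```

Run as a script, the queue puts app-03 (Log4Shell, years past its due date) first, then the two catalog entries in due-date order, and the CVSS 9.8 finding that is not in the catalog last; that inversion relative to a pure score sort is the point of ranking on exploitation evidence. Against the live feed, replace SAMPLE_KEV_JSON with the downloaded file's contents and SAMPLE_FINDINGS with your scanner export.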

State Variations

<!-- pria:personalize type="state-specific" -->
  • CISA's authorities are federal, but cybersecurity is a shared responsibility with state and local governments
  • Many states have established their own cybersecurity offices and critical infrastructure programs
  • State data breach notification laws (all 50 states) complement federal cybersecurity efforts
  • Multi-State Information Sharing and Analysis Center (MS-ISAC) coordinates cybersecurity for state/local/tribal governments
  • State election systems are independently operated but receive CISA support for security
<!-- /pria:personalize -->

Implementing Regulations

  • 6 CFR Part 27 — Chemical Facility Anti-Terrorism Standards (CFATS): the DHS regulatory framework requiring high-risk chemical facilities to develop and implement security plans covering their most dangerous materials. CFATS is the primary federal program for securing the chemical sector against terrorist attack. Key provisions:

    • § 27.200 / § 27.203 — Top-Screen reporting: facilities possessing any "Chemical of Interest" (Appendix A) at or above its Screening Threshold Quantity (STQ) must file a Top-Screen with DHS through the Chemical Security Assessment Tool (CSAT); STQ calculations exclude chemicals in building materials, routine cleaners, food/drugs/cosmetics, and non-contact cooling water; for release-toxic chemicals, only mixtures containing at least 1% by weight count toward the STQ
    • § 27.205 — Risk determination: the Executive Assistant Director for CISA may designate a facility as "high risk" at any time based on its chemicals, operations, proximity to population centers, or other factors; designation can also flow from a Top-Screen result showing the facility could cause mass casualties if attacked, contaminated, or sabotaged
    • § 27.220 — Four-tier risk ranking: covered (high-risk) facilities are placed into Tier 1 (highest risk), Tier 2, Tier 3, or Tier 4 (lowest risk); Tier 1 facilities face the most stringent security requirements, highest inspection frequency, and longest review timelines for their security plans
    • § 27.215 — Security Vulnerability Assessment (SVA): Tier 1–4 facilities must complete a five-part SVA identifying critical assets and potential attack scenarios; the five components are: (1) asset characterization (hazards, consequences); (2) threat analysis; (3) vulnerability analysis; (4) risk assessment; (5) countermeasures analysis
    • § 27.225 / § 27.230 — Site Security Plan (SSP): the facility must write a plan addressing each weakness found in its SVA and specifying which security measures it will use — drawn from 18 Risk-Based Performance Standards (RBPS) covering perimeter security, access control, personnel surety, theft and diversion prevention, cyber security, emergency response, and training; DHS evaluates plans based on outcomes (does this mix of measures achieve the required risk reduction?) rather than prescriptive requirements
    • § 27.235 — Alternative Security Programs: a covered facility may submit an existing security program (a state, local, or industry program) in lieu of a Site Security Plan, and a Tier 4 facility may do so in lieu of the SVA as well, if DHS determines the program achieves equivalent security; this lets facilities already subject to robust security requirements avoid duplicative planning (facilities regulated under the Maritime Transportation Security Act are excluded from CFATS entirely rather than using this provision)
    • § 27.250 — Inspections: after a Site Security Plan receives preliminary approval, DHS will inspect the facility on-site; subsequent compliance inspections may occur with or without advance notice
    • § 27.300 — Enforcement: DHS may issue Orders to correct violations; noncompliance can result in civil penalties or an order to cease operations until the security deficiency is corrected; a neutral adjudications process (§§ 27.305–27.345) provides due process before any Order becomes final
    • § 27.400 — Chemical-Terrorism Vulnerability Information (CVI): all CFATS submissions (Top-Screens, SVAs, SSPs, inspection records) are designated CVI — protected from public disclosure under a DHS-specific classification; CVI may not be released under FOIA; employees who handle CVI must receive training; unauthorized CVI disclosure can result in civil penalties up to $25,000/day and criminal prosecution
    • § 27.405 — Federal preemption: CFATS preempts any state or local law that conflicts with or undermines the federal chemical security requirements; EPA emergency planning requirements (EPCRA, Risk Management Plans) and OSHA Process Safety Management rules continue in parallel — facilities subject to CFATS typically must also comply with EPA and OSHA chemical safety rules covering the same materials

    CFATS applied to roughly 3,000–4,000 high-risk chemical facilities, including petrochemical plants, fertilizer storage, semiconductor manufacturers, cold storage facilities (anhydrous ammonia refrigerants), and explosives manufacturers. Facilities excluded by statute include those regulated under the Maritime Transportation Security Act, public water systems and publicly owned treatment works (so municipal water treatment plants using chlorine or ammonia fall outside CFATS even though they hold Chemicals of Interest), facilities regulated by the Nuclear Regulatory Commission, and Department of Defense and Department of Energy facilities; most agricultural production facilities were also exempted by DHS policy. The program's focus on risk-based outcomes rather than prescriptive rules makes it structurally different from most federal safety regulations. Caveat: the statutory authority for CFATS (6 U.S.C. § 621 et seq.) expired on July 28, 2023, and CISA suspended Top-Screen processing, inspections, and enforcement after the lapse; the regulation remains in the CFR, but check whether Congress has reauthorized the program before relying on its requirements or its CVI protections.

  • 6 CFR Part 29 — Protected Critical Infrastructure Information (PCII) Program: implementing regulation for the Critical Infrastructure Information Act of 2002 (6 U.S.C. §§ 671–674), which created a voluntary information-sharing program encouraging private sector operators of critical infrastructure to share sensitive vulnerability information with DHS/CISA without fear that the information will be disclosed to the public or used in civil litigation:

    • § 29.1 — Program purpose: the PCII program is built on a fundamental problem in critical infrastructure protection — private companies that own and operate most critical infrastructure (power grids, water systems, financial networks, pipelines) are reluctant to share vulnerability information with the government if they fear it will be disclosed under FOIA, shared with state and local regulators, or used by private plaintiffs in lawsuits; the PCII program addresses this by creating a protected category of voluntarily submitted information: once information is designated PCII, it is exempt from FOIA, exempt from use in civil litigation, and can only be used for homeland security purposes
    • § 29.3 — FOIA exemption: PCII is categorically exempt from disclosure under the Freedom of Information Act; it also cannot be made subject to disclosure by any state or local sunshine law or FOIA equivalent; the protection is durable — even if the submitter revokes the information, existing PCII designations remain protected; this breadth of protection was what Congress determined necessary to induce meaningful voluntary disclosure by the private sector
    • § 29.4 — Program administration: the PCII Program Manager (within CISA) is responsible for receiving, validating, storing, and disseminating PCII; DHS must implement access controls ensuring that only authorized users with a demonstrated need for the information for homeland security purposes can view PCII; analysts who improperly disclose PCII face criminal penalties under the statute
    • Practical significance: PCII is used primarily by CISA and sector-specific agencies (DOE for energy, DOT for transportation, HHS for healthcare) when conducting vulnerability assessments of critical infrastructure sectors; private companies submit detailed network diagrams, security gap analyses, and physical vulnerability information they would never disclose publicly; in return, CISA analysts can provide tailored, specific security recommendations; the program has been most active in the energy, water, and financial sectors; Recent rulemakings: 69 FR 28066 (May 2004) — original PCII program final rule.
  • 6 CFR Part 158 — Cybersecurity Talent Management System (CTMS purpose, DHS Cybersecurity Service, positions/employees, CTMB oversight, core values, strategic talent planning, talent market analysis, work valuation, compensation for advisory appointees)

Pending Legislation

  • HR 7744 — DHS FY2026 funding with boosts to CISA cybersecurity, FEMA disaster aid, and border operations. Status: Passed House.
  • S 3251 — Reauthorize State and Local Cybersecurity Grant Program for FY2026, $300 million, 60-70% federal cost shares. Status: Introduced.
  • HR 6429 — Expand CISA program to recruit/train cybersecurity workers from disadvantaged groups. Status: Introduced.
  • S 3404 — Federal framework for commercial satellite cybersecurity, public clearinghouse, GAO study. Status: Introduced.
  • HR 7266 — DOE grants for cybersecurity at rural and small municipal utilities, $250M for 2026-2030. Status: In committee.
  • HR 7885 — $10M pilot for cybersecurity training in postsecondary technical programs serving critical infrastructure. Status: Introduced.
  • HR 5868 — Require community water systems to take cybersecurity training, extend risk-and-resilience timelines. Status: Introduced.
  • HR 6505 — NTIA-run NG9-1-1 grant program with cybersecurity center and advisory board. Status: In committee.

Recent Developments

  • CISA's Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022) established mandatory incident reporting requirements for critical infrastructure — rulemaking underway
  • CISA's Secure by Design initiative has pushed software manufacturers to adopt more secure development practices
  • The agency's Known Exploited Vulnerabilities catalog has become a de facto standard for vulnerability prioritization
  • AI-related cybersecurity threats and defenses are an emerging CISA focus area — see Space Weather Policy for another threat to critical infrastructure from natural causes
  • CISA has expanded international partnerships for cyber threat intelligence sharing and critical infrastructure protection
  • Trump DOGE cuts to CISA in 2025: CISA faced significant workforce reductions — approximately 130 employees were let go in an early round of cuts, with further reductions proposed; the agency's Election Security team was particularly affected, raising bipartisan concerns ahead of the 2026 midterms.
  • Salt Typhoon telecom intrusion (disclosed late 2024): Chinese state actors compromised at least nine major U.S. telecommunications carriers, accessing call metadata and, for a small number of high-value targets, call and message content; CISA, the FBI, and partner agencies published hardening guidance for communications infrastructure and advised highly targeted individuals to move to end-to-end encrypted messaging and calls.
  • CISA director Sean Plankey nomination stalled: Trump nominated Plankey to lead CISA but his confirmation was delayed in the Senate through mid-2025; the agency operated under acting leadership during a period of major foreign cyber threats, limiting CISA's ability to coordinate cross-sector incident response.
