CISA & Federal Cybersecurity
The Cybersecurity and Infrastructure Security Agency (CISA) is the federal agency responsible for protecting U.S. critical infrastructure — the systems and assets essential to national security, public health, and economic stability — from both cyber and physical threats. Created in 2018 within the Department of Homeland Security, CISA coordinates cybersecurity across 16 critical infrastructure sectors (energy, water, financial, healthcare, communications, and more), shares threat intelligence with private sector operators, and responds to significant cyberattacks. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires companies in covered sectors to report significant cyber incidents to CISA within 72 hours and ransom payments within 24 hours — regulations still being finalized as of 2026. CISA also manages the federal government's EINSTEIN intrusion detection system and coordinates "whole-of-government" responses to major incidents like the SolarWinds hack (2020) and Colonial Pipeline ransomware attack (2021). The agency has faced political pressure over its election security work and disinformation activities, with congressional Republicans critical of its role in coordinating with social media platforms during the 2020-2022 election cycles.
Current Law (2026)
| Parameter | Value |
|---|---|
| Agency | Cybersecurity and Infrastructure Security Agency (CISA), within DHS |
| Established | November 16, 2018 (renamed from NPPD) |
| Cyber incident reporting | 72 hours for covered entities (CIRCIA) |
| Ransom payment reporting | 24 hours |
| .gov domain | CISA manages registration for all government entities |
| State coordinators | 1 per state (Cybersecurity State Coordinator) |
| EINSTEIN system | Federal intrusion detection across civilian agencies |
Legal Authority
- 6 U.S.C. § 652 — Cybersecurity and Infrastructure Security Agency (establishment, renaming from NPPD, Director role)
- 6 U.S.C. § 652a — Sector Risk Management Agencies (review of critical infrastructure protection across sectors)
- 6 U.S.C. § 653 — Cybersecurity Division (led by Executive Assistant Director for Cybersecurity)
- 6 U.S.C. § 654 — Infrastructure Security Division (led by Executive Assistant Director for Infrastructure Security)
- 6 U.S.C. § 655 — Enhancement of Federal and non-Federal cybersecurity (technical assistance to state, local, and private sectors)
- 6 U.S.C. § 658 — Cybersecurity recruitment and retention (excepted service hiring authority, competitive pay)
- 6 U.S.C. § 659 — National Cybersecurity and Communications Integration Center (NCCIC — the operational hub for cyber threat sharing)
- 6 U.S.C. § 660 — Cybersecurity plans (routine scanning, intrusion detection, removal across federal systems)
- 6 U.S.C. § 663 — Federal intrusion detection and prevention system (EINSTEIN — network monitoring for federal agencies)
- 6 U.S.C. § 664 — National asset database (critical infrastructure inventory)
- 6 U.S.C. § 665 — .gov internet domain management (registration for federal, state, local, tribal entities)
- 6 U.S.C. § 665b — Joint Cyber Planning Office (cross-sector cyber defense planning)
- 6 U.S.C. § 665c — Cybersecurity State Coordinator (one per state, liaison for public/private cybersecurity)
- 6 U.S.C. § 665j — Joint Ransomware Task Force (CISA Director leads interagency ransomware task force with FBI, DOJ, and National Cyber Director; coordinates disruption, victim support, and threat intelligence sharing)
- 6 U.S.C. § 1500 — Office of the National Cyber Director (Senate-confirmed Director within the Executive Office of the President; advises on national cybersecurity policy, coordinates federal cyber defense, and leads incident response strategy across agencies)
- 6 U.S.C. § 1501-1508 — Cybersecurity Information Sharing Act of 2015 (authorizes private entities to monitor information systems and share cyber threat indicators with the federal government; CISA is the primary receiving entity; shared indicators receive liability protection, FOIA exemption, and antitrust exemption; privacy guidelines required; congressional oversight reports)
- 6 U.S.C. § 1523 — Federal cybersecurity requirements (CISA Director issues binding operational directives requiring agencies to adopt cybersecurity policies and standards; covers patching known vulnerabilities, multi-factor authentication, endpoint detection)
- 6 U.S.C. § 1531 — Apprehension of international cyber criminals (Secretary of State coordinates with foreign governments to pursue cybercriminals in countries with limited U.S. extradition cooperation)
- 6 U.S.C. § 1533 — Improving cybersecurity in the health care industry (HHS reporting on healthcare cybersecurity best practices and preparedness; voluntary cybersecurity standards for the healthcare sector)
- 6 U.S.C. § 1534 — Cybercrime (DOJ/FBI and DHS/HSI retention pay up to 25% for cyber-skilled staff working on cybercrime, trafficking, and technology-facilitated crimes against children)
Implementing Regulations (CFR)
- 6 CFR 158.201 — CISA cybersecurity mission (establishment of cybersecurity as a core DHS mission area under the DHS Cybersecurity Talent Management System)
- 6 CFR 158.202 — Cybersecurity Service (DHS-CS) (structure and scope of the DHS cybersecurity workforce)
- 6 CFR 158.302 — Cybersecurity Talent Management Board (governance structure for cybersecurity talent management decisions)
- 6 CFR 25.9 — Procedures for certification of approved products for Homeland Security (SAFETY Act product certification for anti-terrorism technologies)
How It Works
The Cybersecurity and Infrastructure Security Agency (CISA) is the federal government's lead agency for protecting critical infrastructure and coordinating cybersecurity across the public and private sectors. CISA was created in 2018 when Congress renamed and elevated the National Protection and Programs Directorate (NPPD) within DHS.
CISA is organized around two main missions. The Cybersecurity Division defends federal networks, shares threat intelligence, responds to cyber incidents, and helps state/local governments and private companies improve security posture. The Infrastructure Security Division handles physical threats — assessing vulnerabilities, protecting soft targets, and securing chemical facilities. CISA's operational heart is the National Cybersecurity and Communications Integration Center (NCCIC), which operates 24/7 as the central hub for cyber threat information sharing, receiving incident reports, analyzing malware and vulnerabilities, issuing alerts, and coordinating response across agencies. The EINSTEIN system monitors network traffic entering and leaving federal civilian agency networks, identifies known malicious signatures, and can block certain threats automatically.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires covered entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours; CISA must protect reported information from public disclosure and cannot use it for regulatory enforcement. The Cybersecurity Information Sharing Act (CISA 2015) (6 U.S.C. §§ 1501–1508) provides the legal backbone for the public-private cyber defense model: private entities that share cyber threat indicators with CISA receive liability immunity, FOIA exemption, and antitrust exemption — enabling companies to share threat data with competitors without antitrust risk. CISA deploys a Cybersecurity State Coordinator in each state and provides free vulnerability scanning, penetration testing, and cybersecurity assessments to state and local governments and critical infrastructure operators. The National Cyber Director — a Senate-confirmed position in the Executive Office of the President created by the Cybersecurity Act of 2015 (6 U.S.C. § 1500) — advises on national cybersecurity policy and bridges the gap between CISA's operational work and White House strategy.
CISA leads the Joint Ransomware Task Force (§ 665j), an interagency body coordinating with the FBI and DOJ to disrupt ransomware operations, support victims, and share threat intelligence. For healthcare-specific threats, § 1533 directs HHS to develop voluntary cybersecurity best practices in coordination with CISA. The federal government also offers retention pay of up to 25% above base salary for cybersecurity-skilled investigators at DHS and DOJ (§ 1534) — a recognition that recruiting and retaining cyber talent requires competing with private sector compensation.
How It Affects You
If you operate critical infrastructure — a power plant, water utility, hospital, financial institution, pipeline, data center, or any facility in one of CISA's 16 designated sectors — your cybersecurity obligations and available resources have both expanded significantly. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires covered entities to report significant cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred, and to report ransomware payments within 24 hours. Final CIRCIA rules defining exactly which organizations are "covered entities" are still being developed as of 2026 — watch for the NPRM at cisa.gov/circia. What you can access for free right now: CISA's Cybersecurity Performance Goals (CPGs) — a prioritized set of baseline security practices published at cisa.gov/cpg — provide a concrete starting checklist. CISA's External Dependencies Management program offers free assessments of your supply chain cyber risks. CISA vulnerability scanning and penetration testing are available at no cost on request through cisa.gov/cyber-resource-hub. If you're in healthcare, energy, or water — sectors that have faced targeted attacks from state-sponsored and ransomware actors — CISA's sector-specific advisories and the Joint Cyber Defense Collaborative (JCDC) offer threat intelligence not available through commercial channels.
If you run a state, local, tribal, or territorial government entity, CISA's free services catalog is your most underutilized resource. Your Cybersecurity State Coordinator — one per state, find yours at cisa.gov/cybersecurity-state-coordinators — is your direct federal liaison for cyber assistance. Free services available to you: phishing campaign assessments (test your employees' susceptibility), web application scanning (check your public-facing systems for vulnerabilities), remote penetration testing, incident response planning workshops, and direct incident response support when you're under attack. The State and Local Cybersecurity Grant Program (SLCGP) — authorized at $1 billion over 4 years — provides federal funding for state and local cybersecurity improvement plans; check status at cisa.gov/slcgp. The .gov domain is free and available to any U.S. government entity, including special districts, school boards, and counties — it signals official government status and comes with additional security protections. Register at get.gov. If you're running critical election infrastructure, CISA's Election Security team provides specialized support free of charge.
If you're a private-sector business or technology company, CISA's resources are less widely known than they should be. Shields Up (cisa.gov/shields-up) provides actionable advisories during heightened threat periods — when a major vulnerability like Log4Shell or a significant geopolitical escalation increases attack risk, Shields Up publishes specific mitigation steps. The Known Exploited Vulnerabilities (KEV) catalog (cisa.gov/known-exploited-vulnerabilities-catalog) — a list of CVEs actively exploited in the wild — tells you which patches are genuinely urgent rather than just theoretically important; federal agencies are required to patch KEV vulnerabilities on a schedule, and private companies that use the KEV as a patching priority list are applying the same risk-based logic. To share threat intelligence and receive it in return, enroll in the Automated Indicator Sharing (AIS) program at cisa.gov/ais — the Cybersecurity Information Sharing Act gives participating companies liability protection, FOIA exemption, and antitrust exemption for good-faith sharing. Report cyber incidents at report.cisa.gov or 1-888-282-0870 — reports are protected from public disclosure and cannot be used against you in regulatory proceedings.
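One way to put the "KEV as a patching priority list" idea above into practice, written here as an added example rather than CISA's own code or tooling: it cross-references a scanner's per-host findings against the structure of the KEV JSON feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and ranks them by overdue status, known ransomware use, and due date. The feed field names are the catalog's real ones; the catalog entries, CVE ids, and host names are constructed placeholders.

```python
from datetime import date

# Shape of CISA's KEV JSON feed (top-level "vulnerabilities" list). The three
# entries are CONSTRUCTED samples with placeholder CVE ids, not real catalog rows.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCorp", "product": "Gateway",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCorp", "product": "Portal",
         "dateAdded": "2025-11-20", "dueDate": "2025-12-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Agent",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-22", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory: host -> CVE ids reported by your vulnerability scanner.
SAMPLE_INVENTORY = {
    "web-01": ["CVE-0000-00002", "CVE-0000-00009"],  # 00009 is not in KEV: lower priority
    "vpn-01": ["CVE-0000-00001"],
    "db-01": ["CVE-0000-00009"],
}

def kev_index(feed):
    """Map cveID -> catalog entry so each finding is a constant-time lookup."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def prioritise(inventory, feed, today):
    """Return (host, cve, due_date, overdue, ransomware) rows, most urgent first.

    Ordering: past the KEV due date first, then entries tied to known ransomware
    campaigns, then earliest due date. Findings absent from KEV are omitted
    here; they still need patching, but not on the KEV-driven schedule.
    """
    kev = kev_index(feed)
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            ransomware = entry["knownRansomwareCampaignUse"] == "Known"
            rows.append((host, cve, due, due < today, ransomware))
    return sorted(rows, key=lambda r: (not r[3], not r[4], r[2]))

if __name__ == "__main__":
    for row in prioritise(SAMPLE_INVENTORY, SAMPLE_KEV, date(2026, 1, 15)):
        print(row)
```

For real use, load the downloaded feed with `json.load` in place of `SAMPLE_KEV` and feed it the CVE list your scanner exports per host.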
If you're a cybersecurity professional looking at federal employment, CISA operates under a Cybersecurity Talent Management System (CTMS) that allows it to hire, retain, and pay differently than standard federal civilian positions — competitive salaries outside the GS schedule, direct-hire authority for hard-to-fill roles, and retention bonuses. The Cybersecurity Education and Training Assistance Program (CETAP) funds K-12 cyber education. CISA's CyberWarrior and CyberSkills Management Support Initiative hire for non-traditional backgrounds — people with skills but without four-year CS degrees. For private-sector professionals considering federal service: CISA positions often offer access to classified threat intelligence, interagency coordination experience, and mission-driven work that's difficult to replicate commercially. Visit cisa.gov/careers for current openings.
State Variations
This is exclusively federal law — no state variations apply to CISA's structure or authority. However, all 50 states now have their own cybersecurity strategies and many have enacted state-level cyber incident reporting laws for different sectors (healthcare, financial services, utilities). State laws vary significantly in reporting timelines (24 hours to 60 days), covered entities, and notification requirements.
Pending Legislation
- S 3251 — State and Local Cybersecurity Grant Program Reauthorization Act: reauthorizes for FY2026, $300M, federal cost shares at 60-70%. Status: Introduced.
- HR 6429 — Expanding Cybersecurity Workforce Act of 2025: expands CISA program to recruit and train cybersecurity workers from disadvantaged groups. Status: Introduced.
- S 3404 — Satellite Cybersecurity Act of 2025: federal framework for commercial satellite cybersecurity with clearinghouse and GAO study. Status: Introduced.
- HR 5868 — Water Cybersecurity Enhancement Act of 2025: requires community water systems to take cybersecurity training. Status: Introduced.
- HR 7266 — Rural and Municipal Utility Cybersecurity Act: DOE grants for rural/small utility cybersecurity, $250M for 2026-2030. Status: In Committee.
- S 4074 — Fund CISA Personnel Act of 2026: keeps CISA staff paid during funding lapse through Sept. 30, 2026. Status: Introduced.
Recent Developments
CISA has rapidly expanded since its 2018 creation, with particular growth after the SolarWinds supply chain attack (2020) and the Colonial Pipeline ransomware attack (2021). CIRCIA rulemaking is ongoing, with final rules defining covered entities and reporting requirements expected by 2026. CISA's Joint Cyber Defense Collaborative (JCDC) brings together government and major technology companies for cyber defense planning. The agency has also taken a lead role in election infrastructure security.
In April 2026, the White House unveiled President Trump's cyber strategy, outlining federal priorities for cybersecurity defense, critical infrastructure protection, and deterrence of state-sponsored cyber threats.
In February 2026, CISA continued implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires critical infrastructure owners and operators to report significant cyber incidents and ransomware payments to the federal government — the most significant expansion of federal cybersecurity reporting requirements since the agency's creation.