CISA launches CI Fortify roadmap
- CISA launched CI Fortify on May 5, telling U.S. critical-infrastructure operators to plan for cyberattacks that disrupt essential services during crises or conflict.
- The core ask is blunt: build isolation and recovery now, assume telecoms, vendors, and internet links fail, and practice manual operations.
- It matters because CISA now treats resilience as wartime continuity, not just compliance, amid fears of pre-positioned nation-state access.

Critical infrastructure is the stuff that keeps normal life normal — water, power, telecoms, transport, hospitals. CISA’s new CI Fortify initiative is about a nasty but realistic scenario: hackers don’t just steal data, they try to break those services during a wider crisis. So the agency is telling operators to stop planning around “perfect connectivity” and start planning for degraded, partly disconnected operations. That shift became official on May 5, when CISA rolled out CI Fortify as guidance for operators across all sectors.

### What is CI Fortify?

Basically, it is a resilience playbook. CISA says critical-infrastructure operators should be ready to keep essential services running even while under cyberattack. The point is not to stay fully functional in every way. The point is to preserve a minimum viable level of service when things are going wrong fast. (cisa.gov)

### Why is CISA changing the tone?

Because the threat model changed. CISA says nation-state actors are already trying to get inside U.S. critical infrastructure, and the agency frames those intrusions as preparation for disruption or destruction during a geopolitical conflict — not just espionage. That is a much harsher assumption than the old model where security teams mostly focused on preventing initial compromise. (cisa.gov)

### What does “isolation” actually mean?

It means planning to cut loose from outside dependencies before those dependencies become the thing that kills your operations. CISA says operators should assume third-party telecoms, internet access, vendors, service providers, and other upstream connections may be unreliable in a conflict scenario. So isolation means figuring out which systems are truly vital, separating them from business networks and third parties, and running in that reduced state for weeks or even months if needed. (cisa.gov)

### And what about “recovery”?

Recovery is the second half of the idea. If isolation fails, or if some systems still get hit, operators need a way to restore the important parts quickly while staying isolated. That means documenting systems, backing up critical files, rehearsing replacement of damaged components, and practicing transitions to local or manual control. In plain English — know how to keep the plant, utility, or service alive without waiting for the whole digital stack to come back. (cisa.gov)

### Why does manual operation matter so much?

Because modern infrastructure is deeply entangled. A utility may depend on remote access, centralized identity, outside communications, cloud tooling, and vendor support all at once. That is efficient in peacetime, but brittle in a crisis. Manual fallback is the cybersecurity version of keeping a paper map in the car — slower, uglier, but sometimes the only thing that still works when the nice system disappears. (cisa.gov)

### Who is this aimed at?

Formally, all 16 U.S. critical-infrastructure sectors. In practice, the message lands especially hard with operators of operational technology — the industrial systems behind energy, water, communications, transportation, and other lifeline services. State and local entities are part of that picture, but CI Fortify is broader than a state-and-local checklist. It is national continuity guidance. (cisa.gov)

### So what changed today?

The big change is that CISA packaged this as a named initiative, not just another best-practices memo. CI Fortify now sits on CISA’s site as a featured campaign, with a clear operating assumption: hostile actors may already have some access, and outside connections may not be there when you need them. That makes resilience architecture — isolation, degraded operations, fast recovery — the center of the strategy. (cisa.gov)

### Bottom line?

CI Fortify is CISA saying the quiet part out loud: for critical infrastructure, “secure” is no longer enough. Systems have to be survivable. If the network is dirty, the vendors are unreachable, and communications are flaky, the service still has to limp on. That is the roadmap now. (cisa.gov 1) (cisa.gov 2)