CISA pushes CI‑Fortify isolation plan

- CISA launched its new CI Fortify initiative on May 5, telling U.S. critical-infrastructure operators to prepare to keep essential services running during cyberattacks.
- The core ask is unusually concrete: build two emergency capabilities now — isolation from third-party dependencies and rapid recovery while offline.
- It matters because CISA is treating disconnected operation as a design requirement, not just a last-ditch incident-response drill.

Critical infrastructure is the stuff that has to keep working even on a very bad day — power, water, transport, hospitals, telecoms. The awkward truth is that a lot of it now depends on outside networks, cloud services, vendors, and internet links that may vanish right when an attacker wants maximum disruption. That is the gap CISA is trying to close with CI Fortify, a new initiative released May 5 that tells operators to plan for cyberattacks by assuming they may have to run while partially cut off.

### What changed?

CISA did not just publish another general resilience memo. It launched CI Fortify as a named initiative and centered it on two emergency capabilities: isolation and recovery. In plain English, the agency wants operators to be able to deliberately disconnect from third-party dependencies and still maintain a baseline of critical service, then restore compromised systems quickly while staying isolated.

### What does “isolation” mean here?

Basically, it means planning for a world where the internet, telecom links, remote management, and outside service providers are not available or are too risky to trust. CISA’s wording is blunt: operators should be ready to disconnect from third-party dependencies and operate without reliable telecommunications system may be part of the problem.

### Why is that a big deal?

Because modern critical infrastructure is deeply interconnected. CISA itself describes 16 critical-infrastructure sectors as part of a complex ecosystem, and that complexity is exactly what attackers can exploit. If your plant, pipeline, hospital system, or utility only works when every outside connection is healthy, the more the crisis starts.

### Why now?

The timing makes sense if you look at recent U.S. warnings about adversaries pre-positioning inside infrastructure. CISA and partner agencies have spent the past two years warning that PRC state-sponsored actors were compromising U.S. critical infrastructure and maintaining persistent access. CI Fortify reads like the operational answer to that threat model — assume essential functions can still limp along.

### What does “recovery while isolated” actually require?

This is the part that sounds simple but is hard in practice. Recovery here is not “call the vendor, pull from the cloud, and rebuild normally.” CISA says rapid restoration has to happen while the organization remains isolated, with testing of recovery plans and practice for local and manual operations. So the real requirement is to know how to run them.

### Is this mandatory?

No — this is guidance, not a new regulation. But it is still important because CISA is the federal government’s cyber defense agency and national coordinator for critical infrastructure security, and its guidance often shapes how operators, sector partners, and vendors define best practice. Even when it does not carry legal force, it can reset expectations for architecture, procurement, and incident exercises.

### Who needs to care first?

Operators in every critical-infrastructure sector, but especially anyone running operational technology that cannot fail cleanly. The organizations with the most homework are the ones that rely heavily on remote administration, centralized identity, cloud dashboards, managed services, or brittle vendor links. If a service cannot survive a clean break from those dependencies, CI Fortify is basically telling you where the weak point is.

### Bottom line?

CISA is pushing a harsher but more realistic idea of resilience: not “we have backups,” but “we can still function when the network around us goes dark.” That is expensive, and sometimes inconvenient. But for systems the public depends on every hour of every day, turns out that is the standard now.
