CISA pushes three-day remediation target in CI Fortify for critical infrastructure
- CISA launched CI Fortify on May 5, telling critical infrastructure operators to plan for cyberattacks that sever outside connections and still keep essential services running.
- The sharpest related signal is separate but important: CISA officials are reportedly weighing a default three-day fix window for exploited federal vulnerabilities, down from 14 days.
- Together, those moves shift cyber planning from keeping attackers out to surviving compromise, isolation, and slower manual operations.

Critical infrastructure is the stuff that has to keep working when everything else is on fire — water plants, hospitals, power systems, telecom networks. CISA’s new CI Fortify push is about that exact problem. Not “how do we stop every intrusion,” but “how do we keep delivering essential services after an intrusion lands?” That is the real change here. And the separate report that CISA is weighing a three-day remediation target for exploited federal vulnerabilities makes the message even sharper: patch faster, isolate faster, recover faster.

### What is CI Fortify, exactly?

CI Fortify is CISA’s new resilience initiative for critical infrastructure, released May 5, 2026. The core assumption is blunt — in a geopolitical conflict, operators should assume third-party telecom, internet, vendors, and service providers may be unreliable, and threat actors may already have some access to operational technology networks. That is a very different planning baseline from normal enterprise security guidance. (cisa.gov)

### Why is that a big shift?

Because most cyber programs still center on prevention. CI Fortify centers on continuity. CISA is telling operators to build two emergency capabilities: isolation and recovery. Isolation means deliberately cutting off external dependencies and still running in a degraded state. Recovery means restoring vital systems quickly while still isolated, or switching to local and manual operations if needed. Basically, the plan assumes compromise and asks whether the plant, hospital, or utility can still function. (cisa.gov)

### What does “isolation” mean in practice?

It means more than network segmentation on a slide deck. CISA is pushing operators to identify critical customers, define a minimum service target, map the OT and support systems needed to hit that target, and update continuity plans so they can operate for weeks or months with limited outside connectivity. That points straight at microsegmentation, local control paths, manual overrides, and preplanned enforcement points where teams can quarantine parts of the environment fast. (cisa.gov) The guidance does not use all of those product words, but that is the architectural implication.

### Where does the three-day deadline fit in?

This is the other half of the story. Separately from CI Fortify, multiple reports say CISA is considering shrinking the default remediation window for exploited federal vulnerabilities to three days. Today’s KEV program already pushes federal civilian agencies to remediate cataloged exploited flaws within prescribed deadlines, and the current benchmark many people know is 14 days for newer high-severity flaws under the 2021 directive. A three-day target would be a major compression of that cycle. (cisa.gov)

### Is that official policy already?

No — not yet. The three-day figure is still in the “being discussed” bucket, based on reporting from people familiar with the conversations. That matters, because you should treat it as a policy signal, not a finalized rule. But policy signals from CISA tend to shape behavior before the paperwork is finished, especially for vendors and operators that support federal systems or borrow federal playbooks. (cisa.gov)

### Why push that hard now?

Because the gap between disclosure and exploitation keeps shrinking, and CISA’s whole threat framing has gotten more urgent. The agency says nation-state actors have pre-positioned across critical infrastructure and could target operational technology and telecom services during a broader conflict. If that is your threat model, a two-week patch window starts to look leisurely.

### What changes for defenders?

(cpomagazine.com) The catch is that you cannot patch your way to this outcome. If the remediation clock gets shorter, organizations need asset visibility, tested backups, automated prioritization around KEV-listed flaws, and designs that let them cut off compromised zones without taking the whole service down. In plain English — faster patching only works if the environment was built for containment first.

### Bottom line?

CI Fortify is CISA telling critical infrastructure to plan for cyber combat conditions, not ordinary outages. (cisa.gov) The rumored three-day remediation target turns that philosophy into a tempo requirement. The message is simple: assume breach, preserve the mission, and make sure your network can fail in pieces instead of all at once. (cisa.gov 1) (cisa.gov 2)