The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday released new cybersecurity crisis planning guidance that tells critical infrastructure operators to prepare for sustained cyber outages, including scenarios where systems must operate while disconnected from core communications networks.
The guidance, released under the CI Fortify initiative, focuses on preparing water utilities, transportation systems, and defense-linked facilities for cyber attacks during what officials describe as a potential geopolitical cyber crisis. The framework emphasizes maintaining essential services even when internet, telecom, or vendor systems are unavailable.
Acting CISA Director Nick Andersen said the agency has already begun early assessments under the program (Federal News Network report). “We’ve already started to kick off the first couple of assessments under a pilot phase,” Andersen said during a briefing on Tuesday, confirming that evaluations are already underway.
Isolation Becomes the Default Crisis Strategy
At the core of CI Fortify is a shift toward isolation as a strategy, where operators are expected to disconnect operational technology from external networks during high-risk events.
The guidance instructs organizations to assume that third-party systems may fail or be compromised during a cyber crisis. That includes telecom providers, cloud services, and managed service providers.
CISA says critical infrastructure should be able to sustain “essential operations” in a disconnected state rather than defaulting to full shutdown. The approach applies directly to industrial control system environments, where uptime and safety are tightly linked.
Operators are also urged to identify priority customers, including military-linked services, and define acceptable downtime thresholds in advance.
Recovery Planning Moves to Manual Operations
The second pillar of the framework focuses on recovery planning for cyber attacks, including detailed documentation of infrastructure, verified backups, and rehearsed transitions to manual operations.
CISA officials said recovery planning must also account for dependencies on external systems such as licensing servers and remote management tools. The agency stressed that organizations should be able to restore operations even if core systems remain partially degraded.
“The objective is continuity under constraint, not perfection,” the guidance states, emphasizing cyber resilience over traditional restore-first models.
Targeted Assessments and Vendor Pressure Increase
CISA confirmed it will conduct targeted assessments of selected operators to evaluate readiness for isolation and recovery operations. These reviews will prioritize defense critical infrastructure, including dams, radar systems, and satellite-linked networks.
The agency is also expanding pressure on ecosystem partners. Vendors, managed service providers, and integrators are now expected to support operational technology (OT) security planning and help remove technical barriers that prevent isolation.
CISA is also pushing zero trust adoption in OT systems, encouraging segmentation and strict access control even in legacy environments.
What’s Next
CISA plans to expand CI Fortify assessments across additional sectors throughout 2026, with regional offices playing a central role in evaluations. Officials say future updates will refine isolation and recovery benchmarks as operators begin implementing the framework at scale.