Published by Emerging Technologies Laboratory · via ETL Newswire
Security· 

CISA Tells Critical Infrastructure Operators to Plan for Weeks of Isolation During Geopolitical Conflict

The agency's new CI Fortify initiative asks water utilities, energy operators, and defense-linked facilities to assume adversaries are already inside their networks and to plan for sustained disconnection from the internet and third-party vendors.

By Renée Kovac, Correspondent · Security Desk

CISA launched a new operational continuity initiative on May 5, 2026, built around a premise it's been reluctant to state this plainly before: in a geopolitical conflict, the networks supporting U.S. critical infrastructure will probably be compromised before anyone sounds an alarm.

The initiative, called CI Fortify, centers on two planning objectives: isolation and recovery. Per guidance published on the CISA website and reviewed for this piece, isolation means proactively disconnecting operational technology systems from third-party providers, telecommunications networks, and business systems before an attack forces the issue. Recovery means documenting systems, backing up critical files, and drilling the replacement of components or the transition to manual operations if isolation fails.

The planning horizon is not measured in hours. According to the CISA CI Fortify webpage, the agency wants operators to update business continuity plans to allow for safe operations "for weeks to months" while isolated from IT networks and outside vendors. That's a significant ask for sectors whose operational technology environments weren't designed to run air-gapped.

Acting CISA Director Nick Andersen was explicit about the threat model driving the guidance. "In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering, at a minimum, crucial services," Andersen said in a statement released alongside the initiative. The implicit referent, spelled out in reporting by Cybersecurity Dive, is China's Volt Typhoon campaign, which U.S. officials assess was designed to pre-position Chinese actors inside Western critical infrastructure ahead of any conflict over Taiwan.

CISA is prioritizing what it calls "defense critical infrastructure," a category covering dams, radars, weapon systems, and satellite communications, according to Federal News Network's account of a reporter call with Andersen. But CI Fortify is addressed to all 16 critical infrastructure sectors, including water, energy, and transportation.

The guidance instructs operators to plan as though third-party connections, including telecommunications, internet access, vendor support, and upstream dependencies, will be unreliable during a conflict, and to assume that threat actors will have some degree of access to operational technology networks. That's not a hypothetical framing. CISA has reiterated, as SecurityWeek noted in its coverage of the launch, that adversaries have already embedded themselves inside critical systems and are positioned to move from espionage to impact on short notice.

CI Fortify is not a binding regulation. Legal analysis by Crowell and Moring, reviewed for this piece, flags that the initiative is voluntary today but "establishes a federal baseline that will be difficult to ignore post-incident" and raises expectations for boards and legal teams in future regulatory examinations, insurance disputes, or litigation. That's the real lever: the guidance creates a paper trail against which response failures will be measured.

CISA said it will conduct targeted assessments of how prepared specific organizations are to meet the initiative's objectives. Andersen told reporters the agency had already begun a pilot phase with an undisclosed set of organizations and expects the work to ramp up as CISA hires additional staff, per CyberScoop's reporting on the launch call.

The context here is worth stating clearly. CISA emerged from the longest government shutdown in U.S. history earlier this year and has shed staff for the past twelve months, according to Federal News Network. The agency is simultaneously being asked to stand up new voluntary assessments across all critical infrastructure sectors at a moment when its own institutional capacity is constrained. Whether CI Fortify produces measurable changes in operator posture, or remains a well-documented set of aspirations, will depend heavily on how quickly the agency can rebuild the workforce to execute it.

Sources cited:
- CISA CI Fortify official webpage (https://www.cisa.gov/topics/industrial-control-systems/ci-fortify)
- CISA press release (https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-americas-critical-infrastructure)
- Federal News Network (https://federalnewsnetwork.com/cybersecurity/2026/05/cisa-tells-critical-organizations-to-prepare-for-cyber-outages/)
- CyberScoop (https://cyberscoop.com/cisa-ci-fortify-critical-infrastructure-isolation-recovery-guidance-during-conflict/)
- Cybersecurity Dive (https://www.cybersecuritydive.com/news/cisa-ci-fortify-isolation-recovery-guidance/819317/)
- SecurityWeek (https://www.securityweek.com/cisa-critical-infrastructure-must-master-isolation-recovery/amp/)
- Crowell and Moring client alert (https://www.crowell.com/en/insights/client-alerts/cisas-ci-fortify-initiative-signals-new-expectations-for-critical-infrastructure-resilience-what-operators-and-vendors-need-to-know)
- Nextgov/FCW (https://www.nextgov.com/cybersecurity/2026/05/cisa-unveils-ci-fortify-help-secure-critical-infrastructure-during-conflicts/413333/)

Reporting by Renée Kovac, Correspondent, for the Security desk · ETL Newswire staff
Read more at the source

This release was originally distributed via ETL Newswire. Visit CISA CI Fortify official webpage for the full story, related releases, and contact information.

Visit CISA CI Fortify official webpage →