CISA Tells Critical Infrastructure to Plan for Weeks of Isolation During Geopolitical Cyber Conflict
The CI Fortify initiative, released in early May, instructs water, energy, and defense-sector operators to assume nation-state actors already have a foothold in their OT networks and to build for service delivery without internet or third-party vendors.
CISA released guidance in early May directing critical infrastructure operators to prepare their operational technology systems to run in isolation for what the agency's own documentation describes as "weeks to months" - a planning horizon that acknowledges, with unusual candor, that eradication of embedded adversaries is not a near-term certainty.
The initiative, named CI Fortify, frames the threat in terms of conflict rather than peacetime intrusion. According to the CISA press release reviewed for this story, the guidance is designed to "help critical infrastructure entities across all sectors prepare to operate through a crisis or conflict, continuing vital service delivery even as their systems are under attack." The agency named acting director Nick Andersen delivered the announcement via a call with reporters.
Two planning objectives anchor the guidance. The first is isolation: the deliberate severing of OT networks from business IT, vendors, managed service providers, and upstream internet dependencies before or during an attack. The second is recovery: documented backup procedures, manual fallback operations, and practiced system-replacement drills for when isolation itself fails. Both capabilities, CISA wrote on the CI Fortify webpage, are intended to "mitigate this threat within the next few years" - language that sets a multi-year remediation timeline, not a sprint.
The implicit threat model running through the guidance is the Volt Typhoon campaign, in which Chinese-linked actors pre-positioned on U.S. critical infrastructure for potential use during a kinetic conflict. According to reporting by CyberScoop, which reviewed the agency's guidance, CISA has reiterated that adversaries "have already embedded themselves inside critical systems and telecommunications networks." Andersen, in his own comments to reporters, framed CI Fortify as not being aimed at any single nation-state actor - a position worth interrogating, given that the initiative's CI Fortify webpage links directly to the 2024 Volt Typhoon advisory as its first external reference.
CISA's posture here is assessed, at moderate confidence, as a shift from the previous deterrence-forward framing toward a resilience model that treats persistent compromise as a planning assumption rather than a failure to be prevented. That is a meaningful doctrinal move. Whether the resource base exists to back it is a separate question.
The agency enters CI Fortify in a constrained operating environment. According to Federal News Network's coverage of the announcement, CISA emerged from what the outlet described as "the longest shutdown in government history" and has been shedding staff for the past year. Acting Director Andersen pointed to recently approved plans for 329 "mission-critical" hires as evidence of institutional recovery, but said that represented only "an initial tranche of additional hiring." The 10 regional offices, which are supposed to carry the bulk of the targeted assessments under CI Fortify, are prioritized in that hiring plan - but prioritized doesn't mean funded and staffed.
The initiative does not carry binding regulatory force. It is guidance, not a rule. The Cyber Incident Reporting for Critical Infrastructure Act's final implementation rule - which would attach mandatory timelines to incident disclosure for roughly 316,000 entities - was delayed by the Trump administration until May 2026 and as of publication has not been finalized, according to Federal News Network.
CISA is prioritizing what it calls "defense critical infrastructure" for its initial assessments: dams, radars, weapon systems, and satellite communications. Andersen declined to identify which organizations are already inside the pilot phase, saying only that assessments have begun. Healthcare appears in every version of the guidance as a named sector, but the operational complexity of isolating hospital systems - which depend on vendor-managed EHR and imaging infrastructure that is itself internet-dependent - is not addressed at the level of specificity that sector would need to act.
The structural tension in CI Fortify is visible in the planning assumption itself. Operators are told to assume threat actors already have some access to their OT networks. If that is the working assumption, the guidance's value is in buying time and limiting blast radius - not in preventing intrusion. That is a defensible posture, but it should be named plainly. CI Fortify is a continuity-of-operations framework built for a threat environment where prevention has already partially failed.
Sources cited:
- CISA press release: CI Fortify initiative announcement (https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-americas-critical-infrastructure)
- CISA CI Fortify guidance webpage (https://www.cisa.gov/topics/industrial-control-systems/ci-fortify)
- CyberScoop: CISA wants critical infrastructure to operate 'weeks to months' in isolation (https://cyberscoop.com/cisa-ci-fortify-critical-infrastructure-isolation-recovery-guidance-during-conflict/)
- Federal News Network: CISA tells critical organizations to prepare for cyber outages (https://federalnewsnetwork.com/cybersecurity/2026/05/cisa-tells-critical-organizations-to-prepare-for-cyber-outages/)
- The Record: New CISA initiative aims for critical infrastructure to operate offline during cyberattacks (https://therecord.media/cisa-initiative-aims-for-critical-infrastructure-to-operate-during-cyberattacks)
- Nextgov/FCW: CISA unveils CI Fortify to help secure critical infrastructure during conflicts (https://www.nextgov.com/cybersecurity/2026/05/cisa-unveils-ci-fortify-help-secure-critical-infrastructure-during-conflicts/413333/)
This release was originally distributed via ETL Newswire. Visit CISA press release: CI Fortify initiative announcement for the full story, related releases, and contact information.
Visit CISA press release: CI Fortify initiative announcement →