What CISA CI Fortify Actually Requires
The CISA CI Fortify initiative, published May 5, 2026, marks a shift in how the US government approaches critical infrastructure resilience. Previous frameworks focused on protecting operational technology (OT) networks from intrusion. CI Fortify addresses a different scenario: what happens when the internet and telecom infrastructure connecting those OT networks to the outside world is deliberately severed or degraded during a geopolitical confrontation.
The directive identifies two mandatory planning objectives:
Isolation planning: Organizations must develop and document the capability to “proactively disconnect from third-party and business networks” to protect operational technology during a crisis. This is pre-emptive segmentation — not reacting to a breach but deliberately severing connections before an adversary can use them.
Recovery planning: Organizations must document their minimum operational needs, acceptable downtime thresholds, and dependencies on external services; back up critical configuration files; and rehearse “the replacement of systems or the transition to manual” operations on a regular schedule.
The scope is broad: water utilities, transportation operators, defense-critical infrastructure (dams, radars, weapon systems, satellite communications), industrial automation vendors, managed service providers, and security vendors are all covered. CISA received approval for 329 mission-critical hires to support assessments and has already begun pilot-phase evaluations with select organizations.
The Geopolitical Context Driving the Mandate
CI Fortify arrives during a period when internet and telecom severance has moved from theoretical to documented. Submarine cable disruptions, satellite jamming, and deliberate BGP route manipulation are now established tools in geopolitical confrontations. Ukraine’s experience since 2022 demonstrated that military-grade cyber operations can simultaneously target power grids, communications infrastructure, and financial systems — a template that security planners in other regions are studying.
The “isolation” requirement in CI Fortify reflects a specific lesson: organizations that rely on third-party IT networks, cloud services, or vendor remote access to operate their OT systems are exposed when those connections become unavailable or adversarially controlled. The attack vector is not necessarily a direct cyber intrusion — it is the collapse of the connectivity fabric that operational systems depend on. According to Industrial Cyber’s Q1 2026 ransomware analysis, manufacturing is the most targeted sector globally, with 2,128 ransomware victims tracked in Q1 2026 alone — and threat actors are “increasingly abandoning encryption in favor of data theft and extortion-only operations” that require sustained network access rather than a single burst attack.
For critical infrastructure operators, sustained attacker dwell time on a connected OT network is the threat CI Fortify aims to prevent. Ransomware group Qilin alone claimed 361 victims in Q1 2026, down from a Q4 2025 peak of 484 — a baseline that security planners now treat as the normal operating environment. The CI Fortify response: eliminate the connectivity exposure window before an incident begins rather than attempting to contain it after dwell time has accumulated.
What This Means for Critical Infrastructure Operators
CI Fortify’s requirements translate to concrete planning and architecture work that most OT-dependent organizations have not previously formalized. The following framework reflects what the directive’s two pillars actually require in practice.
1. Complete an Isolation Capability Inventory Before Assessment Teams Arrive
CISA plans “targeted assessments” to evaluate organizational preparedness. Organizations that have not mapped their third-party network dependencies before an assessment will be in a reactive posture. The inventory should document every external connectivity path into OT networks: vendor remote-access sessions, cloud-connected historian systems, business IT networks that share firewall rules with OT, and managed security service provider (MSSP) connections. For each dependency, document the operational impact of severing it and the time required to do so safely. This is not an academic exercise — organizations that cannot demonstrate they can isolate within a defined window will likely face remediation requirements.
2. Build Isolation Runbooks That Operations Teams Can Execute Without IT Support
The isolation scenario in CI Fortify assumes that IT teams may themselves be unavailable or their tools inaccessible during a geopolitical crisis. Isolation runbooks must be written for execution by operational staff — control room operators, field technicians — without requiring VPN connectivity, cloud tools, or IT-department involvement. This means physical runbooks, not just digital procedures; pre-staged network switches and firewall rule changes that can be activated with a single command; and trained personnel who have actually practiced the procedure. CISA’s 329 approved mission-critical hires include assessment staff who will evaluate whether these runbooks exist and have been rehearsed.
3. Establish Manual Operations Capability With Defined Downtime Thresholds
The recovery pillar of CI Fortify requires organizations to articulate how long they can operate without external connectivity and what operations they can sustain manually. For water utilities, this means documenting manual pump control procedures and chemical dosing calculations that do not depend on SCADA historian data. For energy grid operators, it means establishing islanding capabilities and manual switching procedures. For transportation, it means fallback communications and dispatch procedures that do not depend on cloud-connected systems. These capabilities need to be documented as formal plans, not institutional memory — staff turnover will otherwise eliminate the organizational knowledge that the plan depends on.
4. Instrument Your Supply Chain for Rapid Disconnection
CI Fortify’s in-scope list includes industrial automation vendors, managed service providers, and security vendors — not just the end operators. This reflects the supply chain attack pattern documented repeatedly in OT environments: attackers gain access through a vendor’s remote session rather than through a direct intrusion. Critical infrastructure operators should audit every vendor with standing remote access to OT systems, replace persistent access credentials with time-bounded sessions, and establish contractual requirements for vendors to maintain their own isolation capabilities. Vendors who cannot demonstrate CI Fortify-compatible practices should be treated as elevated-risk suppliers.
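As an added example that is not part of the original article, the following Python sketch turns the four planning items above into a checkable inventory: each external connectivity path carries its safe-severance time, documented impact, access model, and manual-fallback coverage, and the assessment flags what a CISA assessment team would ask about. The data model, field names, thresholds, and sample paths are constructed assumptions, not anything the directive itself specifies.

```python
from dataclasses import dataclass

@dataclass
class ExternalPath:
    """One external connectivity path into the OT network (constructed model)."""
    name: str                     # e.g. vendor remote-access session, cloud historian
    kind: str                     # "vendor", "cloud", "business_it" or "mssp"
    sever_minutes: int            # time required to disconnect it safely
    impact: str                   # documented operational impact of severing it
    persistent_access: bool       # standing credentials vs. time-bounded sessions
    manual_fallback_hours: float  # how long operations continue manually without it

def assess_inventory(paths, isolation_window_minutes, acceptable_downtime_hours):
    """Return (severity, message) findings against the isolation and recovery pillars."""
    findings = []
    # Isolation pillar: the whole inventory must be severable within the defined window.
    total = sum(p.sever_minutes for p in paths)
    if total > isolation_window_minutes:
        findings.append(("high", f"isolation takes {total} min, window is {isolation_window_minutes} min"))
    for p in paths:
        if not p.impact.strip():
            findings.append(("medium", f"{p.name}: severance impact undocumented"))
        # Supply-chain item: vendors and MSPs with standing access need time-bounded sessions.
        if p.kind in ("vendor", "mssp") and p.persistent_access:
            findings.append(("high", f"{p.name}: standing access; replace with time-bounded sessions"))
        # Recovery pillar: manual fallback must cover the acceptable downtime threshold.
        if p.manual_fallback_hours < acceptable_downtime_hours:
            findings.append(("high", f"{p.name}: manual fallback {p.manual_fallback_hours}h "
                                     f"below threshold {acceptable_downtime_hours}h"))
    return findings

def isolation_ready(findings):
    """True when no high-severity gap remains in the inventory."""
    return not any(sev == "high" for sev, _ in findings)

# Constructed sample inventory; the paths and numbers are illustrative only.
SAMPLE_INVENTORY = [
    ExternalPath("Integrator remote support VPN", "vendor", 10, "Loss of vendor troubleshooting", True, 72.0),
    ExternalPath("Cloud historian uplink", "cloud", 5, "Trend data buffered locally; no control loss", False, 48.0),
    ExternalPath("Corporate IT shared firewall zone", "business_it", 30, "", False, 24.0),
    ExternalPath("MSSP log forwarding", "mssp", 2, "Detection moves to local SIEM", False, 96.0),
]

if __name__ == "__main__":
    for severity, message in assess_inventory(SAMPLE_INVENTORY, 45, 48.0):
        print(f"[{severity}] {message}")
```

Run against the sample inventory with a 45-minute isolation window and a 48-hour downtime threshold, it reports the over-long severance sequence, the standing vendor credential, the undocumented impact, and the fallback that falls short of the threshold.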
The Broader Resilience Shift
CI Fortify represents a maturation in how regulators think about critical infrastructure security. The previous decade of OT security focused heavily on preventing intrusions — network segmentation, patching, vulnerability management. CI Fortify accepts that some connectivity will be lost or compromised and asks operators to plan for operating through that reality rather than assuming it will not happen.
This is the “resilience” shift that has been discussed in critical infrastructure security circles since the May 2021 Colonial Pipeline attack — the single most consequential critical infrastructure cyber incident in US history — which demonstrated that an IT-layer ransomware event could force voluntary OT shutdown due to billing system unavailability rather than any direct OT compromise. Colonial did not lose control of its pipeline — it chose to shut down because it could not bill for deliveries. CI Fortify’s manual operations requirement is designed to prevent that class of business-continuity failure from triggering a physical infrastructure shutdown in the next crisis. According to Cognyte’s 2026 ransomware analysis, 7,809 confirmed ransomware incidents were disclosed globally in 2025, a 27.3% year-over-year increase, with critical infrastructure (manufacturing, energy, healthcare, transportation) accounting for 33.6% of all attacks.
For organizations outside the United States that operate critical infrastructure, CI Fortify’s framework is worth studying even where it is not legally binding. The isolation and recovery planning disciplines it mandates are applicable regardless of jurisdiction — the geopolitical risk scenarios that motivated the directive are global, not American.
Frequently Asked Questions
Does CISA CI Fortify apply to organizations outside the United States?
CI Fortify is a US regulatory initiative and is legally binding only for US-regulated critical infrastructure operators. However, the isolation and recovery planning disciplines it mandates are applicable globally — the geopolitical risk scenarios that motivated the directive (submarine cable disruption, satellite jamming, BGP manipulation) are not uniquely American threats. International critical infrastructure operators, including those in the energy, water, and transport sectors, can adopt the framework voluntarily as a resilience best practice even where it carries no legal obligation.
What is the difference between the “isolation” and “recovery” pillars of CI Fortify?
Isolation planning focuses on proactively severing connections to third-party and business IT networks before or during a geopolitical crisis — the goal is to prevent adversaries from exploiting those connections to reach operational technology systems. Recovery planning focuses on what happens after isolation: organizations must document how long they can operate without external connectivity, which operations they can sustain manually, and what the step-by-step procedure is for restoring systems after the crisis passes. Both pillars are mandatory under CI Fortify and are evaluated separately during CISA’s targeted assessments.
What sectors are included in CISA CI Fortify’s scope?
CI Fortify’s scope is broad and includes water utilities, transportation operators, defense-critical infrastructure (dams, radars, weapon systems, satellite communications), industrial automation vendors, managed service providers, and security vendors. The inclusion of vendors and MSPs — not just end operators — reflects the documented attack pattern of adversaries gaining OT access through vendor remote sessions rather than direct intrusions. CISA’s 329 approved mission-critical hires are focused on conducting targeted assessments across this full scope.
Sources & Further Reading
- CISA Tells Critical Organizations to Prepare for Cyber Outages — Federal News Network
- Ransomware Reaches Elevated New Normal as Attack Volumes Hold Steady Into 2026 — Industrial Cyber
- Cybersecurity Threats 2026 — Jazz Cyber Shield Blog
- Cybersecurity Roundup May 13 2026: CISA, Anthropic, Microsoft Teams Canvas — Hipther
- Ransomware in 2025: 7,809 Incidents, 27.3% Year-Over-Year Increase — Cognyte