Full Report
The agency will begin targeted assessments meant to help critical infrastructure entities operate while disconnecting OT networks from IT and third-party vendors. The post CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict appeared first on CyberScoop.
Analysis Summary
# Regulation/Compliance: CISA CI Fortify Initiative
## Overview
CI Fortify is a strategic initiative designed to ensure that United States critical infrastructure (CI) can maintain "essential service delivery" during periods of heightened conflict or active cyber compromise. The core focus is "operational resilience through isolation," requiring entities to prove they can operate industrial control systems and operational technology (OT) for extended periods (weeks to months) while completely disconnected from corporate IT networks, third-party vendors, and external telecommunications.
## Key Details
- **Issuing Authority:** Cybersecurity and Infrastructure Security Agency (CISA)
- **Effective Date:** May 2026 (Initial rollout/Pilot phase)
- **Jurisdiction:** United States Critical Infrastructure Sectors
- **Status:** In Effect (Pilot assessments currently active; specialized hiring underway)
## Requirements
### Mandatory Requirements (for participating/targeted entities)
1. **OT/IT Disconnection Capability:** Demonstrate the ability to physically or logically sever connections between Operational Technology (OT) and business IT networks without losing core functionality.
2. **Third-Party Decoupling:** Ability to operate without reliance on third-party vendor remote access, cloud services, or external service provider connections.
3. **Emergency Service Level Planning:** Define and document "acceptable service levels" for delivery during isolation.
4. **Manual Workarounds:** Maintain documented procedures and hardware for manual operations when computer-based control systems are unavailable or compromised.
### Recommended Practices
1. **Customer Coordination:** Establish pre-negotiated priority service agreements with "lifeline" customers (e.g., military bases, hospitals) for delivery during recovery periods.
2. **Offline Backups:** Maintain immutable, offline backups of system configurations and critical data.
3. **Isolation Drills:** Regularly test the ability to "go dark" from the public internet while maintaining machinery operations.
## Affected Organizations
- **Industries:** High-priority focus on Energy (Electricity), Water/Wastewater, Transportation, and Communications.
- **Organization Size:** Focus on entities supporting national security, defense, public health, and economic continuity.
- **Geographic Scope:** United States (Domestic critical infrastructure).
## Compliance Timeline
- **May 2026:** Launch of the CI Fortify initiative and commencement of pilot technical assessments.
- **Mid-Late 2026:** Ramping up of assessments as CISA hires additional specialized technical staff.
- **Ongoing:** Sector-by-sector assessments tailored to specific industry needs (e.g., water vs. energy).
## Implementation Guidance
### Assessment Phase
- **Connectivity Mapping:** Inventory all connections between OT, IT, and external vendors (Telecom, SaaS, Remote Maintenance).
- **Dependency Analysis:** Identify which core processes fail immediately upon loss of internet or IT network access.
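
A minimal sketch of the connectivity-mapping step, added here as an illustration and not taken from CISA or the CI Fortify program: it sorts flow records into zones and lists every connection that crosses the OT boundary, marking the long-lived ones. The zone address ranges, the sample flows, and the eight-hour "persistent" threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed zone plan (constructed; replace with the site's own address plan).
ZONES = {
    "OT": ["10.50.0.0/16"],
    "IT": ["10.10.0.0/16"],
    "VENDOR": ["203.0.113.0/24"],  # documentation range standing in for a vendor
}

# Constructed flow records: (src, dst, dst_port, duration_seconds)
SAMPLE_FLOWS = [
    ("10.50.1.20", "10.50.1.5", 502, 86400),    # PLC to HMI, stays inside OT
    ("10.50.1.5", "10.10.4.8", 1433, 86000),    # HMI to IT historian database
    ("203.0.113.7", "10.50.2.9", 3389, 79200),  # vendor remote desktop into OT
    ("10.50.3.3", "198.51.100.44", 443, 30),    # OT host to an internet address
    ("10.10.4.8", "10.10.9.1", 445, 600),       # IT only, out of scope
]

PERSISTENT_SECONDS = 8 * 3600  # assumed threshold for a "persistent" connection

def zone_of(addr):
    """Map an address to its zone name, or EXTERNAL if no zone matches."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return zone
    return "EXTERNAL"

def isolation_inventory(flows):
    """Return OT boundary crossings grouped by the non-OT peer zone."""
    inventory = defaultdict(list)
    for src, dst, port, duration in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if "OT" not in (zs, zd) or zs == zd:
            continue  # not an OT boundary crossing
        outbound = zs == "OT"
        inventory[zd if outbound else zs].append({
            "ot_host": src if outbound else dst,
            "peer": dst if outbound else src,
            "port": port,
            "direction": "outbound" if outbound else "inbound",
            "persistent": duration >= PERSISTENT_SECONDS,
        })
    return dict(inventory)

if __name__ == "__main__":
    for peer_zone, entries in isolation_inventory(SAMPLE_FLOWS).items():
        for entry in entries:
            print(peer_zone, entry)
```

Each entry in the result is a connection that would be severed in isolation, so the list doubles as the starting point for the dependency analysis: every OT host that appears in it needs an answer to what stops working when that link is gone.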
### Implementation Phase
- **Hardening OT:** Implement local control capabilities that do not require "phone home" authentication to vendor servers.
- **Protocol Development:** Create "Isolation Mode" SOPs (Standard Operating Procedures).
### Validation Phase
- **CISA Technical Assessments:** Targeted on-site or remote verification by CISA to test if the entity can sustain operations for "weeks to months" in isolation.
## Technical Requirements
- **Network Segmentation:** Strict "Air-gap" or high-side/low-side separation capabilities.
- **Local Authentication:** Removal of dependency on cloud-based Identity and Access Management (IAM) for OT systems.
- **Manual Overrides:** Physical controls for valves, switches, and breakers that bypass digital logic.
## Penalties & Enforcement
- **Fines:** Currently structured as a voluntary/collaborative assessment model; no direct fines mentioned in the initial Cybersecurity & Infrastructure Security Act framework for this specific program.
- **Other Consequences:** Potential loss of government contracts; increased insurance premiums; heightened regulatory scrutiny from sector-specific local/federal agencies (e.g., EPA for water, FERC for energy).
- **Enforcement:** Primarily through CISA’s "targeted technical assessments" and collaborative reporting.
## Related Standards
- **NIST SP 800-82:** Guide to Industrial Control Systems (ICS) Security (Alignment on OT protection).
- **ISA/IEC 62443:** International standards for the security of IACS (Industrial Automation and Control Systems).
- **CPGs (CISA Cybersecurity Performance Goals):** CI Fortify serves as an advanced implementation of CISA’s baseline CPGs.
## Resources
- **Official Documentation:** [cisa[.]gov/topics/industrial-control-systems/ci-fortify]
- **Guidance Documents:** CISA/NSA/Five Eyes guidance on securing AI and OT.
## Practical Recommendations
- **Audit Third-Party Access:** Immediately audit all "persistent" vendor connections to OT environments.
- **Test "Offline" Ability:** Conduct a "Tabletop Exercise" (TTX) specifically simulating a 30-day disconnection from the internet to identify "fail-deadly" dependencies.
- **Inventory Manual Assets:** Ensure staff are trained on manual equipment (valves, analog gauges) that may have been neglected due to automation.