The US Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a new national initiative aimed at helping critical infrastructure operators withstand and recover from major cyberattacks by preparing to operate in isolation from the internet and third-party dependencies.
The program, CI Fortify, is designed to ensure that organizations can continue delivering essential services even when their networks are degraded, disconnected, or under active cyberattack. “Resilience and reliability begin with planning and investing,” said acting CISA director Nick Andersen during a media briefing, emphasizing that operators must be ready to function even when cut off from external connectivity.
“CI Fortify gets the doctrine right,” said James Winebrenner, CEO of network security vendor Elisity. “What’s missing is the operator-side investment that would make this guidance executable.”
The initiative arrives as US officials warn that adversaries are already pre-positioned inside critical infrastructure networks, with the potential to disrupt electricity, water, and communications during geopolitical conflict.
What CISA is trying to solve
At its core, CI Fortify is about operational resilience under worst-case conditions. CISA is urging organizations to assume that connectivity, particularly to external providers, may not be available during a major incident and to plan accordingly.
For operators, that resilience means developing the ability to intentionally disconnect from third-party services, telecommunications, and even portions of their own IT environments, while continuing to operate critical systems. It also means being able to restore compromised systems rapidly while in that isolated state.
CISA officials stress that this is not about traditional air-gapping, but about controlled isolation combined with the ability to operate locally and manually when needed. The goal is to sever adversaries’ access while maintaining essential service delivery.
“When a cyberattack occurs, well-planned emergency capabilities help ensure the affected organization can still deliver critical services,” CISA’s Andersen said.
The agency said it will support the effort through targeted assessments, guidance, and exercises, with a pilot phase already underway and additional much-needed staffing planned to scale the program across sectors.
In practical terms, the initiative pushes organizations to answer difficult questions: How long can they operate without external connectivity? Which dependencies are critical? And what is the minimum viable level of service they must maintain during disruption?
A familiar playbook under a new name
While the framing of CI Fortify is new, the underlying concepts are not. Several experts say the initiative largely repackages long-standing practices around disaster recovery, business continuity, and incident response — areas where many organizations have historically underinvested.
“It looks to me like traditional business continuity planning, disaster recovery, and incident response,” said Richard Forno, associate director of the UMBC Cybersecurity Institute. “These are things organizations should have long since incorporated into their cybersecurity planning.”
That gap between theory and practice is precisely what CISA is trying to close. The agency’s message is that planning alone is insufficient: Operators must build and test capabilities that work under real-world stress.
Bill Moore, CEO of Xona Systems, a secure remote access vendor, framed the issue in architectural terms, arguing that resilience depends on how systems are designed to function during disruption.
“Resilience is not achieved by policy, visibility, or incident response plans alone,” Moore said. “Critical infrastructure operators need architectures that keep essential work moving when networks are segmented, degraded, isolated, or under active cyber stress.”
The visibility problem
One of the biggest challenges facing CI Fortify is that many organizations lack a clear understanding of their own dependencies, particularly in operational technology environments.
Modern critical infrastructure is deeply interconnected, relying on layers of vendors, managed service providers, integrators, and licensing systems. That complexity makes it difficult to map out what needs to be disconnected and what must remain operational during a crisis.
“You can’t plan to operate disconnected from third parties for weeks to months until you can actually list who those third parties are,” Elisity’s Winebrenner said. “Most operators can’t.”
This visibility gap has been highlighted in recent incidents, including one involving utility technology provider Itron and another involving Iranian threat actors compromising programmable logic controllers at critical infrastructure facilities, where attackers exploited poorly understood connections into OT environments. Without a comprehensive inventory of dependencies, isolation planning may become largely theoretical.
CISA’s emphasis on assessments and dependency mapping acknowledges this challenge, but closing the gap will require sustained effort—and likely new tooling—on the part of asset owners.
Cost, incentives, and reality
Even when organizations understand what needs to be done, the economics of resilience remain a major barrier.
Building systems that can operate without external dependencies often requires redundant infrastructure, backup systems, and alternative communication channels, all of which come at a cost.
“To do what they are proposing requires having a ton of resources on hot standby, which costs money,” UMBC’s Forno said. “Companies are, in many cases, not going to spend the money to ensure that they can unplug and seamlessly transition.”
That tension between security and cost is likely to shape how CI Fortify is adopted. Industry resistance to past regulatory efforts suggests that voluntary guidance alone may not drive widespread change.
Remote access as a control point
Another key theme is the role of remote access as both a necessity and a risk.
During a disruption, operators, engineers, and vendors still need to access critical systems. But traditional approaches — such as VPNs and broad network-level access — can undermine isolation efforts by expanding the attack surface.
Xona Systems’ Moore argues that remote access must be rethought as a tightly controlled, auditable function designed for crisis conditions.
“Critical infrastructure resilience requires remote access built for crisis conditions: no broad network exposure, no endpoint-to-OT trust assumption, precise session control, and clear evidence of who accessed what, when, and why,” he said.
What CISA is effectively asking operators to do now is confront these critical questions of resilience before a crisis forces the issue. Whether the initiative gains traction will depend less on the clarity of the guidance coming from the government than on whether operators can map their dependencies, justify the cost of resilience, and re-architect access without disrupting the systems they are trying to protect.