The language that government agencies use to describe threats matters. When CISA shifts from advising organizations to harden their perimeters to telling them to plan for operating without external connectivity during a geopolitical crisis, the language is telling you something about what the threat intelligence looks like.

CI Fortify, unveiled by CISA on May 6, 2026, is that kind of signal.

The initiative asks water utilities, transportation operators, power facilities, healthcare systems, and defense-critical infrastructure to develop and test plans for two specific scenarios: isolating from external networks and cloud services during an active threat, and recovering from cyber events that damage or destroy operational technology systems. CISA is conducting targeted assessments to evaluate how prepared specific organizations are against these objectives. The assessment priority is defense critical infrastructure, meaning the facilities that support military operations.

To understand why this initiative represents a meaningful shift, you need to understand what CISA is implicitly saying about the threat environment it is responding to.

The Threat Picture Behind CI Fortify

CISA does not use the phrase "geopolitical crisis" accidentally. The specific threat scenario CI Fortify is designed for, coordinated attacks that sever critical infrastructure from internet, telecommunications, and third-party services, is not the threat profile of ransomware groups or opportunistic criminal actors. Ransomware operators want systems to remain recoverable so the victim can pay for decryption and resume operations. They have no interest in permanently disabling the infrastructure that generates the revenue they are extorting.

The threat profile of an actor who wants to sever critical infrastructure from its dependencies is different. The scenario CISA is planning for involves an adversary with the capability, infrastructure, and intent to damage or destroy operational technology at scale: not to profit from disruption, but to cause it as a strategic objective.

The U.S. intelligence community has publicly attributed this level of capability to several nation-state actors. The Volt Typhoon campaign, disclosed in 2023 and confirmed to have persisted into 2025, involved Chinese state-sponsored actors pre-positioning in U.S. critical infrastructure, specifically in sectors including water, energy, and communications, in ways that suggested preparation for disruptive action rather than espionage. The actors relied on living-off-the-land techniques, using built-in administrative tools rather than custom malware, which is a large part of why the access went unnoticed for so long. That access was not being used to exfiltrate data. It was being maintained as a capability to cause disruption at a moment of strategic choice.

CI Fortify is the operational response to that threat picture. CISA is not saying that an attack is imminent. It is telling operators that the preparations needed to respond to one must be in place now, before a crisis, because resilience cannot be built in the middle of one.

What Has Changed About Critical Infrastructure Risk

Several factors have converged to make critical infrastructure more exposed than it was a decade ago.

Digital convergence of OT and IT. Over the past fifteen years, critical infrastructure operators have dramatically increased connectivity between operational technology (the systems that control physical processes) and business IT networks. Cloud-based monitoring, remote vendor access, internet-connected sensors, and centralized data management have all improved operational efficiency. They have also created connectivity paths that did not previously exist between control systems and external networks.

In the pre-convergence model, an attacker who compromised a water utility’s business network typically had no network path to the systems controlling treatment chemical dosing. In the converged model, that path may exist, often without anyone having deliberately designed it. CI Fortify is responding to this reality by asking operators to plan for the moment when that convergence becomes a liability rather than an asset.

Third-party dependency. Modern infrastructure operations are deeply entangled with cloud providers, managed service providers, industrial automation vendors, and telecommunications carriers. A significant cyber event targeting any of those third parties could deprive infrastructure operators of capabilities they depend on for normal operations.

The 2021 Kaseya VSA attack, which propagated through a managed service provider platform, demonstrated how rapidly supply chain compromises can affect downstream customers. For critical infrastructure operators that depend on managed services for monitoring, patching, or remote support of OT systems, a targeted attack on those providers creates operational exposure.

Detection and response gaps. Most critical infrastructure operators lack the security operations capability to detect sophisticated nation-state intrusions in their OT environments. The Volt Typhoon campaign persisted for years across multiple critical infrastructure sectors before it was publicly attributed. If pre-positioned access exists in U.S. critical infrastructure that has not yet been detected, the ability to rapidly isolate and restore systems matters more, because it is the control that still works when detection has already failed.

What Isolation Actually Requires in Practice

The gap between planning for isolation and being able to execute it is substantial.

Most critical infrastructure operators cannot currently disconnect from external networks and sustain essential operations. The dependencies are too deep, the manual fallback procedures too poorly documented or untested, and the operator skill sets too focused on normal computerized operations to execute effectively in a degraded state.

Building genuine isolation capability requires:

Network segmentation architecture that actually works. Many organizations have network segmentation on paper. In practice, the paths between OT and IT networks have accumulated over years of operational decisions: temporary connections that became permanent, vendor access that was never revoked, monitoring systems that bridged segments. A real isolation plan requires identifying all of those paths, comparing what is actually observed on the wire against what the segmentation design says should exist, and testing that the isolation procedure actually severs them. Reading the firewall rule set is not a test; watching the traffic after the cut-over is.

Manual operating procedures that are current, tested, and understood. For infrastructure systems that have been operated digitally for decades, this is a significant documentation and training effort. What does a water treatment facility do when its SCADA system is unavailable? What are the manual procedures for controlling chemical dosing, pressure management, and distribution system operations? Who knows how to execute them? When were they last practiced?

Communication plans for degraded telecommunications. If a geopolitical cyber event targets telecommunications infrastructure simultaneously with operational technology, standard communication channels may not be available. What are the backup communication methods for coordination between facilities, with regulators, with first responders?

Parts and equipment inventory for OT components. Industrial control system hardware has long lead times and single-source suppliers. An attack that physically damages or destroys OT components cannot be recovered from quickly if replacement parts are not available. CISA’s Recovery framework asks operators to inventory critical components and maintain spares for the most essential systems.
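The segmentation paragraph above describes an audit that is easy to state and tedious to do by hand: reconcile the flows you can observe with the conduits the design says are approved, and work out what would still cross a zone boundary once the isolation rule set is applied. The following is an added example written for this page, not CISA's guidance or any operator's tooling. It assumes a simple two-zone address map, an approved-conduit list with owners, expiry dates and an "is this path kept during a disconnect" flag, and flow records in the (src, dst, dst_port) shape of a Zeek conn.log export; every zone range, conduit and flow below is constructed for illustration.

```python
"""Added example for this page (not CISA's or any operator's tooling): audit
observed network flows against an approved IT/OT conduit list and show what
would still cross a zone boundary under an isolation rule set. The zone map,
conduit list, flow records and audit date are all constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port), as in a Zeek conn.log export

# Constructed zone map. Anything outside the two internal ranges is EXTERNAL.
ZONES = {
    "OT": [ip_network("10.20.0.0/16")],
    "IT": [ip_network("10.10.0.0/16")],
}

AUDIT_DATE = date(2025, 1, 1)  # constructed date on which the audit is run


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "EXTERNAL"


@dataclass(frozen=True)
class Conduit:
    """An approved cross-zone path from the segmentation design (hypothetical fields)."""
    src_zone: str
    dst_zone: str
    dst_port: int
    owner: str
    expires: Optional[date]      # None means permanent
    survives_isolation: bool     # True only if the path is kept during a disconnect


# Constructed approved-conduit list: what the segmentation diagram claims exists.
CONDUITS = [
    Conduit("IT", "OT", 502, "historian-team", None, False),                    # Modbus polling
    Conduit("EXTERNAL", "OT", 443, "vendor-remote", date(2024, 3, 31), False),  # "temporary" vendor access
    Conduit("OT", "IT", 1433, "historian-team", None, True),                    # push to on-site historian
]

# Constructed flow records as they might come out of a flow collector.
FLOWS: List[Flow] = [
    ("10.10.5.20", "10.20.1.10", 502),     # historian -> PLC: approved
    ("203.0.113.7", "10.20.1.11", 443),    # vendor -> HMI: approval expired, never revoked
    ("10.10.9.4", "10.20.1.12", 3389),     # IT jump host -> engineering workstation: undocumented
    ("10.20.1.10", "10.10.5.20", 1433),    # PLC data -> historian: approved, kept under isolation
    ("10.20.1.13", "198.51.100.9", 8883),  # OT telemetry -> cloud MQTT broker: undocumented
    ("10.10.5.20", "10.10.5.21", 445),     # intra-IT, not a zone crossing
]


def is_cross_zone(flow: Flow) -> bool:
    return zone_of(flow[0]) != zone_of(flow[1])


def find_conduit(flow: Flow) -> Optional[Conduit]:
    src, dst, port = flow
    key = (zone_of(src), zone_of(dst), port)
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.dst_port) == key:
            return c
    return None


def audit(flows: List[Flow], today: date) -> Dict[str, List[Flow]]:
    """Classify every cross-zone flow as approved, expired or undocumented."""
    report: Dict[str, List[Flow]] = {"approved": [], "expired": [], "undocumented": []}
    for f in flows:
        if not is_cross_zone(f):
            continue  # same-zone traffic is out of scope for a segmentation audit
        c = find_conduit(f)
        if c is None:
            report["undocumented"].append(f)
        elif c.expires is not None and c.expires < today:
            report["expired"].append(f)
        else:
            report["approved"].append(f)
    return report


def isolation_residue(flows: List[Flow], today: date) -> List[Flow]:
    """Cross-zone flows that would still exist once the isolation rule set is
    applied: everything except conduits explicitly marked survives_isolation.
    Each entry must be severed, or consciously kept, before the drill."""
    residue = []
    for f in flows:
        if not is_cross_zone(f):
            continue
        c = find_conduit(f)
        expired = c is not None and c.expires is not None and c.expires < today
        if c is None or not c.survives_isolation or expired:
            residue.append(f)
    return residue


if __name__ == "__main__":
    for bucket, items in audit(FLOWS, AUDIT_DATE).items():
        print(f"{bucket}: {items}")
    print("still crossing a boundary under isolation:", isolation_residue(FLOWS, AUDIT_DATE))
```

Two of the findings on the constructed data are exactly the ones the paragraph warns about: the vendor path whose approval expired and was never torn down, and the cloud telemetry path nobody wrote down. The residue list is the actionable output for a drill, since each flow on it is either a rule that must be added to the isolation change or a dependency that must be documented as deliberately kept. In a real environment the conduit list would come from the segmentation design and the flows from a collector, and the address map would need to cover more than two ranges.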

The Policy Shift This Represents

For cybersecurity professionals and policymakers, CI Fortify represents an important shift in how U.S. cyber policy is being operationalized.

Previous CISA guidance focused primarily on hardening and detection: make systems harder to compromise, detect intrusions faster, patch vulnerabilities. That guidance remains valid. CI Fortify adds a layer that previous frameworks did not emphasize: assume that hardening and detection may fail, and build the operational capability to sustain essential functions when they do.

This is a realistic posture. Against a sophisticated nation-state adversary with pre-positioned access and strategic patience, a purely preventive posture, one that depends on stopping every intrusion, is not achievable. Resilience, the ability to absorb a disruption and continue operating, is achievable with the right preparation.

The initiative also signals an escalation in the seriousness with which the federal government is treating the threat environment. CISA does not launch new assessment programs without resources and political backing. The assessment priority being placed on defense critical infrastructure specifically suggests that the intelligence picture for that sector has warranted elevated concern.

What This Means for Security Professionals

The CI Fortify initiative creates demand for a specific type of security expertise that does not currently exist in sufficient supply: professionals who understand operational technology environments deeply enough to build genuine resilience, not just compliance documentation.

The roles that benefit most from this initiative are covered in more depth in our companion article on CI Fortify career opportunities. The short version: OT/ICS security specialists, resilience engineers for industrial environments, ICS incident responders, and professionals with the ability to bridge IT security and operational technology are all positioned in a market where demand is growing, regulatory pressure is increasing, and the candidate pool has not kept pace.

The deeper point is that CI Fortify is CISA telling the security industry, and the professionals who work in it, that the threat environment has escalated to a point where existing security programs are insufficient. The organizations that take that message seriously will build more effective security programs. The professionals who take it seriously will build more durable careers.

The agency’s language is careful and official. What it is describing is urgent.