CISA: Cybersecurity and Infrastructure Security Agency

The Cybersecurity and Infrastructure Security Agency (CISA) is the lead federal civilian agency for protecting the networks of the Executive Branch and for coordinating national cybersecurity resilience across the public and private sectors. Established by the Cybersecurity and Infrastructure Security Agency Act of 2018 (Pub. L. 115-278), the agency operates within the Department of Homeland Security and holds a mandate that spans threat intelligence sharing, incident response coordination, vulnerability disclosure coordination, and infrastructure risk management. Understanding where CISA's authority begins and ends matters for any organization navigating federal cybersecurity obligations, voluntary assistance programs, and the broader landscape of credentialed security service providers covered by this resource.


Definition and scope

CISA's foundational authority derives from Pub. L. 115-278, which reorganized the former National Protection and Programs Directorate (NPPD) within DHS into a standalone agency with an elevated operational mandate. The agency holds jurisdiction over two overlapping domains: defense of federal civilian Executive Branch (FCEB) networks — the .gov ecosystem — and voluntary coordination of cybersecurity resilience across the 16 critical infrastructure sectors defined under Presidential Policy Directive 21 (PPD-21). Those 16 sectors include energy, healthcare, financial services, water systems, transportation, and communications, among others.

The agency's functional scope spans five primary program areas:

  1. Cybersecurity — Threat intelligence sharing, coordinated vulnerability disclosure, and public advisory campaigns such as Shields Up
  2. Infrastructure Security — Physical security risk assessments for facilities in sectors like chemical and nuclear
  3. Emergency Communications — Interoperability support for public safety communications networks
  4. Integrated Operations — Real-time situational awareness and incident coordination through the National Cybersecurity and Communications Integration Center (NCCIC)
  5. Stakeholder Engagement — Outreach, exercises, and training across government and private sector entities

CISA does not hold criminal investigative authority. That jurisdiction rests with the FBI and, for certain financial crimes, with the Secret Service. For national security systems (NSS), meaning classified networks and those operated by the Department of Defense and the intelligence community, the NSA serves as National Manager under National Security Directive 42 (NSD-42), and FISMA expressly carves NSS out of CISA's directive authority (44 U.S.C. § 3553(e)). The term "national security system" itself is defined in 44 U.S.C. § 3552 and in the CNSSI 4009 glossary; those documents define the category but are not the source of the NSA's authority over it.


How it works

CISA operates through a blend of statutory directives, voluntary partnership frameworks, and interagency coordination mechanisms. For federal civilian agencies, the agency's authority is compulsory: Binding Operational Directives (BODs) and Emergency Directives (EDs) issued by CISA carry mandatory compliance weight under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3553. BOD 22-01, for instance, established the Known Exploited Vulnerabilities (KEV) catalog and requires FCEB agencies to remediate each cataloged vulnerability by the due date CISA lists for it in the catalog; the catalog is published as a machine-readable JSON feed so that agencies can match it against their own asset and vulnerability inventories.
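The matching step that BOD 22-01 implies is straightforward to automate. The following Python script is an added example, not CISA's own tooling: it loads a catalog in the shape of the public KEV JSON feed, joins it against an asset inventory, and orders the findings by urgency (overdue first, then soonest due date, with ransomware-linked entries ahead on ties). The feed URL is the real public endpoint, but the catalog entries and the inventory embedded here are constructed placeholders with fictitious CVE IDs so the script runs offline; swap in the live feed for real use.

```python
"""Triage an asset inventory against the CISA KEV catalog's dueDate field.

Added example, not CISA's code. The KEV_SAMPLE and INVENTORY data below are
constructed placeholders; the CVE IDs are fictitious and not catalog entries.
"""
import json
from datetime import date

# Public feed; the live catalog has exactly the field names used below.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed sample in the shape of the public feed (placeholder CVE IDs).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2024-06-01T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor",
         "product": "Edge Gateway", "vulnerabilityName": "Placeholder auth bypass",
         "dateAdded": "2024-05-01", "shortDescription": "constructed entry",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor",
         "product": "Mail Server", "vulnerabilityName": "Placeholder RCE",
         "dateAdded": "2024-05-20", "shortDescription": "constructed entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-06-10", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2099-0003", "vendorProject": "ExampleVendor",
         "product": "Edge Gateway", "vulnerabilityName": "Placeholder path traversal",
         "dateAdded": "2024-05-25", "shortDescription": "constructed entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-06-15", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed inventory: asset name -> CVEs a scanner reported on it.
INVENTORY = {
    "vpn-edge-01": ["CVE-2099-0001", "CVE-2099-0003"],
    "mail-02": ["CVE-2099-0002"],
    "build-runner-07": ["CVE-2099-9999"],  # not in KEV: normal patch cycle only
}


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index the feed by CVE ID so inventory lookups are O(1)."""
    feed = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(kev: dict[str, dict], inventory: dict[str, list[str]],
           today: date) -> list[dict]:
    """Return one finding per (asset, KEV CVE), most urgent first.

    CVEs absent from the catalog are skipped: BOD 22-01 deadlines apply only
    to cataloged entries, so those go through the ordinary patch process.
    """
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            findings.append({
                "asset": asset,
                "cve": cve,
                "due": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "required_action": entry["requiredAction"],
            })
    # Overdue first, then earliest deadline; ransomware-linked wins ties.
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"], not f["ransomware"]))
    return findings


def overdue_assets(findings: list[dict]) -> list[str]:
    """Distinct assets that already missed a catalog due date."""
    return sorted({f["asset"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    as_of = date(2024, 6, 1)  # constructed reference date for the sample
    for f in triage(load_kev(KEV_SAMPLE), INVENTORY, as_of):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        tag = " [ransomware]" if f["ransomware"] else ""
        print(f"{f['asset']:16} {f['cve']:14} due {f['due']} {flag}{tag}")
```

To run against the real catalog, replace `KEV_SAMPLE` with the body fetched from `KEV_FEED_URL` (for example with `urllib.request.urlopen`) and feed in your scanner's CVE output; the field names and the `YYYY-MM-DD` `dueDate` format are those of the live feed, so no other change is needed. Note that the catalog's `dateAdded` is not the deadline: the remediation clock is the `dueDate` CISA assigns per entry.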

For private sector and state/local entities, CISA's engagement model is non-compulsory. Organizations participate through:

The purpose and scope of this security provider network, which catalogs credentialed cybersecurity service providers, intersects with CISA's Continuous Diagnostics and Mitigation (CDM) Approved Products List and its services catalog, both of which inform procurement decisions within federal civilian agencies.


Common scenarios

CISA engagement occurs across a predictable set of operational scenarios that differ significantly by sector and organization type.

Federal civilian agency — compliance-driven: An FCEB agency must comply with BOD 23-01, which requires automated asset discovery across the agency's address space at least every 7 days and vulnerability enumeration across discovered assets at least every 14 days. The agency reports the resulting inventory data to CISA through the Continuous Diagnostics and Mitigation (CDM) program, a $6.9 billion initiative (DHS budget justification, FY2023) designed to provide near-real-time visibility into federal network posture.

Critical infrastructure operator — voluntary coordination: An electric utility operator under sector-specific oversight from the North American Electric Reliability Corporation (NERC) may engage CISA, through its regional Cybersecurity Advisors, for a Cyber Resilience Review (CRR), a no-cost assessment based on the CERT Resilience Management Model (CERT-RMM). Participation is voluntary and findings are not shared with regulatory bodies unless the organization consents.

State and local government — grant-funded programs: Under the State and Local Cybersecurity Grant Program (SLCGP), authorized by the Infrastructure Investment and Jobs Act (Pub. L. 117-58), CISA and FEMA jointly administer $1 billion allocated over four fiscal years (FY2022 through FY2025) for eligible state, local, tribal, and territorial (SLTT) governments. Recipients must align spending with a CISA-approved cybersecurity plan.

Private sector — incident notification: Following a significant cyber incident, a private entity may voluntarily report to CISA's 24/7 operations center. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enacted as Division Y of Pub. L. 117-103, directs CISA to promulgate rules requiring covered entities in critical infrastructure sectors to report covered cyber incidents within 72 hours and ransom payments within 24 hours. CISA published its notice of proposed rulemaking in April 2024; the reporting obligations become mandatory only when the final rule takes effect.


Decision boundaries

Distinguishing CISA's role from other federal cybersecurity bodies prevents misdirected reporting and misaligned compliance efforts. The primary distinctions are structural:

| Authority | Primary domain | Mandatory or voluntary | Legal basis |
|---|---|---|---|
| CISA | Federal civilian networks; critical infrastructure coordination | Mandatory for FCEB; voluntary for private sector | Pub. L. 115-278; FISMA (44 U.S.C. § 3553) |
| NSA / CNSS | National security systems; signals intelligence | Mandatory for NSS operators | NSD-42; 44 U.S.C. § 3553(e) |
| FBI (Cyber Division) | Criminal investigation; threat actor attribution | Law enforcement | 28 U.S.C. § 533 |
| NIST | Standards and frameworks development | Voluntary (except where adopted by mandate) | 15 U.S.C. § 272 |
| OFAC / Treasury | Sanctions compliance related to cyber actors | Mandatory | 50 U.S.C. § 1701 (IEEPA) |

A private-sector healthcare organization facing a ransomware event operates outside CISA's mandatory jurisdiction until CIRCIA rulemaking is finalized, but may engage CISA voluntarily for technical assistance. That same organization faces mandatory breach notification obligations under HHS Office for Civil Rights (OCR) pursuant to the HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400–414 — a distinct regulatory track that CISA does not administer.

For organizations evaluating whether CISA-aligned services or credentialed providers meet their specific compliance framework requirements, the "How to use this security resource" reference explains the classification structure of the verified provider categories in this network.

