CISA: Cybersecurity and Infrastructure Security Agency
The Cybersecurity and Infrastructure Security Agency (CISA) functions as the United States federal government's primary operational body for defending civilian federal networks and coordinating the protection of critical infrastructure across 16 designated sectors. Established by the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278), the agency operates within the Department of Homeland Security and holds authority that spans both cyber and physical security domains. Its mandate extends beyond the federal perimeter to encompass state, local, tribal, territorial governments, and private sector owners of infrastructure that underpins national security, economic stability, and public health.
Definition and scope
CISA's statutory authority derives from the Cybersecurity and Infrastructure Security Agency Act of 2018, which reorganized and elevated the functions of the former National Protection and Programs Directorate (NPPD). The agency holds three distinct operational mandates: cybersecurity for federal civilian executive branch networks, infrastructure security for physical and cyber systems, and emergency communications coordination.
The scope of CISA's jurisdiction covers federal civilian agencies under the Federal Information Security Modernization Act (FISMA), which grants the agency authority to issue binding operational directives (BODs) compelling specific remediation actions on federal systems. CISA does not hold regulatory authority over private sector entities in the same manner as sector-specific regulators — this distinction separates it structurally from bodies such as the Federal Energy Regulatory Commission (FERC) or the Financial Industry Regulatory Authority (FINRA).
The 16 critical infrastructure sectors — defined by Presidential Policy Directive 21 (PPD-21) — include energy, water systems, healthcare, financial services, transportation, and communications, among others. Each sector operates under a designated Sector Risk Management Agency (SRMA), with CISA serving as the SRMA for 9 of the 16 sectors directly.
How it works
CISA's operational structure organizes around four primary functions:
- Threat identification and intelligence sharing — The agency aggregates threat intelligence through the Automated Indicator Sharing (AIS) program and distributes machine-readable indicators of compromise (IOCs) to registered participants. As of the program's public documentation, AIS operates under the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Intelligence Information (TAXII) standards.
- Incident response and technical assistance — CISA deploys cybersecurity advisors and hunt teams to assist organizations experiencing or recovering from significant cyber incidents. The agency coordinates with the FBI and NSA on major incidents affecting national security equities.
- Binding Operational Directives and Emergency Directives — For federal civilian agencies, CISA issues BODs that carry mandatory compliance requirements. The Known Exploited Vulnerabilities (KEV) catalog, maintained under BOD 22-01, requires federal agencies to patch listed vulnerabilities within defined timeframes — typically 2 weeks for high-severity entries (CISA KEV Catalog).
- Reporting and regulatory coordination under CIRCIA — The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) assigns CISA rulemaking authority to establish mandatory incident reporting timelines. Under CIRCIA's framework, covered entities in critical infrastructure sectors will be required to report significant cyber incidents within 72 hours and ransom payments within 24 hours. The final rule timeline and covered entity definitions are detailed in the CIRCIA overview.
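The KEV catalog is published as a JSON feed in which every entry carries its own BOD 22-01 due date, so the compliance check an agency actually runs is "which catalog entries present in my inventory are past, or near, their due date." The following is an added illustration, not code from CISA or the page; it uses the feed's published field names on a constructed sample (placeholder CVE IDs and dates, not real catalog entries) and a constructed asset inventory.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of the public KEV JSON feed (subset of its fields);
# the CVE IDs, dates and vendor names are placeholders, not real catalog entries.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities", "catalogVersion": "example",
  "dateReleased": "2024-06-01T00:00:00.0000Z", "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "PlaceholderVendor", "product": "Edge Appliance",
     "dateAdded": "2024-05-10", "dueDate": "2024-05-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0002", "vendorProject": "PlaceholderVendor", "product": "Web Server",
     "dateAdded": "2024-05-28", "dueDate": "2024-06-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0003", "vendorProject": "OtherVendor", "product": "Database",
     "dateAdded": "2024-05-30", "dueDate": "2024-06-20", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def load_kev(feed_text):
    """Parse the KEV feed text and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def triage(entries, present_cves, today_iso, warn_days=7):
    """Bucket catalog entries found in our inventory by their BOD 22-01 due date.

    present_cves: CVE IDs an asset inventory (for example CDM data) reports as
    unremediated. Returns {"overdue", "due_soon", "on_track"} lists of CVE IDs,
    each ordered by due date so the most urgent entry comes first.
    """
    today = date.fromisoformat(today_iso)
    buckets = {"overdue": [], "due_soon": [], "on_track": []}
    for e in sorted(entries, key=lambda e: e["dueDate"]):  # ISO dates sort as strings
        if e["cveID"] not in present_cves:
            continue  # not in our environment: no remediation clock to track
        due = date.fromisoformat(e["dueDate"])
        if due < today:
            buckets["overdue"].append(e["cveID"])
        elif due - today <= timedelta(days=warn_days):
            buckets["due_soon"].append(e["cveID"])
        else:
            buckets["on_track"].append(e["cveID"])
    return buckets


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    # Constructed inventory: two of the three catalog entries affect our assets.
    print(triage(entries, {"CVE-1900-0001", "CVE-1900-0002"}, "2024-06-05"))
```

Against the live feed the same function runs unchanged; only the inventory source and the reference date differ.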
The agency also administers the Cybersecurity Grants program for state and local governments, funded under the Infrastructure Investment and Jobs Act at $1 billion over 4 years (DHS Cybersecurity Grants Program).
Common scenarios
CISA's engagement with organizations spans a spectrum from routine technical assistance to major incident coordination:
Federal agency compliance — A federal civilian agency receiving a BOD must remediate flagged vulnerabilities or configuration gaps within the directive's specified window. CISA's Continuous Diagnostics and Mitigation (CDM) program provides federal agencies with tools and dashboards for ongoing asset visibility (CDM Program).
Critical infrastructure voluntary engagement — A regional water utility seeking to assess its operational technology environment can request a no-cost Cyber Performance Goals (CPG) assessment through CISA's advisors. The CPGs, published in October 2022, establish a baseline set of cybersecurity practices distinct from — but complementary to — the NIST Cybersecurity Framework.
Ransomware response — When a ransomware attack affects a hospital system or pipeline operator, CISA serves as the coordination hub, deploying advisors, sharing decryption resources through StopRansomware.gov, and facilitating law enforcement handoffs.
Election infrastructure — CISA designates election infrastructure as a subsector of the Government Facilities Sector. It provides security clearances to state election officials, conducts tabletop exercises, and maintains the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) in partnership with the Center for Internet Security. More detail on this domain appears in election security cybersecurity.
Decision boundaries
Understanding where CISA's authority begins and ends is operationally significant for compliance planners and procurement professionals:
CISA vs. sector regulators — CISA coordinates but does not replace sector-specific regulators. The Transportation Security Administration (TSA) holds authority over pipeline and rail cybersecurity directives. The Nuclear Regulatory Commission (NRC) governs nuclear sector cybersecurity standards. CISA's role in regulated sectors is typically advisory and coordinative, not primary enforcement. The sector-specific cybersecurity regulations page maps this landscape in detail.
Federal civilian vs. DoD — CISA's BOD authority extends to federal civilian executive branch agencies only. Department of Defense systems fall under the Defense Information Systems Agency (DISA) and DoD Instruction 8500 series frameworks. For DoD contractor requirements, the Cybersecurity Maturity Model Certification program applies.
Voluntary vs. mandatory — Until CIRCIA's implementing rules take effect, most CISA engagement with the private sector is voluntary. CIRCIA changes this calculus for covered critical infrastructure entities, imposing mandatory reporting obligations with civil penalty authority for non-compliance.
CISA vs. NSA on federal systems — The National Security Agency (NSA) holds primary authority for national security systems (NSS) under Committee on National Security Systems (CNSS) Instruction 1253. CISA governs civilian agency systems under FISMA. The federal cybersecurity agencies page details jurisdictional boundaries across the full federal cybersecurity apparatus.
References
- CISA Official Website
- Cybersecurity and Infrastructure Security Agency Act of 2018, Public Law 115-278
- CISA Known Exploited Vulnerabilities Catalog (BOD 22-01)
- CISA Continuous Diagnostics and Mitigation Program
- CISA State and Local Cybersecurity Grant Program
- Presidential Policy Directive 21 (PPD-21), The White House
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
- NIST Cybersecurity Framework
- CISA Cyber Performance Goals
- Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq.