CISA Resources and Reference

The Cybersecurity and Infrastructure Security Agency (CISA) is the primary federal authority for protecting civilian government networks and coordinating cybersecurity resilience across critical infrastructure sectors in the United States. Established under Pub. L. 115-278 in 2018, CISA publishes binding guidance for federal agencies and voluntary frameworks for private-sector organizations across all 16 critical infrastructure sectors. This page describes CISA's mandate, structural programs, engagement scenarios, and the jurisdictional limits that distinguish its role from other federal cybersecurity bodies — serving as a reference for compliance professionals, security practitioners, and researchers navigating the federal resource landscape.


Definition and scope

CISA was created by the Cybersecurity and Infrastructure Security Agency Act of 2018 (Pub. L. 115-278), which reorganized the Department of Homeland Security's former National Protection and Programs Directorate (NPPD) into a standalone agency with an elevated operational mandate. The agency's jurisdiction covers two overlapping domains: defense of federal civilian Executive Branch networks — broadly the .gov ecosystem — and voluntary coordination of cybersecurity resilience across sectors defined under Presidential Policy Directive 21 (PPD-21), which identifies 16 critical infrastructure sectors including energy, healthcare, financial services, water systems, and communications.

CISA's authority over federal civilian networks is mandatory in nature. Agencies subject to FISMA (44 U.S.C. § 3551 et seq.) are required to follow CISA's Binding Operational Directives (BODs) and Emergency Directives (EDs), which carry the force of federal administrative orders. Private-sector engagement, by contrast, operates on a voluntary coordination model: CISA provides tools, alerts, and assessments but does not hold enforcement authority over non-federal entities except where sector-specific statutes (such as chemical facility regulations under 6 U.S.C. § 621) grant additional powers.

The Digital Security Listings resource provides organized access to service providers operating across the sectors CISA coordinates, useful for organizations mapping their vendor relationships to CISA's sector classification framework.


How it works

CISA operates through four principal program structures, each with distinct delivery mechanisms and audiences:

  1. Binding Operational Directives (BODs): Compulsory directives issued to all federal civilian Executive Branch agencies. BODs address specific, identified vulnerabilities or systemic security gaps. BOD 22-01, for example, established a Known Exploited Vulnerabilities (KEV) catalog requiring federal agencies to remediate listed vulnerabilities within defined deadlines — initially covering 290 vulnerabilities at launch.

  2. Cybersecurity Advisories and Alerts: CISA publishes joint advisories in coordination with the FBI, NSA, and international partner agencies such as the UK's National Cyber Security Centre (NCSC). These advisories identify threat actor tactics, techniques, and procedures (TTPs) using the MITRE ATT&CK framework and are publicly available at cisa.gov/news-events/cybersecurity-advisories.

  3. Voluntary Services and Assessments: CISA offers no-cost services to critical infrastructure owners and operators, including the Cyber Hygiene Vulnerability Scanning service, the Cybersecurity Performance Goals (CPGs), and the Ransomware Vulnerability Warning Pilot (RVWP). These programs are delivered through CISA's regional structure, which maintains field personnel across all 10 FEMA regions.

  4. Information Sharing Programs: The Automated Indicator Sharing (AIS) initiative enables bi-directional exchange of machine-readable threat indicators between CISA and participating private-sector entities under the protections established by the Cybersecurity Information Sharing Act (CISA Act) of 2015. As of its reporting to Congress, AIS had enrolled hundreds of private-sector participants exchanging millions of indicators annually.
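The BOD 22-01 obligation in item 1 is, in practice, a matching exercise between the KEV catalog and an agency's open findings. The following added example (not CISA's code, and not from this page) scores open findings against a constructed KEV excerpt; the JSON field names are assumed to match CISA's public known_exploited_vulnerabilities.json feed, and every CVE id, host name and date is a placeholder.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's public KEV JSON feed
# (known_exploited_vulnerabilities.json); field names are assumed to match that
# feed, and the CVE ids and dates are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Router",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner output: CVEs still open per federal-civilian host.
OPEN_FINDINGS = {
    "gw-01": ["CVE-0000-0001", "CVE-9999-9999"],  # second id is not in the catalog
    "mail-02": ["CVE-0000-0002"],
}


def load_kev(feed_json):
    """Index the catalog by CVE id, parsing dueDate into a date object."""
    catalog = json.loads(feed_json)
    return {v["cveID"]: {**v, "dueDate": date.fromisoformat(v["dueDate"])}
            for v in catalog["vulnerabilities"]}


def bod_22_01_status(findings, kev, today_iso):
    """List open findings that are in the KEV catalog with days past due.

    Findings absent from the catalog are skipped (BOD 22-01 only covers listed
    entries); a negative days_overdue means the due date has not passed yet.
    """
    today = date.fromisoformat(today_iso)
    report = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            report.append({
                "host": host, "cve": cve,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_overdue": (today - entry["dueDate"]).days,
            })
    # Most overdue first; ransomware-linked entries ahead of ties
    report.sort(key=lambda r: (-r["days_overdue"], not r["ransomware"]))
    return report
```

Running `bod_22_01_status(OPEN_FINDINGS, load_kev(KEV_SAMPLE), "2024-03-15")` puts the router finding first, 44 days past its deadline, while the mail finding still has a week left.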

CISA also administers the National Cybersecurity Alliance partnership model and co-leads the Joint Cyber Defense Collaborative (JCDC), which coordinates planning and operations with major cloud providers, critical infrastructure operators, and sector-specific agencies.


Common scenarios

CISA resources become relevant across distinct organizational contexts. The following represent the most frequently encountered engagement patterns:

Federal agency compliance: Agencies receiving a BOD or Emergency Directive must remediate identified vulnerabilities or implement specified controls within mandatory timeframes. BOD 23-02, for instance, required federal agencies to remove or isolate network management interfaces exposed to the public internet within 14 days of identification.

Critical infrastructure risk assessments: Private owners of energy, water, or healthcare infrastructure may request a no-cost Cybersecurity Performance Evaluation (CPE) from CISA's regional teams. These assessments map organizational controls against CISA's CPGs, which are aligned with the NIST Cybersecurity Framework (CSF) but condensed into a baseline of prioritized practices.

Incident response and reporting: Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), covered entities will be required to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours once final rules are promulgated. CISA's rulemaking process for CIRCIA was ongoing as of the statute's passage, with proposed rules subject to public comment before enforcement begins.

Vulnerability disclosure coordination: CISA coordinates multi-party vulnerability disclosure for vulnerabilities affecting widely deployed federal and critical infrastructure systems, working with researchers and vendors through its coordinated vulnerability disclosure policy framework.

The Digital Security Authority's directory purpose and scope page explains how organizations can locate specialized service providers aligned to CISA's sector classifications and guidance categories.


Decision boundaries

Understanding where CISA's authority begins and ends is operationally essential. Three primary distinctions define CISA's boundaries relative to other federal bodies:

CISA vs. NSA/CYBERCOM: The National Security Agency (NSA) and U.S. Cyber Command hold jurisdiction over national security systems (NSS), classified networks, and offensive cyber operations. CISA's mandate is explicitly limited to civilian federal systems and critical infrastructure coordination. The National Security Systems Policy (CNSSP-22) governs NSS separately from the FISMA/CISA framework. Organizations operating NSS or defense contractor systems are subject to DFARS 252.204-7012 and NSA guidance, not CISA BODs.

CISA vs. FTC/HHS enforcement: CISA does not hold enforcement authority over private-sector entities for most cybersecurity failures. The Federal Trade Commission enforces the Safeguards Rule (16 CFR Part 314) for financial institutions, and the Department of Health and Human Services enforces the HIPAA Security Rule (45 CFR Part 164) for covered entities and business associates. CIRCIA will add a CISA reporting obligation for covered critical infrastructure entities, but penalty authority for underlying security failures remains with sector regulators.

Voluntary vs. mandatory engagement: The distinction between CISA's mandatory directives (applicable to federal civilian agencies) and its voluntary resources (applicable to private-sector entities) is structural, not advisory. A private hospital that declines CISA's Cyber Hygiene scanning service faces no CISA-imposed penalty — though it may face consequences under HHS enforcement if its security posture is found deficient in a breach investigation.

For organizations evaluating which federal resources apply to their specific sector, the "How to use this digital security resource" page outlines how to navigate sector-specific guidance channels alongside CISA's cross-sector materials.

