CISA Launches “CI Fortify” Initiative to Enable Critical Infrastructure to Operate Offline During Cyberattacks
What Happened — The Cybersecurity and Infrastructure Security Agency (CISA) released a new guidance package, CI Fortify, urging operators of critical infrastructure to build isolation and recovery capabilities so they can continue delivering services when network, telecom, or internet connectivity is disrupted by a cyber‑attack. The program calls for proactive disconnection from third‑party dependencies, rapid restoration of compromised systems, and targeted assessments tailored to each sector.
Why It Matters for TPRM —
- Highlights the risk that third‑party network and cloud services can become single points of failure during an attack.
- Signals a shift toward “air‑gapped” continuity planning, requiring vendors to demonstrate robust offline capabilities.
- Provides a benchmark for evaluating the resilience of your supply‑chain partners against nation‑state and ransomware disruptions.
Who Is Affected — Energy & utilities, telecommunications, transportation & logistics, healthcare OT, financial market infrastructure, and any organization classified as critical infrastructure under U.S. policy.
Recommended Actions —
- Review contracts for clauses requiring offline or “manual‑mode” operation capabilities.
- Validate that vendors have documented isolation, segmentation, and rapid‑recovery procedures.
- Incorporate CI Fortify check‑lists into your third‑party risk assessments and business‑continuity plans.
Technical Notes — CI Fortify emphasizes network segmentation, air‑gap strategies, and the ability to restore OT systems without reliance on external telecom or cloud services. The guidance references the Volt Typhoon nation‑state campaign as a driver for the initiative, but CISA frames the effort as a generic resilience measure rather than a response to a specific actor. Source: The Record