CISA: Cybersecurity and Infrastructure Security Agency

The Cybersecurity and Infrastructure Security Agency (CISA) is the United States federal agency responsible for protecting the nation's critical infrastructure from physical and cyber threats. Operating as a component of the Department of Homeland Security, CISA coordinates defense across 16 federally designated critical infrastructure sectors, ranging from energy and water systems to financial services and healthcare. This page covers CISA's statutory definition, operational structure, threat drivers, classification boundaries, contested tradeoffs, common misconceptions, and a reference matrix of major program areas.


Definition and Scope

CISA was established on November 16, 2018, when President Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278) into law. The legislation elevated and renamed the former National Protection and Programs Directorate (NPPD), a DHS sub-component that had existed since 2007, into a standalone agency with a dedicated director reporting to the Secretary of Homeland Security.

The agency's statutory scope encompasses three intertwined mission areas: cybersecurity defense for federal civilian executive branch (FCEB) networks, physical security and resilience of critical infrastructure, and emergency communications interoperability. CISA does not have law enforcement authority — that distinction separates it from agencies such as the FBI Cyber Division or the Secret Service's cyber units. Its role is coordination, technical assistance, and information sharing, not arrest or prosecution.

The 16 critical infrastructure sectors designated under Presidential Policy Directive 21 (PPD-21) form the operational universe CISA protects. Each sector has at least one Sector Risk Management Agency (SRMA); CISA serves as the SRMA for 9 of those 16 sectors, including chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear reactors.

Readers seeking broader DHS context can review the full DHS component agencies reference, or the agency's dedicated cybersecurity mission overview.


Core Mechanics or Structure

CISA is organized into six primary divisions:

  1. Cybersecurity Division — Operates the Einstein intrusion detection system deployed across FCEB networks, runs the National Cybersecurity and Communications Integration Center (NCCIC), issues binding operational directives (BODs) and emergency directives (EDs) to federal agencies, and maintains the Known Exploited Vulnerabilities (KEV) catalog.

  2. Infrastructure Security Division — Conducts physical security assessments, manages the Chemical Facility Anti-Terrorism Standards (CFATS) program (now under the CFATS authorization framework), and coordinates with state and local partners on site hardening.

  3. Emergency Communications Division — Oversees the National Emergency Communications Plan and the First Responder Network Authority (FirstNet) coordination layer.

  4. Integrated Operations Division — Fuses threat intelligence from the Intelligence Community, FBI, and sector partners into actionable products distributed through the Automated Indicator Sharing (AIS) program.

  5. Stakeholder Engagement Division — Manages relationships with 16 sector coordinating councils and government coordinating councils, the primary public-private partnership structure for each infrastructure sector.

  6. Shared Services Division — Handles administrative, budget, and workforce functions supporting all operational arms.

The CISA Director holds a Senate-confirmed position. The agency operates 10 regional offices mirroring FEMA's regional structure, enabling direct engagement with state and local governments as part of DHS's state and local partnerships framework.

A critical operational mechanism is the Binding Operational Directive. Under 44 U.S.C. § 3553, CISA can issue BODs that legally compel FCEB agencies to take specific remediation steps within defined timeframes. BOD 22-01, issued in November 2021, established the KEV catalog and mandated remediation deadlines for vulnerabilities actively exploited in the wild — a directive affecting hundreds of federal civilian agencies.


Causal Relationships or Drivers

CISA's formation and growing authority trace directly to escalating threat trends that exposed gaps in the pre-2018 coordination model.

The 2015 breach of the Office of Personnel Management (OPM) systems, attributed to Chinese state-affiliated actors, compromised the personnel records of approximately 21.5 million individuals (OPM Congressional Testimony, 2015). That incident demonstrated that the NPPD lacked the legal authority and organizational standing to compel federal agencies to adopt defensive measures or to share breach data in real time.

Ransomware's expansion into critical infrastructure created a second driver. Attacks on Colonial Pipeline in May 2021 caused a 6-day fuel supply disruption affecting the U.S. East Coast, and the JBS Foods attack weeks later disrupted approximately 20% of U.S. beef processing capacity — events that accelerated CISA's legislative mandates under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

CIRCIA, signed March 15, 2022, mandates that covered critical infrastructure entities report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. Rulemaking to implement CIRCIA's reporting requirements remains ongoing within the statutory timeline Congress set.

Nation-state threat actors — primarily China, Russia, Iran, and North Korea, as identified in the annual DHS Threat Assessment — provide the persistent adversarial context that shapes CISA's priority-setting across both cyber and physical mission areas.


Classification Boundaries

CISA's authority has specific edges that define what it is and is not empowered to do:

Within CISA's authority:
- Issuing BODs and Emergency Directives to FCEB agencies
- Operating Einstein and Continuous Diagnostics and Mitigation (CDM) programs on federal networks
- Publishing advisories, alerts, and the KEV catalog
- Conducting voluntary cybersecurity assessments for state, local, tribal, and territorial (SLTT) governments and private sector entities
- Administering the CFATS regulatory program for high-risk chemical facilities

Outside CISA's direct authority:
- Defense Department networks (DOD retains independent authority under USCYBERCOM and NSA/DIRNSA)
- Intelligence Community networks (governed by IC-ITE under DNI)
- Law enforcement cyber operations (FBI, Secret Service)
- Nuclear facilities security regulation (NRC holds independent authority)
- Offensive cyber operations (explicitly outside CISA's mandate)

The dhsauthority.com reference framework positions CISA within the broader DHS organizational structure, distinguishing its coordination role from the enforcement roles of other DHS components. This boundary distinction also prevents CISA from compelling private sector entities to follow its directives — outside CFATS-regulated facilities, engagement with the private sector remains voluntary unless CIRCIA reporting mandates apply.


Tradeoffs and Tensions

Voluntary vs. mandatory framework: CISA's effectiveness with private sector entities depends heavily on voluntary information sharing. The Traffic Light Protocol (TLP) and the Protected Critical Infrastructure Information (PCII) program provide confidentiality assurances to encourage disclosure, but the absence of mandatory reporting for most private entities before CIRCIA left significant visibility gaps. CIRCIA resolves this partially, though penalty structures for non-compliance remain subject to the rulemaking process.

Resource concentration vs. breadth: With a workforce of roughly 3,000 employees (as reported in appropriations documents before 2023 staffing expansions), CISA cannot provide meaningful hands-on assistance to all entities across 16 sectors simultaneously. Triage decisions about which sectors or incidents receive direct CISA engagement create equity tensions, particularly for under-resourced SLTT governments and rural utilities.

Federal coordination vs. agency autonomy: Large FCEB agencies — Treasury, HHS, DOD components — maintain their own substantial cyber programs. BODs create tension between CISA's authority to set baseline requirements and agencies' existing security architectures and procurement cycles. Agencies have contested BOD remediation timelines when operational impacts are high.

Transparency vs. operational security: CISA's advisories and KEV catalog publicly identify active vulnerabilities and threat actor techniques. Publishing that information helps defenders but can also confirm to adversaries which of their exploits have been detected, creating a disclosure timing dilemma that CISA manages case by case in coordination with the Intelligence Community.


Common Misconceptions

Misconception: CISA monitors all U.S. internet traffic.
Correction: CISA's Einstein and CDM programs operate only on FCEB networks — the .gov civilian infrastructure. Private sector networks, DOD networks, and state government systems are outside Einstein's monitoring scope unless specific agreements exist.

Misconception: CISA can force private companies to fix vulnerabilities.
Correction: Outside CFATS-regulated chemical facilities, CISA has no general regulatory authority over private sector cybersecurity practices. Its engagement with private entities is advisory and voluntary, with the narrow exception of CIRCIA incident-reporting mandates for covered entities.

Misconception: CISA replaced or absorbed the FBI's cyber role.
Correction: The FBI retains exclusive authority to investigate federal cyber crimes and attribute attacks for law enforcement purposes. CISA and the FBI coordinate — as documented in joint advisories — but they occupy distinct statutory lanes.

Misconception: The KEV catalog lists all known vulnerabilities.
Correction: The KEV catalog lists only vulnerabilities with evidence of active exploitation in the wild. The National Vulnerability Database (NVD), maintained by NIST, catalogues all publicly known CVEs. As of 2024, the KEV catalog contained over 1,100 entries against an NVD inventory exceeding 200,000 CVEs.

Misconception: CISA is a post-pandemic creation.
Correction: CISA was established in November 2018, predating COVID-19. The pandemic accelerated certain program areas, particularly election security and remote work guidance, but did not create the agency.


Checklist or Steps

How a Federal Civilian Agency Navigates a CISA Binding Operational Directive

The following sequence reflects the standard operational process documented in CISA's BOD guidance framework:

  1. CISA publishes the BOD on its public website, specifying the vulnerability class, affected products, and remediation deadline.
  2. The agency's CISO reviews the directive and inventories all systems within scope using CDM dashboard data.
  3. The CISO determines whether affected systems have vendor patches available; if patches are unavailable, the BOD typically specifies accepted mitigations.
  4. The agency submits an initial response to CISA's Stakeholder Engagement Division confirming receipt and identifying any deadline extension requests.
  5. Patch or mitigation deployment is executed according to the agency's change management process.
  6. Completion status is reported through the CDM dashboard, providing CISA automated visibility into remediation rates across FCEB agencies.
  7. If the deadline is missed, CISA escalates to the agency's CIO and, if unresolved, to the Office of Management and Budget (OMB), which holds budget authority over agency IT spending.
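Steps 2, 3 and 6 above amount to a recurring triage: cross-reference the agency's system inventory against the KEV catalog, separate what is already remediated from what is still open, and rank the remainder by BOD due date. The script below is an added example, not CISA's or any agency's code. It assumes the layout of CISA's public KEV JSON feed (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dueDate, requiredAction and knownRansomwareCampaignUse); the feed excerpt, the CVE numbers, the hosts and the inventory schema are all constructed placeholders, since the KEV feed lists products but not versions, a real run still depends on the inventory's own patch-status data.

```python
"""Triage an agency asset inventory against a KEV catalog feed excerpt.

Added example, not CISA's code. Field names follow the public KEV JSON
feed; every value below (CVE ids, products, hosts, dates) is constructed.
"""
import json
from datetime import date

# Constructed KEV feed excerpt. The CVE ids are placeholders, not real entries.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
     "dateAdded": "2024-03-10", "dueDate": "2024-03-31",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Office Suite",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset inventory in a hypothetical schema, standing in for an
# export from a CDM dashboard or CMDB. "patched_cves" is the agency's own record.
INVENTORY = [
    {"host": "gw-01.example.gov", "vendor": "ExampleVendor", "product": "Edge Gateway", "patched_cves": []},
    {"host": "gw-02.example.gov", "vendor": "ExampleVendor", "product": "Edge Gateway", "patched_cves": ["CVE-0000-0001"]},
    {"host": "mail-01.example.gov", "vendor": "ExampleVendor", "product": "Mail Server", "patched_cves": []},
    {"host": "db-01.example.gov", "vendor": "ThirdVendor", "product": "Database", "patched_cves": []},
]


def load_kev(feed_json):
    """Parse the feed and index entries by (vendorProject, product), case-folded."""
    index = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].casefold(), entry["product"].casefold())
        index.setdefault(key, []).append(entry)
    return index


def triage(inventory, kev_index, today):
    """Return open KEV items per host; days_remaining < 0 means past the BOD due date."""
    findings = []
    for asset in inventory:
        key = (asset["vendor"].casefold(), asset["product"].casefold())
        for entry in kev_index.get(key, []):
            if entry["cveID"] in asset["patched_cves"]:
                continue  # already remediated per the agency's own record
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_remaining": (due - today).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "action": entry["requiredAction"],
            })
    # Overdue first, then nearest deadline; ransomware-linked items first on ties.
    findings.sort(key=lambda f: (f["days_remaining"], not f["ransomware"]))
    return findings


def overdue_hosts(findings):
    """Hosts with at least one KEV item past its due date (escalation candidates)."""
    return sorted({f["host"] for f in findings if f["days_remaining"] < 0})


def run_triage(today_iso="2024-03-25"):
    """Triage the constructed inventory against the constructed feed on a given date."""
    return triage(INVENTORY, load_kev(KEV_FEED_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    report = run_triage()
    for f in report:
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f'{f["host"]:22} {f["cve"]} due {f["due"]} ({f["days_remaining"]:+d} days){flag}')
    print("overdue hosts:", overdue_hosts(report))
```

On the constructed data, gw-02 drops out because its patch record already covers the gateway CVE, db-01 has no catalog match at all, and gw-01 surfaces first as three days overdue on a ransomware-linked entry, which is exactly the item step 7's escalation path would pick up. The case-folded vendor/product key is deliberate: inventory exports and the catalog rarely spell names identically, and a silent non-match is the most common way a script like this under-reports.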

Reference Table or Matrix

CISA Major Program Areas: Scope, Authority, and Target Audience

Program                                              | Statutory Basis                            | Authority Type                             | Primary Audience
-----------------------------------------------------|--------------------------------------------|--------------------------------------------|----------------------------------
Binding Operational Directives (BODs)                | 44 U.S.C. § 3553                           | Mandatory                                  | FCEB agencies
Known Exploited Vulnerabilities (KEV) Catalog        | BOD 22-01                                  | Mandatory (FCEB) / Advisory (others)       | FCEB agencies; private sector
Continuous Diagnostics and Mitigation (CDM)          | FY2013 DHS Appropriations Act              | Voluntary enrollment; mandatory reporting  | FCEB agencies
Einstein / NCPS                                      | Homeland Security Act § 230                | Operational deployment on FCEB networks    | FCEB agencies
CFATS                                                | 6 U.S.C. § 621 et seq.                     | Regulatory / mandatory                     | High-risk chemical facilities
Automated Indicator Sharing (AIS)                    | Cybersecurity Information Sharing Act 2015 | Voluntary                                  | Private sector, SLTT, federal
CIRCIA Incident Reporting                            | P.L. 117-103, Div. Y                       | Mandatory (covered entities)               | Critical infrastructure operators
Cyber Hygiene Scanning                               | CISA administrative authority              | Voluntary                                  | SLTT governments, private sector
Protected Critical Infrastructure Information (PCII) | 6 U.S.C. § 671                             | Voluntary submission with legal protection | Private sector, SLTT
Election Security Assistance                         | Help America Vote Act + DHS authorities    | Voluntary                                  | State election officials
