US cybersecurity policy

CISA Tells Critical Infrastructure to Survive Months Offline. The Resilience Logic Is Sound; the Liability Backdoor Is Not.

CI Fortify's voluntary push for isolation and recovery is a smart paradigm shift — but a depleted CISA and creeping post-incident liability cloud it.

[Infographic: CI Fortify: The Ask vs. CISA's Reality (People of Internet Research, peopleofinternet.com). Panels: "Weeks to months", the isolation planning target; "~1,000 CISA staff departures", roughly a third of the agency; "Since 2019", Volt Typhoon prepositioning by Chinese state actors; "329 new mission-critical hires", approved to rebuild CISA.]

A deliberate shift from prevention to endurance

On May 5, 2026, the Cybersecurity and Infrastructure Security Agency announced CI Fortify, an initiative that asks the operators of America's water systems, transportation networks and defense-critical facilities to do something the security field has long treated as failure: assume the attacker is already inside, and plan to keep essential services running anyway. The guidance rests on two pillars. Isolation is the ability to proactively sever connections to third-party and business networks — vendors, telecoms, the internet — so an intrusion cannot reach operational technology. Recovery is the discipline of documenting systems, keeping current backups, and rehearsing the switch to manual control. The planning target is striking: operators should be able to deliver essential services "for weeks to months" while cut off.

Acting CISA Director Nick Andersen framed this as resilience by design rather than a reaction to any single adversary. But the subtext is unmistakable. CISA has documented, and outlets including The Record have reported, Chinese state campaigns (Volt Typhoon and Salt Typhoon) that have burrowed into U.S. electricity, water and telecommunications networks, in some cases since 2019. CI Fortify is, in effect, a planning posture for the day a geopolitical conflict turns that access into sabotage.

The strongest case for the new posture

It is worth stating plainly why CI Fortify is good policy. A decade of "keep the adversary out" spending has not kept the adversary out. Outside experts and former officials quoted on the initiative argue that evicting deeply embedded actors like Volt Typhoon is unrealistic, and that the honest objective is segmentation and resilience — assume compromise and design to operate through it. That is a mature reframing. A water utility that can run on manual control for a month while it rebuilds is far less attractive to an adversary than one whose service collapses the moment its IT network is touched. Deterrence improves when sabotage stops being decisive.

Crucially, CISA chose guidance over a rule. CI Fortify is voluntary. For a publication that favors proportionate, evidence-based regulation, that is the right instinct. Critical-infrastructure sectors are wildly heterogeneous — a chemical plant, a subway system and a satellite-communications provider share almost no operational logic — and a single prescriptive mandate would have been both unworkable and slow. Offering assessments, exercises and a shared threat model lets operators internalize the goal without Washington dictating the means.

Where proportionality starts to fray

The problems are practical and institutional. Start with feasibility. Isolation presupposes that an operator knows exactly what it is isolating from. Yet practitioners responding to CI Fortify note that many operators cannot even enumerate their third-party dependencies — the prerequisite for any credible disconnection plan. Others warn bluntly that firms will not spend the money to make "unplug and keep running" seamless. Guidance that assumes a level of dependency-mapping the sector has not achieved risks producing binders of paper plans rather than tested capability.
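What the dependency-mapping prerequisite looks like in practice, for both the isolation pillar described above and the feasibility gap just noted: before an operator can write a credible disconnection plan, it needs a list of every connection that leaves the OT enclave, who the peer is, and how much the enclave leans on it. The script below is an added illustration written for this piece, not code from CISA, the article or any operator. It assumes a simplified flow-record format (src,dst,dport,proto,bytes), hypothetical zone address ranges, and constructed sample flows; a real run would ingest NetFlow/IPFIX or firewall connection logs.

```python
"""Inventory the connections an OT enclave would have to sever under an isolation plan.

Added example for this article, not code from CISA, the article, or any operator.
It reads flow records in a simplified CSV shape (src,dst,dport,proto,bytes); the
zone address ranges and the sample records below are constructed for illustration.
A real deployment would feed it NetFlow/IPFIX or firewall connection logs.
"""
import ipaddress
from collections import defaultdict

# Hypothetical zone map. Anything outside these ranges is treated as external:
# vendors, telecom carriers, cloud services, the internet.
ZONES = {
    "ot": [ipaddress.ip_network("10.10.0.0/16")],
    "business": [ipaddress.ip_network("10.20.0.0/16")],
}

# Constructed sample flows, not real telemetry. Text after '#' is ignored.
SAMPLE_FLOWS = """
# src,dst,dport,proto,bytes
10.10.1.5,10.20.3.9,1433,tcp,48000      # historian -> business SQL server
10.10.1.5,10.10.1.9,502,tcp,900         # intra-OT Modbus; not a dependency
10.10.1.7,203.0.113.40,443,tcp,120000   # engineering workstation -> vendor cloud, direct
10.10.1.7,203.0.113.40,443,tcp,30000
10.20.3.9,198.51.100.20,443,tcp,5000    # business host -> SaaS; outside OT scope
10.10.1.12,192.0.2.77,123,udp,760       # OT host -> external NTP
"""


def zone_of(addr: str) -> str:
    """Classify an address as 'ot', 'business' or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "external"


def parse_flows(text: str) -> list[dict]:
    """Parse the simplified flow format, skipping blank lines and comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport, proto, nbytes = (f.strip() for f in line.split(","))
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def dependency_inventory(flows: list[dict]) -> dict:
    """Map each OT host to the non-OT peers it talks to and the bytes exchanged.

    Every entry is a connection the isolation plan must be able to cut, and
    the recovery plan must explain how the host keeps working without it.
    """
    inv: dict = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if zone_of(f["src"]) != "ot":
            continue
        peer_zone = zone_of(f["dst"])
        if peer_zone == "ot":
            continue  # traffic that stays inside the enclave survives isolation
        inv[f["src"]][(f["dst"], f["dport"], f["proto"], peer_zone)] += f["bytes"]
    return {host: dict(peers) for host, peers in inv.items()}


def direct_external_exposures(inventory: dict) -> list[str]:
    """OT hosts reaching external addresses directly, bypassing any business-zone choke point."""
    return sorted(host for host, peers in inventory.items()
                  if any(zone == "external" for (_, _, _, zone) in peers))


def severance_order(inventory: dict) -> list[tuple]:
    """Connections ordered by volume, highest first: the ones most likely to hurt when cut."""
    rows = [(nbytes, host, peer, port, proto, zone)
            for host, peers in inventory.items()
            for (peer, port, proto, zone), nbytes in peers.items()]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    inv = dependency_inventory(parse_flows(SAMPLE_FLOWS))
    for nbytes, host, peer, port, proto, zone in severance_order(inv):
        print(f"{host:12} -> {peer:15} {proto}/{port:<5} {zone:9} {nbytes:>8} bytes")
    print("direct external exposure:", direct_external_exposures(inv))
```

Two outputs matter for the plan. The severance list is the inventory itself: each row is a dependency that needs either a documented manual fallback or a justification for staying connected. The direct-exposure list is the more urgent finding, because an OT host that reaches a vendor or NTP server without passing through a business-zone choke point cannot be isolated by cutting one link; the plan has to name where that connection is actually severed.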

The deeper concern is how "voluntary" guidance hardens into a mandate without ever passing through rulemaking. As the law firm Crowell & Moring observes, CI Fortify "is not binding regulation today, but it establishes a federal baseline that will be difficult to ignore post-incident." Translated: after the next breach, an operator that skipped CISA's recommendations will meet that baseline in regulatory examinations, insurance-coverage disputes and litigation. That is regulation by liability — the substance of a mandate without the discipline of one. There is no notice-and-comment, no published cost-benefit analysis, no congressional authorization defining who must do what and who pays. For genuinely defense-critical systems a firmer standard may be justified; but it should arrive through a process operators can contest, not through the back door of after-the-fact second-guessing.

The credibility gap

Then there is the messenger. CISA is asking operators to invest heavily in resilience at the very moment the agency has shed close to 1,000 employees — roughly a third of its workforce — and is rebuilding after a 75-day Department of Homeland Security shutdown furloughed much of its staff. It has approved 329 "mission-critical" hires and is prioritizing its ten regional offices, which are meant to run the targeted assessments at the heart of CI Fortify. An initiative whose value depends on CISA's capacity to assess, advise and exercise across every critical-infrastructure sector is being launched by an agency that cannot currently staff that promise. Resilience guidance from a depleted regulator invites the question operators will ask first: with what support?

What proportionate execution looks like

CI Fortify deserves to succeed, and the fixes are straightforward. Keep it voluntary and resist the liability-creep that would convert it into a de facto rule by stealth; if defense-critical systems need binding standards, legislate them transparently on a cost-benefit basis. Fund the assessments before scaling the expectations, so the agency can deliver the help it asks operators to act on. Sequence the work — defense-critical infrastructure first, where the national-security case is clearest — rather than gesturing at all sectors at once. And anchor the effort in the existing framework of NSM-22, the 2024 National Security Memorandum on critical-infrastructure resilience, so operators are not navigating yet another disconnected program.

The instinct behind CI Fortify — that resilience, not an impossible perimeter, is the realistic objective — is exactly right. Whether it strengthens American infrastructure or merely shifts blame onto its operators will depend on resources and restraint, not slogans.

Sources & Citations

  1. CyberScoop — CISA CI Fortify isolation guidance
  2. CyberScoop — CISA CI Fortify announcement (May 5, 2026)
  3. CyberScoop — isolation/recovery guidance
  4. The Record — operate during cyberattacks
  5. Federal News Network — prepare for outages
  6. Crowell & Moring — legal analysis