CISA unveiled CI Fortify on May 5–6, 2026, a new initiative that goes significantly further than previous critical infrastructure cybersecurity programs: rather than focusing solely on defense and detection, it explicitly requires operators to plan for what happens when defenses fail. The initiative's two core objectives — isolation and recovery — are a direct response to intelligence assessments of Chinese cyber intrusion capability and represent a shift in how the federal government is asking critical infrastructure sectors to think about resilience.
What CI Fortify requires
CI Fortify is built around two operational planning objectives:
| Objective | Definition | Who It Applies To |
|---|---|---|
| Isolation | The ability to disconnect critical systems from third-party dependencies — including IT networks, cloud services, vendor remote access, and internet connectivity — and continue operating in a degraded but functional state | All 16 critical infrastructure sectors; energy, water, and communications prioritized |
| Recovery | The ability to replace or manually operate compromised systems following an adversary cyberattack — including manual fallback procedures, backup control systems, and restoration playbooks | Industrial control system operators; OT-heavy environments |
The China threat context
CI Fortify is explicitly framed around the threat posed by Chinese state-sponsored cyber actors — particularly the Volt Typhoon and Salt Typhoon intrusion campaigns that were publicly disclosed in 2024–2025. Those campaigns demonstrated that Chinese actors had achieved persistent access to U.S. critical infrastructure systems not for immediate disruption, but for pre-positioning: the capability to trigger disruption during a future crisis (the most-cited scenario is a Taiwan contingency). CI Fortify is CISA's answer to the question: what does the power grid do if China triggers its pre-positioned access on day one of a conflict?
The role of vendors and contractors
CISA's CI Fortify announcement explicitly names industrial control system vendors, managed service providers, and security integrators as essential to the initiative's success. The agency is asking these contractors to:
- Help operators assess their current isolation capabilities and document dependencies that cannot be severed cleanly
- Develop and test isolation procedures alongside operators, including identifying which vendor remote access connections are essential versus severable
- Build or update manual fallback procedures for OT environments where automated systems may be compromised
- Provide resilience engineering services that harden the boundary between IT and OT networks
What CISA will do
CISA will conduct targeted assessments of participating operators' resilience measures — essentially, free government-sponsored reviews of whether an operator's isolation and recovery plans are credible. These assessments are voluntary but signal which sectors and operators are prioritized. The assessments also generate findings that, in practice, become statements of work for remediation contracts.
Contract and business development implications
| Service Category | CI Fortify Demand Signal | Procurement Vehicle Likely Used |
|---|---|---|
| OT/ICS security assessment | High — core to CISA assessments | CISA task orders; direct agency SOWs |
| Network segmentation engineering | High — isolation requires IT/OT separation | Agency-specific IT service contracts |
| Manual operations planning | Medium — process consulting, tabletop exercises | Professional services contracts |
| Backup control system hardware | Medium — recovery requires redundant capability | GSA Schedule 70; DHS procurement |
| Resilience training and exercises | Medium — operators need exercise programs | CISA grant-funded; direct contracts |
Firms positioned in OT security, industrial cybersecurity, and operational resilience should submit capability statements to CISA's industry engagement program and monitor DHS procurement forecasts for CI Fortify-associated task orders. The initiative is new, which means solicitations are 90–180 days behind the announcement — now is the time to build relationships with program offices before requirements are written.