What CISA's CI Fortify Guidance Actually Means, and Why It Reads Like a Confession

On May 5, 2026, CISA published guidance telling the operators of America's power, water, and transportation systems to prepare to run cut off from the internet, from their vendors, and from their own corporate networks, for weeks to months at a time. The reason given was a single sentence most of the coverage skipped past: operators should assume that, in a conflict, threat actors will already have access to the systems running the machinery. That is not a warning about a future attack. It is an instruction to assume the attack has already succeeded. This is what CISA's CI Fortify guidance actually says, why the agency can say it with confidence, and why guidance written in that tense reads less like a precaution than a confession.
The Sentence That Should Have Led the News
On May 5, 2026, CISA, the federal agency responsible for defending American infrastructure, launched an initiative called CI Fortify. Most of the coverage treated it as another piece of routine federal cybersecurity guidance. It is not routine, and the reason is one sentence on the agency's own page.
Operators of critical infrastructure should, CISA wrote, “assume that in a conflict scenario third-party connections—such as telecommunications, internet, vendors, service providers, and upstream dependencies—will be unreliable and that threat actors will have some access to the OT network.”
OT means operational technology, the systems that run the physical machinery: the pumps, the breakers, the valves, the switches. Read what the sentence actually says. The agency whose entire mission is to keep adversaries out of these systems is not telling operators that an intrusion might happen. It is telling them to assume an intrusion has already happened, that the enemy already holds a position in the machinery, and to build their plans around that as the starting condition.
That is not a warning. It is closer to a confession. Prevention guidance is written in the future tense: here is how to stop the thing that has not happened yet. CI Fortify is written in a different tense entirely. It is survival guidance for after prevention has failed, and it was written by the agency responsible for prevention. The tense is the tell. When the people whose job is keeping the enemy out start writing instructions for operating while the enemy is in, they are telling you something about how confident they are in the keeping-out.
What the Guidance Actually Asks Operators to Do
CI Fortify organizes around two plain objectives: isolation and recovery.
Isolation is the ability to proactively disconnect operational systems from third-party and business networks, cutting the cords to the internet, to vendors, to the corporate IT environment, in order to keep an attacker from reaching the machinery, while still delivering essential service in that cut-off state. Recovery is the ability to rebuild quickly any systems an adversary does manage to compromise. Acting CISA Director Nick Andersen framed it directly: critical organizations must be able to isolate vital systems, continue operating in that isolated state, and quickly recover any systems an adversary compromises.
The planning horizon is the part that lands hardest. Reporting on the guidance describes operators being told to prepare to sustain essential operations in a communications-degraded environment for an extended period, weeks to months, without the internet, without vendor support, without the upstream dependencies that modern operations assume are always there. A water utility, a power cooperative, a regional transportation system, told to plan for how it keeps running when it is cut off from everything outside its own fence line, because being cut off may be the safer state.
The guidance was modeled on advice the Australian government published in 2025, and CISA frames it as an allied initiative. This is not one agency's idiosyncratic worry. It is a posture the Five Eyes governments are converging on, because they are reading the same intelligence.
CI Fortify is not a warning that an attack might come. It is the federal government telling the country to assume the attack has already succeeded, and to plan for survival from there. Guidance written in that tense is a confession about the state of prevention.
Why CISA Can Say This With Confidence
The guidance does not float free of evidence. CISA states the basis plainly on the same page, and the language is worth quoting because it is the agency's own assessment, not an outside characterization. American critical infrastructure operators, CISA writes, face constant intrusion attempts from nation-state actors who aim for more than espionage, and those adversaries “have successfully pre-positioned across critical infrastructure to disrupt and destroy the operational technology running the United States.”
Read that as the declarative statement it is. Not adversaries who might pre-position. Adversaries who have pre-positioned, successfully, with the aim to disrupt and destroy. The agency is not hedging. It is stating, as established fact, that the enemy is already inside the systems that run the country, which is precisely why it can tell operators to plan on that assumption.
This is the through-line that connects CI Fortify to everything else in the threat landscape of 2026. China's Volt Typhoon campaign is the pre-positioning CISA is describing, confirmed inside US energy, water, and communications systems and assessed by the intelligence community as preparation for disruption rather than spying. The Salt Typhoon campaign is the telecommunications half of the same picture, the reason CISA's guidance specifically names telecom and internet connectivity as things that will be unreliable in a conflict. CI Fortify is not a standalone document. It is the operational conclusion drawn from those confirmed intrusions: if you accept that the adversary is pre-positioned and that they can take down communications, then telling operators to practice running isolated is the only responsible advice left to give.
The Quiet Problem Inside the Guidance
There is a tension in CI Fortify that the security community noticed immediately, and it is worth a board's attention because it generalizes. Isolation requires the ability to cut off remote access. But operators, engineers, and vendors need remote access to run and repair these systems, especially during a crisis. The very connectivity the guidance tells operators to be ready to sever is the connectivity they depend on to operate.
The security firms responding to the guidance put the point sharply: traditional remote access, broad VPNs and network-level trust, undermines isolation by expanding the attack surface, and threats routinely move through trusted connections, third parties, and compromised credentials long before any crisis response begins. Isolation on its own is not enough if the adversary is already inside the trusted perimeter you are isolating. One vendor CEO summarized the gap honestly: CI Fortify gets the doctrine right, but what is missing is the operator-side investment that would make the guidance executable.
That gap, between correct doctrine and the resources to execute it, is the same gap visible everywhere in this story. The guidance is right. Whether the underfunded water utility or the mid-market operator can actually do what it asks is a different question, and the honest answer for most is not yet.
Why This Is Not Just an Infrastructure-Operator Problem
CI Fortify is addressed to critical infrastructure operators. But its core planning assumption, that third parties will be unreliable and the adversary will have some access, is the correct assumption for almost any organization that runs on software it did not write and vendors it cannot fully audit. Which is to say, all of them.
There is also a legal dimension that should get the attention of every board and general counsel, even those far from the power grid. As one legal analysis of the guidance noted, CI Fortify is not binding regulation today, but it establishes a federal baseline that will be difficult to ignore after an incident. In future regulatory examinations, insurance disputes, and litigation, the question will be asked: the federal government told you in 2026 to plan for isolation and to assume compromise, and what did you do about it? A company that ignored a published federal baseline and then suffered the exact event it described is in a materially worse position than one that can show it took the guidance seriously. Voluntary guidance has a way of becoming the standard of care after the fact.
For acquirers, the translation is direct. CI Fortify is, in effect, a free diligence checklist written by the federal government. Can the target sustain operations if its vendors and connectivity go dark? Does it assume compromise, or does it still treat a clean scan as proof of safety? Can it isolate its critical systems, and does it actually know which systems those are? These are exactly the questions a private-equity operating partner should be asking of a portfolio company, and the guidance provides the language to ask them.
The practical posture CI Fortify implies is not exotic. Map the systems that have to keep running. Know which third parties and credentials can reach them. Build remote access that is tightly controlled and fully audited rather than broad and convenient. Segment the network so a compromise in one place cannot move everywhere. And plan, concretely, for how the organization operates when it is cut off from the outside, because the guidance is telling you that being cut off may be the survivable option.
Read This With the Rest
This is one of five connected stories from a single sixty-day window in 2026. The cover analysis, Five Warnings in Sixty Days: The Keys to America's Infrastructure Are Not Being Held, connects all five and links to each of the detailed investigations.
CI Fortify is the right guidance, and the fact that it had to be written is the warning. When the agency responsible for keeping adversaries out of American infrastructure starts publishing instructions for how to operate while they are inside, it has told you, in the plainest institutional language available, where things actually stand. The doctrine is sound. The question CI Fortify leaves on every board's table is whether the organization can actually do what the government is now, in writing, telling it to prepare for, and whether it will start before the incident rather than after.
Cloudskope advises private equity firms, boards, and portfolio-company operators on translating CI Fortify's planning assumption into practice: tightly controlled and audited privileged access, segmentation that survives a compromise, and resilience planning that assumes the adversary already has a foothold rather than waiting for proof.