CISA: Cybersecurity and Infrastructure Security Agency
The Cybersecurity and Infrastructure Security Agency (CISA) is the lead federal agency for protecting United States critical infrastructure and federal civilian networks from cyber and physical threats. Established by statute in 2018, CISA operates within the Department of Homeland Security and maintains coordination authority across 16 critical infrastructure sectors. This reference covers CISA's mandate, operational structure, engagement scenarios, and the boundaries that distinguish its role from other federal cybersecurity bodies.
Definition and scope
CISA was created by the Cybersecurity and Infrastructure Security Agency Act of 2018 (Pub. L. 115-278), which elevated and reorganized the former National Protection and Programs Directorate within the Department of Homeland Security. The legislation gave CISA a statutory foundation and expanded authority to coordinate cybersecurity across both the federal government and the private sector.
The agency's jurisdictional perimeter is defined along two axes: the federal civilian executive branch (FCEB) network environment — commonly identified by the .gov domain space — and the 16 critical infrastructure sectors enumerated in Presidential Policy Directive 21 (PPD-21). Those sectors include energy, water and wastewater, healthcare and public health, transportation, financial services, communications, and 10 additional categories. For a structured view of how sector-specific obligations interact with CISA's authority, the sector-specific cybersecurity requirements reference provides sector-by-sector breakdowns.
CISA's functional scope spans five defined domains:
- Cyber threat intelligence and alerting — publishing advisories, alerts, and known exploited vulnerability (KEV) catalog entries that inform both federal and private-sector defenders.
- Federal network defense — operating the EINSTEIN intrusion detection system and the Continuous Diagnostics and Mitigation (CDM) program across FCEB agencies.
- Critical infrastructure resilience — conducting risk assessments, vulnerability scans, and coordination exercises with sector partners.
- Emergency communications — supporting interoperable public safety and emergency communications systems at the federal, state, and local levels.
- Stakeholder engagement and capacity building — providing free vulnerability scanning, cybersecurity assessments, and training resources to state, local, tribal, territorial (SLTT) governments and private-sector entities.
CISA also administers the Binding Operational Directives (BODs) and Emergency Directives (EDs) that carry mandatory compliance weight for federal agencies. Private-sector entities are not subject to BODs by law but frequently align their practices to them as de facto standards.
How it works
CISA's operational model is organized around its divisions, including the Cybersecurity Division, Infrastructure Security Division, Emergency Communications Division, Integrated Operations Division, Stakeholder Engagement Division, and the National Risk Management Center. Regional presence comes through CISA's ten regional offices, whose staff interface directly with SLTT governments and sector-specific partners.
The Known Exploited Vulnerabilities (KEV) catalog, maintained at cisa.gov/known-exploited-vulnerabilities-catalog and published as a JSON and CSV feed, lists vulnerabilities with assigned CVE IDs for which CISA has reliable evidence of active exploitation in the wild. Under Binding Operational Directive 22-01 (November 2021), FCEB agencies must remediate each KEV entry by the due date recorded in the catalog. The deadlines are not severity-based: the directive's original schedule gave two weeks for CVEs assigned in 2021 or later and six months for older CVEs, and each entry added since carries its own due date (commonly about three weeks after it is added).
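The practical use of the catalog is to join it against your own vulnerability-scan output and sort by the catalog's due dates rather than by CVSS. The script below is an added example, not CISA's code: it reads a feed in the catalog's JSON shape (the field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction` are those of the public feed), implements the original BOD 22-01 schedule as a deadline calculator, and triages a constructed host inventory. The three sample records use real KEV entries, but the record contents and the inventory are constructed for the example; check the live feed before acting on any date.

```python
"""Triage scanner output against a CISA KEV-format feed under BOD 22-01 deadlines.

Added example; not CISA's code. Field names follow the public KEV JSON feed.
The records and inventory below are constructed samples, not a live download.
"""
import calendar
import json
from datetime import date, timedelta

# Constructed sample in the shape of the KEV JSON feed. The CVE IDs are real
# catalog entries; the dates reflect the initial BOD 22-01 schedule (two weeks
# for 2021+ CVEs, six months for older ones) and are illustrative.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: hostname -> CVE IDs found on it.
INVENTORY_SAMPLE = {
    "mail01": ["CVE-2021-26855", "CVE-2021-34473"],  # second CVE is not in the sample feed
    "app07": ["CVE-2021-44228"],
    "desk-lab": ["CVE-2017-11882"],
}


def _as_date(d):
    """Accept either a date or an ISO-8601 string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_months(d, months):
    """Calendar-month addition, clamping the day to the target month's length
    (six months from 2021-11-03 is 2022-05-03, matching the initial catalog)."""
    d = _as_date(d)
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def initial_deadline(cve_id, date_added):
    """BOD 22-01's original schedule: CVEs assigned in 2021 or later get two
    weeks from the date the entry was added; older CVEs get six months."""
    date_added = _as_date(date_added)
    cve_year = int(cve_id.split("-")[1])
    if cve_year >= 2021:
        return date_added + timedelta(days=14)
    return add_months(date_added, 6)


def load_kev(feed_text):
    """Index a KEV-shaped feed by CVE ID, parsing its ISO dates."""
    feed = json.loads(feed_text)
    return {
        v["cveID"]: {
            "vendor": v["vendorProject"],
            "product": v["product"],
            "date_added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
            "action": v["requiredAction"],
        }
        for v in feed["vulnerabilities"]
    }


def triage(inventory, kev, today, warn_days=7):
    """Return findings for KEV-listed CVEs only, ordered overdue first, then
    due-soon, then open, each group sorted by due date. CVEs absent from the
    catalog are skipped: they are prioritized by normal severity, not BOD 22-01."""
    today = _as_date(today)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_left = (entry["due"] - today).days
            if days_left < 0:
                status = "overdue"
            elif days_left <= warn_days:
                status = "due_soon"
            else:
                status = "open"
            findings.append({
                "host": host, "cve": cve, "status": status, "days_left": days_left,
                "due": entry["due"].isoformat(), "product": f'{entry["vendor"]} {entry["product"]}',
                "action": entry["action"],
            })
    order = {"overdue": 0, "due_soon": 1, "open": 2}
    findings.sort(key=lambda f: (order[f["status"]], f["due"], f["host"]))
    return findings


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for f in triage(INVENTORY_SAMPLE, kev, today="2021-12-20"):
        print(f'{f["status"]:9} {f["host"]:9} {f["cve"]:15} due {f["due"]} ({f["days_left"]:+d}d) {f["product"]}')
```

For production use, replace `KEV_SAMPLE` with the feed fetched from the catalog page and `INVENTORY_SAMPLE` with your scanner's export; the `today` parameter is explicit so that nightly runs and retrospective reports produce the same ordering for the same inputs.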
CISA coordinates the Shields Up program, a public campaign that escalates recommended defensive actions during periods of elevated threat. The agency also co-authors joint cybersecurity advisories with the FBI, NSA, and international partners such as the UK's National Cyber Security Centre (NCSC) and the Australian Signals Directorate (ASD).
The agency's threat intelligence sharing infrastructure connects to the Information Sharing and Analysis Centers (ISACs) that operate within individual critical infrastructure sectors, enabling bidirectional exchange of indicators of compromise and threat actor tradecraft.
For a broader view of how CISA fits within the federal agency landscape, the federal cybersecurity agencies reference maps the relationships among CISA, NSA, FBI Cyber Division, and NIST.
Common scenarios
Organizations interact with CISA resources across a defined set of recurring operational contexts:
- Incident response coordination: Following a significant cyber incident affecting critical infrastructure, CISA provides asset response (containment, eradication, and recovery support) through its incident response teams and regional Cybersecurity Advisors (CSAs), while the FBI leads threat response under PPD-41, and CISA coordinates with sector partners. The incident response national protocols reference details the federal coordination structure.
- Ransomware response: CISA operates StopRansomware.gov with the FBI and other federal partners as a single entry point for reporting ransomware incidents and for guidance, including the joint #StopRansomware advisories that profile active ransomware groups and their tradecraft. The ransomware national response reference covers the federal response framework in full.
- Vulnerability disclosure: CISA administers the federal vulnerability disclosure policy under Binding Operational Directive 20-01, which requires all FCEB agencies to maintain a vulnerability disclosure policy and accept reports from external researchers.
- Election infrastructure support: DHS designated election infrastructure as a critical infrastructure subsector (of the Government Facilities sector) in January 2017, before CISA existed; CISA inherited that role and provides security assessments, threat briefings, and tabletop exercises to state and local election officials.
- Supply chain risk management: CISA publishes ICT Supply Chain Risk Management guidance and participates in the ICT SCRM Task Force, a public-private working group addressing hardware, software, and managed service provider risks.
Decision boundaries
CISA's authority and role differ from other federal cybersecurity bodies along several key dimensions:
CISA vs. NIST: NIST produces the Cybersecurity Framework (CSF), Federal Information Processing Standards (FIPS), and Special Publications (SPs). NIST has no enforcement arm: the CSF is voluntary, and where NIST standards bind federal agencies it is because FISMA and OMB policy make them so. CISA's BODs and EDs add operational requirements (what to patch, by when, which services to expose) that agencies must act on, often referencing NIST guidance. The NIST Cybersecurity Framework reference details the CSF structure independently.
CISA vs. NSA: NSA's Cybersecurity Directorate focuses on national security systems (NSS) — classified and defense-related networks. CISA holds primary responsibility for unclassified federal civilian and critical infrastructure networks. The two agencies co-author joint advisories but operate in distinct statutory lanes.
CISA vs. sector regulators: CISA's role is coordinative, not exclusively regulatory. Sector-specific regulators — such as the Federal Energy Regulatory Commission (FERC) for the energy sector, the Office of the Comptroller of the Currency (OCC) for banking, and the Department of Health and Human Services (HHS) under HIPAA for healthcare — hold primary enforcement authority within their domains. CISA supplements these with cross-sector coordination and threat intelligence.
Mandatory vs. voluntary applicability: BODs and EDs are legally binding only on FCEB agencies. Private-sector organizations, including operators of critical infrastructure, engage with CISA guidance on a voluntary basis unless separate sector-specific regulations impose obligations. The US cybersecurity regulatory framework reference documents where mandatory obligations originate.
References
- Cybersecurity and Infrastructure Security Agency Act of 2018, Pub. L. 115-278
- CISA — Official Agency Website
- CISA Binding Operational Directive 22-01 — Known Exploited Vulnerabilities
- CISA Binding Operational Directive 20-01 — Vulnerability Disclosure Policy
- Presidential Policy Directive 21 (PPD-21) — Critical Infrastructure Security and Resilience
- CISA Known Exploited Vulnerabilities Catalog
- NIST Cybersecurity Framework
- StopRansomware.gov — Joint Federal Ransomware Resource
- CISA ICT Supply Chain Risk Management