CISA Critical Infrastructure Cybersecurity

by Nick Clark | Published April 25, 2026

Executive Order 13800, the Cybersecurity and Infrastructure Security Agency Act of 2018, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the sixteen sector-specific Sector Risk Management Agency frameworks together define the U.S. federal expectation for critical-infrastructure cybersecurity. The expectation is structural: an operator must be able to detect, characterize, and report cross-modality disruptions in a way that survives adversarial conditions and supports cross-sector coordination. The AQ environmental-disruption primitive is the architectural shape that satisfies this expectation; this article maps the regulatory requirement onto that primitive as a freedom-to-operate disclosure.

1. The Regulatory Framework

Executive Order 13800 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, 11 May 2017) directs federal agencies to manage cybersecurity risk using the NIST Cybersecurity Framework, requires sector-specific risk assessments by Sector Risk Management Agencies, and establishes the policy that the resilience of critical infrastructure is a national priority. EO 13800 is the policy umbrella; CISA is the operational vehicle. The Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278) created CISA inside the Department of Homeland Security with statutory authority to coordinate cybersecurity defense across the sixteen critical-infrastructure sectors enumerated in Presidential Policy Directive 21.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA, codified at 6 U.S.C. § 681 et seq.) added the operational teeth. Covered entities — defined by CISA's implementing rulemaking under 6 U.S.C. § 681b — must report substantial cyber incidents within 72 hours and ransom payments within 24 hours. The CIRCIA Notice of Proposed Rulemaking published in April 2024 sets the covered-entity scope across the chemical, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear, transportation, and water and wastewater sectors. Final rule promulgation is expected during 2025–2026, with mandatory reporting effective shortly thereafter.

Enforcement is layered across several authorities. Sector Risk Management Agencies (TSA for transportation and pipelines, EPA for water, DOE for energy, HHS for healthcare, Treasury for financial services, and so on) issue sector-specific directives — for example, the TSA Security Directive Pipeline-2021-02 series and the TSA SD 1580/82-2022 series for surface transportation. CISA issues binding operational directives applicable to federal agencies under 44 U.S.C. § 3553(b)(2), and emergency directives under 44 U.S.C. § 3553(h); although these bind only federal agencies, they shape the coordination expected of covered private-sector operators. The FBI maintains parallel investigative authority for cyber incidents that constitute federal crimes.

2. The Architectural Requirement

Underneath the policy and rulemaking lies a structural requirement: a covered entity must be able to detect a substantial cyber incident, characterize it across the modalities through which it manifests (network, control system, physical sensor, supply chain, peer reports), and produce a credentialed report that downstream consumers (CISA, the Sector Risk Management Agency, the FBI, peer operators) can admit and act on. The detection cannot rely on any single modality because a sophisticated adversary will obscure the modality the defender prefers. The characterization cannot be heuristic because CIRCIA requires a defensible determination of whether the threshold for "substantial" has been met. The reporting cannot be unauthenticated because cross-sector coordination depends on the receiver knowing which authority issued the report.

This shape is cross-modality sensing with governed active probing and authority-credentialed reporting. It is not a SIEM, not an IDS, not a SOAR playbook in isolation. It is the structural property that observations from heterogeneous sensors are admitted under a credentialed authority taxonomy, weighted against their corroboration and credential continuity, evaluated for composite admissibility against the disruption hypothesis, and propagated as credentialed reports that other authorities can chain through their own evaluation. CIRCIA's 72-hour clock and the Sector Risk Management Agencies' incident coordination expectations only make sense if this shape exists.

The structural property also includes governed active probing. A passive monitoring posture cannot disambiguate sophisticated cross-modality disruptions; the defender needs the authority to issue probes (synthetic queries, controlled state perturbations, ground-truth verifications) without those probes themselves becoming attack surface. The probe authority, the probe payload, and the probe response all must enter the credentialed-observation chain. The structure of governed active probing — credentialed authority to probe, credentialed observation of response, lineage-recorded outcome — is what distinguishes a defensible critical-infrastructure posture from a brittle one.

3. Why Procedural and Bolt-On Compliance Fails

The dominant compliance pattern is policy-and-attestation: the operator publishes a cybersecurity policy aligned to the NIST CSF, attests to its implementation, and reports incidents to CISA when counsel determines the threshold has been met. This pattern fails the architectural requirement in three concrete ways. First, the detection layer is composed of separately procured, separately operated tools with no shared authority taxonomy; an alert from the OT historian and an alert from the IT SIEM cannot be jointly evaluated for admissibility because they live in incompatible authority frames.

Second, the characterization step is human. An incident response analyst correlates alerts, decides whether the threshold is met, and triggers the report. At the scale at which CIRCIA-covered entities operate — a regional water utility may have tens of thousands of OT endpoints — the human characterization step becomes the bottleneck and the attack surface. Sophisticated adversaries explicitly target the characterization step by generating high-volume low-quality alerts to mask the substantive incident. A bolt-on compliance posture has no structural defense against this.

Third, cross-sector coordination is unauthenticated. When TSA issues a pipeline directive that depends on energy-sector indicators, or when CISA issues a binding operational directive that propagates information across sectors, the receiving operator has no structural way to admit the directive into its own decision flow as a credentialed input. The current pattern is email plus PDF. The CIRCIA framework explicitly anticipates structural improvement; the policy-and-attestation pattern is structurally incompatible with it.

4. What The Environmental-Disruption Primitive Provides

The AQ environmental-disruption primitive is a cross-medium sensing substrate with governed active probing in which heterogeneous sensors (network, control system, physical, RF spectrum, supply-chain, peer-operator) issue credentialed observations into a shared authority taxonomy. Each observation carries the issuing authority's credential, an observation class within the taxonomy, and a continuity record; the substrate weights observations against their credential class, corroboration density, and trust slope. Composite admissibility evaluation against the disruption hypothesis produces a graduated outcome — confirmed disruption, suspected disruption with active probe required, advisory observation insufficient for action, or rejected as malformed.

Governed active probing is a first-class element. When the composite admissibility output is "suspected disruption with active probe required," the substrate has the credentialed authority to issue a probe — a synthetic query against the suspected affected system, a ground-truth verification request to a peer authority, a controlled state perturbation against a redundant subsystem — and to admit the probe response as a credentialed observation. The probe authority, payload, and response are all recorded in lineage. This converts the human characterization step into a structural one.
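The credentialed-observation chain and graduated admissibility described in the preceding paragraphs, reduced to a runnable Python model. This is an added illustration, not AQ's implementation: the authority taxonomy, weights, thresholds, sequence-based continuity record and HMAC credentials are all constructed for the example, and the "probe-required" outcome is returned for the caller to act on rather than acted on here.

```python
import hmac, hashlib
from dataclasses import dataclass

# Constructed authority taxonomy: authority -> (modality, credential weight, HMAC key).
AUTHORITIES = {
    "ot-historian": ("control-system", 0.6, b"constructed-key-1"),
    "it-siem":      ("network",        0.5, b"constructed-key-2"),
    "peer-utility": ("peer-report",    0.3, b"constructed-key-3"),
}
CONFIRMED, PROBE, ADVISORY, REJECTED = "confirmed", "probe-required", "advisory", "rejected"

@dataclass
class Observation:
    authority: str   # issuing authority within the taxonomy
    obs_class: str   # observation class, e.g. "unexpected-setpoint-change"
    seq: int         # continuity record: must increase per authority
    tag: str         # hex HMAC over the three fields above
def tag_for(authority, obs_class, seq, key):
    return hmac.new(key, f"{authority}|{obs_class}|{seq}".encode(), hashlib.sha256).hexdigest()
def issue(authority, obs_class, seq):  # what a source authority (SIEM, historian) does
    return Observation(authority, obs_class, seq, tag_for(authority, obs_class, seq, AUTHORITIES[authority][2]))
def credential_ok(o):
    auth = AUTHORITIES.get(o.authority)
    return auth is not None and hmac.compare_digest(tag_for(o.authority, o.obs_class, o.seq, auth[2]), o.tag)

def evaluate(observations, last_seq, lineage):
    """Composite admissibility for one batch; last_seq = per-authority continuity state (mutated), lineage = append-only log."""
    score, modalities = 0.0, set()
    for o in observations:
        if not credential_ok(o):               # malformed tag or unknown authority
            lineage.append((REJECTED, o.authority, o.obs_class))
            continue
        modality, weight, _ = AUTHORITIES[o.authority]
        if o.seq <= last_seq.get(o.authority, -1):   # replayed or out-of-order record
            weight *= 0.5                      # trust slope falls; the break is recorded, not hidden
            lineage.append(("continuity-break", o.authority, o.seq))
        last_seq[o.authority] = max(o.seq, last_seq.get(o.authority, -1))
        score += weight
        modalities.add(modality)
        lineage.append(("admitted", o.authority, o.obs_class))
    if not modalities:
        outcome = REJECTED
    elif len(modalities) >= 2 and score >= 1.0:
        outcome = CONFIRMED                    # corroborated across modalities
    elif score >= 0.5:
        outcome = PROBE                        # single-modality signal: probe before reporting
    else:
        outcome = ADVISORY
    lineage.append(("outcome", outcome, round(score, 2)))
    return outcome
```

A forged or replayed record never disappears silently: it is either rejected or admitted at reduced weight, and in both cases the lineage log is what a CIRCIA report would later be reconstructed from.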

Element by element against CISA expectations: the credentialed-observation chain satisfies the NIST CSF Detect function (DE.AE, DE.CM) at a depth that policy attestation cannot reach because the detection is structurally cross-modality. Composite admissibility satisfies the Respond function (RS.AN — analysis) by producing graduated, defensible determinations rather than analyst judgements. The lineage-recorded provenance element satisfies the Recover function (RC.IM — improvements) by making post-incident reconstruction a structural query rather than a forensic reconstruction project.

For CIRCIA reporting specifically, the substrate produces credentialed reports as structural outputs. The 72-hour determination that a substantial cyber incident has occurred is the composite admissibility output crossing the substantial-incident threshold defined in the operator's published authority taxonomy. The report itself is a credentialed observation issued into the cross-mesh reconciliation channel that connects the operator's substrate to CISA's substrate. The 24-hour ransom-payment report is a separate credentialed observation in the same channel. Both are reproducible from lineage.

5. Compliance Mapping

NIST CSF 2.0 Identify (ID.AM, ID.RA) maps to the authority-credentialed observation taxonomy and the operator's published asset and risk schema. Detect (DE.AE — anomalies and events, DE.CM — continuous monitoring) maps to the cross-modality observation chain with composite admissibility. Respond (RS.AN — analysis, RS.CO — communications) maps to the graduated admissibility outcomes and the cross-mesh reconciliation channel for inter-authority reporting. Recover (RC.RP — recovery planning, RC.IM — improvements) maps to lineage-recorded provenance and the recursive closure of remediation observations re-entering the chain.

CIRCIA covered-entity reporting under 6 U.S.C. § 681b maps to the credentialed report element with the substantial-incident threshold encoded as a published admissibility configuration. EO 13800's federal-network cybersecurity posture maps onto the federal-agency instance of the same substrate. TSA pipeline and surface-transportation security directives map onto sector-credentialed authority chains within the substrate. CISA binding operational directives and emergency directives map onto regulator-issued credentialed observations that the operator's substrate admits as authoritative.

Cross-sector coordination — the load-bearing operational property of CISA's mission — maps onto cross-mesh reconciliation between the substrates operated by entities in different sectors. The substrates do not need to merge; they reconcile through credentialed observation exchange under a shared taxonomy. This is the structural answer to the cross-sector problem that the policy-and-attestation pattern cannot solve.

6. Adoption Pathway

Adoption is led by the covered entity because the regulatory obligation lands on the operator. Sector Risk Management Agencies are early structural beneficiaries — once a meaningful number of sector entities operate the substrate, the SRMA can issue credentialed sector directives and receive credentialed sector reports through the same channel, replacing the email-and-PDF coordination layer. CISA itself is the ultimate cross-sector beneficiary because the cross-mesh reconciliation property scales coordination linearly with the number of entities rather than quadratically.

The transition path from current compliance posture is incremental. Existing SIEM, OT historian, vulnerability management, and incident response tools are not displaced; they become the source authorities that issue credentialed observations into the substrate. The substrate progressively absorbs the human characterization step by accumulating composite admissibility configurations that encode the operator's prior incident-response judgements. CIRCIA reporting flips from a human-triggered compliance event to a structural output of the substrate. By the time CIRCIA enforcement reaches operational tempo, the substrate is the audit object the SRMA and CISA examine, and the policy-and-attestation artifacts are documentation of the substrate rather than substitutes for it.
