Plain-English analysis for the people protecting public services.

On May 5, 2026, CISA released CI Fortify, a federal directive built on an explicit assumption that nation-state adversaries are already inside U.S. critical infrastructure. The guidance directs operators to plan for weeks or months of isolated operation. Most coverage has focused on energy and defense. It also matters for your water utility, your dispatch center, and your traffic systems. Here is what it actually says, what it means for your city, and three things to do this quarter.

It is never just the ransom. Verified cost data from Atlanta ($17M), Baltimore ($18.2M), Dallas ($8.5M), Aliquippa, and Columbus ($7M and ongoing) reveals the five cost categories most cities miss when budgeting their cybersecurity response. The ransom is rarely the largest expense. This briefing is the piece a city manager forwards to the council to justify a budget request.

Network segmentation. MFA. EDR. Email authentication. Backup architecture. Vendor remote access. 24/7 monitoring. Incident response playbook. The eight gaps almost every smaller municipality has, why they exist, what failure looks like for each, and a realistic order of operations for closing them.

The State and Local Cybersecurity Grant Program is the largest federal funding source ever created for municipal cyber defense. $1B over four years, with FY2025 the smallest year at $91.75M. Eligibility, how the application actually works, common mistakes, and what cities are funding.

An hour-by-hour playbook for what to do, who to call, and what not to touch when ransomware hits. The first 24 hours determine the next 24 months. Most cities improvise these decisions and pay for the improvisation. This is the operational playbook.

The 2026 cyber insurance market is fundamentally different from three years ago. Premiums up 30 to 100 percent for non-compliant organizations. 82% of denied claims involve missing MFA. The control checklist underwriters now require and how to prepare your next renewal.