OneCyberShield Briefing 005 Federal Policy  /  May 7, 2026

CISA's CI Fortify Initiative: A plain-English guide for municipal leaders.

The May 2026 federal guidance is being read in defense and energy. It also matters for your water utility, your dispatch center, and your traffic systems. What it actually says, what it means for your city, and three concrete actions to take this quarter.

On May 5, 2026, the Cybersecurity and Infrastructure Security Agency released a new initiative called CI Fortify. The guidance directs critical infrastructure operators across the United States to prepare for cyberattacks that may sever telecommunications, internet access, and third-party vendor support for weeks or months. The release came less than a week after CISA returned from the longest federal shutdown in U.S. history, having lost roughly 1,000 staff over the prior year.

The timing is not accidental. CI Fortify is not a routine policy update. It is CISA telling Americans, in measured but unmistakable language, that adversaries are already inside the systems that run our electricity, our water, our transportation, and our public services, and that the moment those adversaries decide to act, federal help may not arrive in time.

For city managers, county administrators, water utility directors, and IT directors at the municipal level, this is the most important federal guidance issued in the last two years. Most coverage of CI Fortify has focused on energy operators, defense contractors, and large industrial firms. That coverage is incomplete. Any organization that delivers a service Americans rely on for daily life is in scope. That includes you.

Section 01: What CI Fortify Actually Says

CI Fortify is built on two emergency planning objectives. The first is isolation. Critical infrastructure operators are directed to develop the capability to deliberately disconnect their operational technology from external networks, including the internet, telecommunications providers, vendor remote-access channels, and even their own corporate IT environments, and to continue delivering essential services in that disconnected state for weeks or months. The second is recovery. When isolation alone is not sufficient, operators must be able to rebuild compromised systems quickly, transition to manual operations where possible, and restore service from backups that adversaries cannot reach.

The guidance is built on an explicit assumption that should make every public official sit up: nation-state actors, primarily attributed to the People's Republic of China but including Iranian and Russian groups as well, have already embedded themselves inside U.S. critical infrastructure. The relevant question is no longer whether they will gain access. It is whether the operator can continue serving its customers when those adversaries decide to use the access they already have.

The shift: CI Fortify is the first major federal cybersecurity framework that treats nation-state presence inside U.S. infrastructure as the assumed starting condition rather than a future risk. The strategy is no longer about keeping adversaries out. It is about continuing to operate while they are inside.

CISA Acting Director Nick Andersen put it this way in a press call announcing the initiative: critical infrastructure organizations Americans rely on must be able to continue delivering, at a minimum, crucial services. Operators must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise. CISA has already begun a pilot phase, conducting targeted technical assessments of selected critical infrastructure operators. The agency declined to identify which organizations are in the pilot, but the priority sectors are defense critical infrastructure, including military bases, dams, and satellite communications, and lifeline services, including water, energy, transportation, and public health.

Section 02: Why This Matters for Cities

City managers reading this may be tempted to assume the guidance applies to power companies and energy giants, not to municipal operations. That assumption is wrong. CI Fortify's audience explicitly includes the public health, energy, water, transportation, and defense industrial base sectors. Most of those touch your city directly.

Water and wastewater utilities are perhaps the most exposed. The Aliquippa, Pennsylvania water authority breach in November 2023, attributed to Iranian Revolutionary Guard-affiliated actors using the CyberAv3ngers persona, demonstrated that even small municipal water utilities are reachable through their industrial control systems. The attackers exploited internet-exposed Unitronics programmable logic controllers using default credentials. CI Fortify is, in part, a direct response to incidents like Aliquippa. It is asking every municipal water utility to plan as if Aliquippa happened to them.

Public safety dispatch (911 centers) depends on telecommunications carriers, computer-aided dispatch software, and interconnected radio systems. The CI Fortify guidance assumes those connections may be unreliable or compromised during a crisis. A dispatch center that has never thought through what happens when its CAD vendor goes dark, when its primary fiber route is severed, or when its mobile data terminals lose backhaul, is not aligned with the federal expectation.

Traffic control systems, increasingly networked and increasingly remote-managed by vendors, fall squarely in the operational technology category that CI Fortify addresses. Cities that rely on cloud-based signal management or vendor-hosted traffic data are running OT systems with external dependencies that the CI Fortify framework directs them to plan for losing.

Public health departments, particularly those operating county hospitals or running EMS dispatch, are explicitly named in the guidance. Any city or county whose public health systems handle protected health information, manage outbreak response, or coordinate emergency medical services is in scope.

If your jurisdiction operates any of these systems, you are, by CISA's definition, a critical infrastructure operator. That is not a metaphor. That is a federal designation with real consequences for what you are expected to plan for.

Section 03: Three Things to Do This Quarter

Translating CI Fortify into action at the municipal level can feel daunting. Most cities do not have the budget, the staffing, or the planning bandwidth that an investor-owned utility or a federal contractor has. CISA acknowledges this. The guidance does not expect every operator to be ready for weeks of isolated operation by next month. It expects every operator to begin building toward that capability now.

Three concrete actions city leaders can take this quarter:

Action 01

Map your dependencies.

Write down every external connection your operational technology depends on. Vendor remote-access portals. Cloud-based SCADA management. Telecommunications carriers used for SCADA telemetry. Third-party patch-management services. Cellular modems on water tank sensors. The list is usually longer than people expect. For each connection, write down what would happen to service delivery if it disappeared tomorrow. The exercise alone, before you act on the findings, is more than most municipalities have ever done.

Action 02

Identify your critical customers.

CI Fortify directs operators to identify the specific customers whose service must continue during a crisis. For a city this typically means hospitals, fire stations, emergency operations centers, military installations within the city limits, and lifeline residents who depend on uninterrupted water or power for medical reasons. The point is not to abandon other customers. The point is to be honest about whose service is non-negotiable, so that engineering and operational decisions can be made with that priority explicit.

Action 03

Test your recovery, not just your backups.

Most cities have backups. Far fewer have recovery procedures that have been rehearsed. CI Fortify's recovery pillar is not satisfied by the existence of backups. It is satisfied by the demonstrated ability to use them under pressure, including the ability to transition to manual operations when necessary. If your last full recovery test was the day your backup vendor installed the system, that test is meaningless for CI Fortify purposes.

Section 04: What CI Fortify Does Not Mean

A few corrections to common misreadings of the guidance.

CI Fortify is not a regulation. It does not impose new compliance obligations. It does not create civil liability for operators who do not implement it. CISA does not have the statutory authority to mandate cybersecurity controls on most municipal operators. What CI Fortify creates is an expectation, an audit posture, and a framework that insurers, courts, and Congressional investigators will reference if your city is ever the subject of an incident or hearing. Operators who can document alignment with CI Fortify will be in a substantially better position than those who cannot, even though there is no statutory penalty for misalignment.

CI Fortify is not solely about geopolitical conflict with China. The guidance frames its assumptions in terms of a major conflict scenario, but the capabilities it asks operators to develop, isolation and recovery, are the same capabilities that defend against ransomware, insider threats, supply-chain attacks, and ordinary criminal extortion. Building isolation and recovery for the wartime scenario buys you protection against the everyday scenario. The investment is dual-use.

CI Fortify is not something your IT vendor handles for you. The guidance explicitly addresses managed service providers, integrators, and security vendors, directing them to support operators in building isolation and recovery capabilities. But the operator, meaning your city, retains ownership of the planning, the rehearsal, and the engineering decisions. A vendor cannot align you with CI Fortify by selling you a product. They can only assist you in aligning yourself.

Section 05: How OneCyberShield Aligns

The OneCyberShield product stack was designed before CI Fortify was published, but the alignment is intentional. The federal pullback was visible long before May 5, 2026, and we built our protection layer assuming municipalities would need to defend themselves with limited federal support. Three of our four product pillars map directly to CI Fortify objectives.

Network Defense delivers the IT/OT segmentation and vendor remote-access controls that make isolation possible without breaking everyday operations. The hardest part of isolation in practice is not the technology. It is knowing which connections can be severed without taking down something essential. Our segmentation architecture is designed to make that question answerable in advance.

Immutable Backup and Recovery delivers the air-gapped storage that ransomware cannot reach and that supports the recovery rehearsals CI Fortify requires. Retention is aligned with CJIS, HIPAA, and IRS Pub 1075 requirements that already apply to municipal data, so a single backup architecture covers federal cyber expectations and existing compliance simultaneously.

The Threat Intelligence and SOC Platform provides the visibility your IT team needs to know when isolation is warranted, and the audit-ready logging that documents your alignment with the federal framework if questions are ever asked. Knowing when to disconnect is harder than disconnecting. The platform is designed to make that decision evidence-based rather than improvised.

Section 06: The Bottom Line

CI Fortify is a wake-up call for the public sector. The cities and utilities that respond now, methodically, will be in a defensible posture when adversaries decide to act. The cities that wait until the next major incident to plan are the ones whose names end up in news coverage and oversight hearings.

The federal government has been honest about what is coming. The question for your city is whether the planning will start in your next budget cycle, in your next council session, or only after the headline. The first option is much cheaper than the third.

For more on what the OneCyberShield protection stack covers and how it deploys in a municipal environment, see our Solutions overview or read the companion briefing on what a ransomware attack actually costs a U.S. city.

Dr. James E. Hrubes, Ph.D.

Chief Technology & Infrastructure Security Officer

James leads OneCyberShield's command-and-control operations, the framework connecting every client deployment to a coordinated security posture. His specialty is ensuring seamless communication between technology systems, security operations, and the personnel who run them across municipal infrastructure, public utilities, and critical facilities.
