CISA CI Fortify 2026: US Tells Critical Infrastructure to Prepare for Weeks-Long Cyber Blackouts
CISA CI Fortify is the directive that just told US power plants, water utilities, and transportation systems to prepare for something terrifying: weeks to months of operating without internet, cloud services, or telecommunications during a cyberattack. On May 6, 2026, CISA (Cybersecurity and Infrastructure Security Agency) launched CI Fortify, a new initiative that essentially tells critical infrastructure operators to plan for a scenario where everything digital goes dark.
This isn’t a drill. CISA is already conducting targeted assessments of critical infrastructure organizations to evaluate their readiness for prolonged cyber isolation. The implication is stark: the US government believes a nation-state cyberattack capable of severing critical infrastructure from the internet is not a matter of “if” but “when.”
What Is CI Fortify?
CI Fortify is CISA’s new initiative designed to ensure that America’s critical infrastructure can continue operating during a major geopolitical conflict involving large-scale cyberattacks. The program pushes water utilities, power grids, transportation networks, hospitals, and other essential services to develop plans for sustaining operations in a completely degraded digital environment.
The initiative was announced by Acting CISA Director Nick Andersen, who framed it as a direct response to the growing threat from nation-state cyber actors — particularly China’s Volt Typhoon and Salt Typhoon groups, which have been caught pre-positioning inside US critical infrastructure networks.
CI Fortify isn’t just another cybersecurity advisory. It represents a fundamental shift in how the US government thinks about infrastructure protection: from “prevent the attack” to “survive the attack and keep operating.”
The Two Pillars: Isolation and Recovery
CI Fortify is built around two core strategies that critical infrastructure operators must implement:
Isolation means proactively disconnecting operational technology (OT) networks from third-party services, business networks, cloud platforms, and the internet to prevent cyberattacks from spreading to systems that control physical processes. Think of it as pulling the digital drawbridge — cutting off all external connections so that a compromised IT network can’t reach the systems controlling water treatment, power generation, or hospital equipment.
The goal is for critical infrastructure to maintain “safe operations for weeks to months while isolated” from IT networks and third-party tools. That means operators need alternative communication systems, manual controls, and pre-positioned supplies to function without any digital connectivity.
Recovery means having documented procedures, system backups, and manual operation plans ready in case isolation fails and critical components are rendered inoperable. This includes documenting every system, backing up critical configuration files, and practicing the complete replacement of compromised systems or the transition to manual operations.
Together, these pillars represent a worst-case planning framework: assume the internet goes down, assume your cloud services disappear, assume your telecommunications fail — and plan to keep operating anyway.
Why CISA CI Fortify Was Issued Now: The China Threat
CI Fortify’s timing isn’t coincidental. Over the past two years, US intelligence agencies have repeatedly warned about Chinese state-sponsored hacking groups pre-positioning inside critical infrastructure networks. Two groups in particular have driven the urgency:
Volt Typhoon has been detected inside US water utilities, power grids, telecommunications companies, and transportation systems since at least 2023. Unlike traditional cyber espionage groups that steal data, Volt Typhoon’s operations appear designed for disruption — pre-positioning access that could be activated during a conflict to shut down essential services.
Salt Typhoon compromised at least nine major US telecommunications providers in 2024-2025, accessing call records, text messages, and even wiretap systems used by law enforcement. The breach demonstrated that even the communications infrastructure the government relies on during crises could be compromised.
CISA’s assessment is clear: if a geopolitical conflict erupts — particularly over Taiwan — Chinese cyber operators could simultaneously attack power grids, water systems, telecommunications, and transportation across the United States. CI Fortify is designed to ensure that these systems can survive that kind of coordinated assault.
Targeted Assessments Already Underway
CISA isn’t just publishing guidelines. Acting Director Andersen confirmed that the agency has already begun conducting targeted technical assessments of critical infrastructure organizations to evaluate their readiness for CI Fortify’s objectives.
Andersen declined to identify which organizations are being assessed, but the initiative prioritizes sectors that directly impact public health and safety, defense operations, economic continuity, and national security. Water and wastewater systems, energy infrastructure, healthcare facilities, and transportation networks are the most likely initial targets.
The assessments evaluate whether organizations can actually operate their critical systems without internet connectivity, cloud services, or external IT support for extended periods. Many organizations will likely fail — modern infrastructure has become deeply dependent on cloud platforms, SaaS tools, and internet-connected monitoring systems that CI Fortify requires them to function without.
What CI Fortify Means for Infrastructure Operators
For organizations that own or operate critical infrastructure, CI Fortify introduces several concrete requirements:
Network segmentation. OT networks must be architecturally separated from IT networks so that compromising business systems doesn’t automatically give attackers access to industrial controls. Many organizations still run flat networks where a phishing email could eventually lead to control of water treatment processes or power generation equipment.
Manual operation capability. Operators must maintain the ability to run critical processes manually — without automated systems, SCADA, or networked controls. This means training personnel in manual operations, maintaining physical controls, and ensuring that manual procedures are documented and regularly practiced.
Communication independence. Organizations need backup communication systems that don’t rely on the public internet or commercial telecommunications. This could include satellite phones, radio networks, or other independent communication channels that would survive a telecommunications disruption.
Supply chain resilience. Critical spare parts, fuel, chemicals, and other supplies needed for extended autonomous operation must be pre-positioned on-site rather than ordered just-in-time through internet-dependent supply chains.
Regular drills. CI Fortify expects organizations to regularly practice operating in isolation — actually disconnecting from networks and running on manual controls to verify that their plans work in practice, not just on paper.
The Gap Between Planning and Reality
The biggest challenge CI Fortify faces is the enormous gap between what it requires and what most infrastructure operators can actually do. Modern critical infrastructure has spent decades becoming more connected, more automated, and more dependent on cloud services. Reversing that dependency — even temporarily — is an enormous undertaking.
Many water treatment plants, for example, rely on cloud-based SCADA systems for monitoring and control. Their operators may not have been trained in manual procedures because automation has handled those functions for years. The chemical dosing systems, pump controls, and quality monitoring that keep drinking water safe are often controlled through networked systems that CI Fortify would require disconnecting during a crisis.
Similarly, hospital systems depend on electronic health records, networked medical devices, and internet-connected diagnostic equipment. Operating for weeks without these systems would require paper-based procedures that many healthcare facilities haven’t used in over a decade.
The cost of compliance will be significant. Building network segmentation, establishing manual controls, training personnel, pre-positioning supplies, and conducting regular drills all require substantial investment — investment that many cash-strapped utilities and smaller infrastructure operators may struggle to make.
A New Era of Cyber Preparedness
CI Fortify represents a paradigm shift in how the US thinks about cybersecurity for critical infrastructure. Previous CISA initiatives focused on preventing intrusions, detecting threats, and responding to incidents. CI Fortify accepts that prevention may fail and focuses instead on resilience — the ability to continue operating even after a successful attack.
This shift acknowledges an uncomfortable reality: the US cannot guarantee that it can keep nation-state hackers out of critical infrastructure networks. Groups like Volt Typhoon have proven too sophisticated, too persistent, and too deeply embedded for traditional cybersecurity defenses to reliably stop them. CI Fortify’s answer is to ensure that even if attackers get in, the consequences are manageable.
For the cybersecurity industry, CI Fortify creates enormous demand for OT security products, network segmentation solutions, manual operation training, and resilience testing services. Companies that can help critical infrastructure operators meet CI Fortify’s requirements will find a massive and growing market.
For everyday citizens, the message is sobering: the US government is actively preparing for a scenario where cyberattacks knock out basic services for weeks or months. CI Fortify isn’t about preventing inconvenience — it’s about preventing catastrophe. And the fact that CISA felt the need to launch this initiative now tells you everything you need to know about how seriously the government takes the threat.
How CISA CI Fortify Changes Cybersecurity in 2026
The CISA CI Fortify directive represents the most significant shift in US critical infrastructure cybersecurity policy since Executive Order 14028. For the first time, a federal agency is explicitly telling power plants, water treatment facilities, and transportation networks to prepare for extended periods without connectivity during a potential 2026 cyber blackout scenario. CISA’s assessment is based on intelligence suggesting that nation-state actors have pre-positioned destructive malware capable of disrupting internet backbone infrastructure.
The technical requirements of CISA CI Fortify are demanding. Organizations must demonstrate the ability to operate critical systems using only local control mechanisms for a minimum of 21 days. The NIST Cybersecurity Framework provides the baseline, but CI Fortify goes further in demanding offline resilience. The Department of Energy’s CESER division reports that over 40% of US power facilities rely on cloud-based monitoring.
Water utilities face similar challenges under CISA CI Fortify. WaterISAC reported that only 23% of water treatment facilities currently meet CI Fortify requirements. The Government Accountability Office estimates compliance costs of between $8 billion and $15 billion. The North American Electric Reliability Corporation has issued supplementary guidance aligned with CISA CI Fortify for air-gapped backup systems. The urgency of CISA CI Fortify is underscored by recent exploits: the PAN-OS zero-day exploited in the wild, the Dirty Frag Linux kernel root exploit, and the Canvas breach exposing 275 million records all demonstrate that attackers are successfully compromising enterprise and institutional systems at scale. The AI-assisted attacks documented by Mandiant and the cPanel zero-day compromising 44K servers further illustrate the evolving threat landscape.