Critical Infrastructure Continuity Requirements: CISA, NERC CIP, and CIRCIA

Published: March 18, 2026 | Publisher: Continuity Hub

Introduction: Critical Infrastructure and National Security

Critical infrastructure organizations—including electric power systems, natural gas pipelines, water utilities, telecommunications networks, transportation systems, and other sectors vital to national security and economic stability—face regulatory requirements designed to ensure resilience, continuity, and rapid recovery from disruptions. These requirements reflect the national security imperative to maintain functioning infrastructure that supports all other economic and social activities.

Critical Infrastructure Continuity Compliance: The adherence to federal regulatory frameworks mandating that organizations operating critical infrastructure develop, test, and maintain business continuity and disaster recovery capabilities ensuring critical infrastructure services remain available during disruptions and can be restored rapidly, with particular emphasis on cyber and physical security, resilience to natural disasters, and coordination with federal agencies and sector partners.

This guide explores the major regulatory frameworks governing critical infrastructure business continuity, including requirements from the Cybersecurity and Infrastructure Security Agency (CISA), the North American Electric Reliability Corporation (NERC), and the Critical Infrastructure Resilience Act (CIRCIA).

Cybersecurity and Infrastructure Security Agency (CISA) Framework

CISA, established within the Department of Homeland Security, serves as the federal focal point for critical infrastructure protection and resilience. CISA issues guidance and establishes requirements for critical infrastructure owners and operators through Sector-Specific Agencies (SSAs).

CISA Authority and Mission

CISA’s authority derives from:

  • Homeland Security Act of 2002 (6 U.S.C. § 101 et seq.)
  • CISA Act of 2018 (6 U.S.C. § 1501 et seq.), establishing CISA as an independent agency
  • Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience
  • Executive Order 13636 on Improving Critical Infrastructure Cybersecurity
  • National Infrastructure Protection Plan (NIPP) 2013 framework

CISA Resilience Guidelines

CISA has issued comprehensive guidance on critical infrastructure resilience through multiple frameworks:

Cybersecurity Framework (CSF)

CISA adopted and regularly updates the NIST Cybersecurity Framework, a voluntary framework for managing cybersecurity risk that includes business continuity considerations:

  • Identify: Understanding critical assets, systems, and dependencies
  • Protect: Implementing safeguards to protect critical systems
  • Detect: Detecting cybersecurity events affecting critical systems
  • Respond: Taking action in response to detected cybersecurity events
  • Recover: Recovering from cybersecurity incidents and restoring services

Infrastructure Resilience Assessment Methodology

  • Asset Identification: Comprehensive inventory of critical assets and interdependencies
  • Vulnerability Assessment: Systematic evaluation of vulnerabilities to cyber, physical, and natural hazards
  • Impact Analysis: Assessment of potential impacts of loss or degradation of critical assets
  • Resilience Strategy: Development of strategies to mitigate identified risks and enhance resilience
  • Testing and Validation: Regular testing of resilience capabilities and recovery procedures

Sector-Specific Guidance

CISA coordinates with Sector-Specific Agencies responsible for different infrastructure sectors:

  • Energy Sector: Department of Energy oversees electric power and oil/natural gas
  • Water Sector: Environmental Protection Agency oversees water and wastewater systems
  • Communications Sector: Federal Communications Commission coordinates with industry
  • Transportation Sector: Department of Transportation oversees rail, aviation, and highway
  • Financial Services Sector: Coordinated with Treasury Department and banking regulators

CISA Coordination and Information Sharing

CISA coordinates critical infrastructure protection and resilience through:

  • Automated Indicator Sharing (AIS): Free sharing of cybersecurity indicators with infrastructure organizations
  • Information Sharing and Analysis Centers (ISACs): Sector-specific information sharing organizations coordinating with CISA
  • Critical Infrastructure Resilience Institute (CIRI): Research center for developing resilience strategies
  • Exercises and Tabletops: Coordinated exercises testing infrastructure resilience and emergency response

NERC Critical Infrastructure Protection (CIP) Standards

The North American Electric Reliability Corporation (NERC) is a self-regulatory organization subject to oversight by the Federal Energy Regulatory Commission (FERC). NERC develops and enforces reliability standards applicable to owners, operators, and users of bulk power systems.

NERC Authority and Jurisdiction

NERC’s authority derives from:

  • Federal Power Act § 215, which authorized FERC to approve reliability standards
  • Order 672 (18 CFR Part 39), which approved NERC as the Electric Reliability Organization (ERO)
  • NERC Rules of Procedure establishing standards development and enforcement procedures
  • Regional Transmission Organizations (RTOs) and Independent System Operators (ISOs) that delegate compliance monitoring

NERC CIP Standards for Business Continuity

NERC has developed comprehensive CIP standards addressing critical infrastructure protection for bulk power systems. Key standards addressing business continuity include:

CIP-007-6: Systems Security Management

  • Backup and Recovery: Requirements for backup and recovery systems protecting against data loss
  • Recovery Plans: Documented procedures for recovering critical systems within specified timeframes
  • Redundant Systems: Requirements for redundant systems supporting critical bulk power system operations
  • Testing Requirements: Annual testing of backup and recovery systems

CIP-009-6: Configuration and Vulnerability Management

  • Configuration Documentation: Comprehensive documentation of critical systems configurations
  • Change Management: Procedures for managing changes to critical system configurations
  • Recovery Documentation: Documentation supporting recovery of critical systems
  • Secure Configuration: Procedures ensuring systems are securely configured

CIP-010-2: Configuration and Vulnerability Management (Physical)

  • Physical Security: Controls protecting critical systems from physical access and sabotage
  • Facility Security: Security measures at facilities housing critical systems
  • Perimeter Protection: Fencing, gates, and access controls around critical facilities
  • Recovery Capability: Physical redundancy supporting rapid recovery from physical damage

CIP-013-1: Supply Chain Risk Management

  • Supply Chain Risk Assessment: Evaluation of supply chain vulnerabilities affecting critical systems
  • Vendor Due Diligence: Assessment of critical vendors’ security and resilience capabilities
  • Contingency Planning: Plans addressing vendor disruptions or security failures
  • Supplier Agreements: Contractual requirements specifying security and resilience expectations

NERC Enforcement and Compliance

NERC enforces CIP standards through:

  • Compliance Audits: Regular audits of regulated entities’ compliance with CIP standards
  • Spot Checks: Unannounced compliance verification activities
  • Violation Assessment: Evaluation of violations and severity levels
  • Penalties: Monetary penalties up to $1 million per day for violations, with enhanced penalties for cyber-critical violations

NERC Standards Development

NERC continuously updates CIP standards to address emerging threats and technological changes. Organizations should:

  • Monitor NERC standards development activities for proposed changes
  • Participate in comment periods on proposed standards
  • Implement new standards within required implementation periods (typically 24 months)
  • Update compliance procedures as standards evolve

Critical Infrastructure Resilience Act (CIRCIA)

The Critical Infrastructure Resilience Act (CIRCIA), enacted in 2024, establishes enhanced resilience requirements for high-risk critical infrastructure sectors and creates new mechanisms for federal coordination and information sharing.

CIRCIA Scope and Applicability

CIRCIA applies to organizations designated as “covered critical infrastructure” based on:

  • Sector designation (energy, water, communications, transportation, financial services, and others)
  • Criticality assessment by federal agencies and sector partners
  • Assessment of potential consequences of service disruption
  • Vulnerability to deliberate attacks, natural disasters, and operational failures

CIRCIA Resilience Requirements

CIRCIA establishes enhanced requirements for covered critical infrastructure:

Resilience Assessments

  • Periodic Assessments: Annual or biennial assessments of critical infrastructure resilience
  • Assessment Scope: Comprehensive evaluation including cyber, physical, and operational resilience
  • Interdependency Analysis: Assessment of dependencies on other infrastructure sectors
  • Recovery Capability Assessment: Evaluation of ability to recover from severe disruptions
  • Stakeholder Engagement: Assessment development should engage relevant federal agencies and partners

Enhanced Reporting Requirements

  • Resilience Plans: Submission of detailed resilience plans to relevant federal agencies
  • Incident Reporting: Reporting of significant disruptions and security incidents to CISA
  • Resilience Metrics: Regular reporting of resilience-related metrics and performance indicators
  • Third-Party Risk Reporting: Reporting of material risks posed by critical vendors and service providers

Information Sharing and Coordination

  • CISA Coordination: Enhanced coordination with CISA on resilience planning and incident response
  • Sector Coordination: Regular information sharing with sector partners through ISACs
  • Federal Agency Coordination: Engagement with relevant federal agencies on resilience and security matters
  • Public-Private Partnership: Participation in public-private partnerships addressing critical infrastructure resilience

Testing and Validation

  • Resilience Testing: Regular testing of critical infrastructure systems and recovery procedures
  • Scenario-Based Testing: Testing using severe but plausible disruption scenarios
  • Coordinated Exercises: Participation in federal exercises testing sector resilience and recovery
  • Results Documentation: Comprehensive documentation of testing results and findings

CIRCIA Enforcement

CIRCIA establishes enforcement mechanisms for critical infrastructure resilience requirements:

  • Federal Authority: CISA and Sector-Specific Agencies have authority to enforce resilience requirements
  • Compliance Assessments: Regular assessments of resilience plan implementation and compliance
  • Remediation Requirements: Identified deficiencies must be remediated within specified timeframes
  • Escalated Enforcement: Failure to remediate deficiencies can result in regulatory escalation and potential operational restrictions

Sector-Specific Continuity Requirements

Beyond overarching frameworks, different critical infrastructure sectors have specific regulatory requirements addressing their unique characteristics and vulnerabilities:

Energy Sector Requirements

  • NERC CIP Standards: Comprehensive standards for bulk power system reliability and security
  • FERC Order 907: Requirements for grid services from demand response, storage, and distributed energy resources
  • Energy Security and Resilience Initiative (ESRI): Department of Energy programs supporting resilience initiatives
  • Oil and Natural Gas Sector: Coordinated security and resilience requirements for oil and natural gas infrastructure

Water Sector Requirements

  • Safe Drinking Water Act: Security and emergency response requirements for drinking water systems
  • Water Infrastructure Finance and Innovation Act (WIFIA): Financing support for resilience projects
  • EPA Guidance: Environmental Protection Agency guidance on water system resilience and emergency preparedness
  • State Requirements: State drinking water and wastewater regulations

Communications Sector Requirements

  • FCC Declaratory Ruling on Cybersecurity: FCC requirements for telecommunications carrier network security
  • Network Redundancy: Requirements for redundant telecommunications networks supporting emergency response
  • Emergency Access: Requirements ensuring emergency services access to communications infrastructure during disruptions
  • Data Protection: Requirements for protecting customer communications and network data

Transportation Sector Requirements

  • Pipeline and Hazardous Materials Safety Administration (PHMSA): Hazardous liquids pipeline safety and security requirements
  • Federal Railroad Administration (FRA): Rail system security and emergency response requirements
  • Federal Aviation Administration (FAA): Airport security and operations continuity requirements
  • Maritime Administration (MARAD): Port security and maritime domain awareness requirements

Financial Services Sector Requirements

  • Banking Regulator Requirements: Federal Reserve, OCC, FDIC business continuity requirements discussed in earlier sections
  • Securities Exchange Requirements: SEC requirements for critical market infrastructure
  • Payment Systems: Requirements for payment system operators ensuring continuity of critical payment services

Critical Infrastructure Dependencies and Interdependencies

Critical infrastructure organizations are increasingly dependent on other infrastructure sectors. Business continuity planning must address interdependencies with:

Power System Dependency

  • Water treatment and distribution systems dependent on electric power
  • Communications systems dependent on backup power during grid outages
  • Transportation systems (rail, subway systems) dependent on electric power
  • Financial services dependent on electric power for data centers and operations

Communications Infrastructure Dependency

  • All critical infrastructure sectors dependent on telecommunications for operational coordination
  • Power systems dependent on SCADA communications
  • Transportation systems dependent on traffic control and operational communications
  • Emergency response dependent on 911 and first responder communications

Supply Chain Interdependencies

  • Dependencies on critical component suppliers
  • Dependencies on specialized maintenance and repair services
  • Dependencies on transportation for fuel and supply delivery
  • Dependencies on financial institutions for operational funding

Continuity Planning Approach

Business continuity plans should address interdependencies through:

  • Comprehensive mapping of critical dependencies on other infrastructure sectors
  • Coordination with dependent infrastructure operators on resilience and recovery
  • Redundancy and backup systems to mitigate critical dependencies
  • Regular engagement with infrastructure partners on resilience issues
  • Scenario-based exercises testing recovery under conditions of dependent infrastructure disruption
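The dependency-mapping and scenario-testing steps above can be made concrete by modelling sector dependencies as a graph and computing which sectors degrade when one is lost. The following is an added example (not code from the original page or from any regulator); the sector names, dependency edges and backup coverage are constructed sample data that follow the page's own examples (water, communications, transportation and finance depending on power; power SCADA depending on communications). The `cascade` function walks the reverse dependency graph breadth-first, treating a documented backup (for example, backup power at a communications site) as breaking the cascade only for the dependency it covers, which is why a sector with backup power can still be degraded through an indirect path.

```python
from collections import defaultdict, deque

# Constructed sample dependency map (hypothetical data for illustration):
# each key depends on every sector in its value set.
DEPENDENCIES = {
    "water": {"power", "communications", "chemical_supply"},
    "communications": {"power"},
    "transportation": {"power", "communications", "fuel_supply"},
    "financial_services": {"power", "communications"},
    "power": {"communications", "fuel_supply"},
    "emergency_response": {"communications", "transportation"},
    "fuel_supply": {"transportation"},
    "chemical_supply": {"transportation"},
}

# Constructed backup coverage: sector -> dependencies it can ride through
# for the planning horizon (e.g. generators covering a loss of grid power).
BACKUPS = {
    "communications": {"power"},
    "water": {"power"},
}


def dependents_of(dependencies):
    """Invert the map so we can ask 'who depends on X?'."""
    rev = defaultdict(set)
    for node, deps in dependencies.items():
        for dep in deps:
            rev[dep].add(node)
    return rev


def cascade(dependencies, failed, backups=None):
    """Return the set of sectors degraded when the sectors in `failed` are lost.

    A dependent whose backup covers the failed dependency is not cascaded
    through that edge, but it can still be reached via another path.
    """
    backups = backups or {}
    rev = dependents_of(dependencies)
    degraded = set(failed)
    queue = deque(failed)
    while queue:
        lost = queue.popleft()
        for dependent in rev[lost]:
            if dependent in degraded:
                continue
            if lost in backups.get(dependent, set()):
                continue  # backup covers this specific dependency
            degraded.add(dependent)
            queue.append(dependent)
    return degraded


def single_points_of_failure(dependencies, backups=None):
    """Rank every sector by how many other sectors its loss would degrade."""
    nodes = set(dependencies) | {d for deps in dependencies.values() for d in deps}
    impact = {n: len(cascade(dependencies, {n}, backups)) - 1 for n in nodes}
    return sorted(impact.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Loss of power, no backups:", sorted(cascade(DEPENDENCIES, {"power"})))
    print("Loss of power, with backups:", sorted(cascade(DEPENDENCIES, {"power"}, BACKUPS)))
    for sector, n in single_points_of_failure(DEPENDENCIES, BACKUPS):
        print(f"{sector:20s} would degrade {n} other sector(s)")
```

Running the script shows the point the planning guidance makes: with the constructed data, a loss of grid power still reaches the water sector despite its backup generators, because the chemical supply it depends on is itself cut off through transportation. The ranking output identifies which sector to prioritise in scenario-based exercises.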

Integration with Business Continuity and Risk Management

Critical infrastructure continuity compliance builds upon fundamental frameworks covered in related guides:

Frequently Asked Questions

FAQ 1: What is the difference between CISA guidance and NERC CIP standards?

CISA guidance is generally voluntary (though sometimes adopted by Sector-Specific Agencies), providing recommended practices for critical infrastructure resilience. NERC CIP standards are mandatory enforceable requirements developed by the Electric Reliability Organization and subject to Federal Energy Regulatory Commission approval. Violations of NERC standards can result in substantial monetary penalties. Other critical infrastructure sectors may have a mix of mandatory requirements (like CISA orders) and voluntary guidance (like general CISA resilience guidance).

FAQ 2: How does CIRCIA change critical infrastructure resilience requirements?

CIRCIA establishes enhanced and more formalized resilience requirements for covered critical infrastructure, including mandatory resilience assessments, enhanced federal reporting requirements, and strengthened coordination mechanisms with CISA. CIRCIA creates enforceable requirements for covered critical infrastructure beyond voluntary compliance with CISA guidance, though specific requirements vary by sector and are still being implemented through regulatory processes.

FAQ 3: What is meant by “critical infrastructure interdependencies” and how should they be addressed in business continuity planning?

Critical infrastructure interdependencies are dependencies of one infrastructure sector on services provided by another sector (e.g., water systems dependent on electric power). Business continuity planning should identify critical dependencies, assess the impact of disruption of dependent infrastructure, develop mitigation strategies including redundancy and backup systems, and coordinate with infrastructure partners on resilience planning. Scenario-based testing should include scenarios involving disruption of dependent infrastructure.

FAQ 4: How frequently should critical infrastructure organizations test their business continuity plans?

NERC CIP standards generally require annual testing of backup and recovery systems at minimum. CISA guidance recommends more frequent testing, typically quarterly or semi-annual for critical systems. CIRCIA and sector-specific requirements may require annual resilience assessments including testing. Most critical infrastructure organizations conduct continuous or frequent component testing plus annual or semi-annual full-scale exercises to ensure comprehensive testing coverage.

FAQ 5: What is the role of Sector-Specific Agencies in critical infrastructure continuity?

Sector-Specific Agencies (such as the Department of Energy for the energy sector, the EPA for the water sector, etc.) develop sector-specific requirements, coordinate with industry on resilience initiatives, and often serve as the regulatory authority for sector-specific requirements. They work with CISA to ensure a coherent federal approach to critical infrastructure resilience, and many conduct resilience assessments and exercises within their sectors.

FAQ 6: How should critical infrastructure organizations address supply chain risk in business continuity planning?

Supply chain risk should be addressed through comprehensive assessment of critical suppliers and vendors, evaluation of their resilience and continuity capabilities, development of contractual requirements specifying resilience expectations, regular auditing of supplier compliance with continuity requirements, and identification of alternative suppliers for critical products and services. Organizations should maintain a strategic inventory of critical materials and establish relationships with backup suppliers to mitigate supply chain disruptions.

