CISA Resources and Guidance for US Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) functions as the primary federal civilian authority for cybersecurity guidance, threat intelligence, and operational assistance directed at US public and private sector organizations. CISA's resource portfolio spans free diagnostic tools, binding operational directives, sector-specific advisories, and incident response coordination. Understanding how these resources are structured — and which apply to specific organizational contexts — is foundational for compliance planning, infrastructure protection, and incident preparedness across all 16 critical infrastructure sectors recognized by the federal government.

Definition and scope

CISA was established by the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278), which reorganized the former National Protection and Programs Directorate (NPPD) within the Department of Homeland Security into a standalone operational agency. CISA's statutory mandate covers three interlocking domains: cybersecurity, infrastructure security, and emergency communications resilience.

Within the cybersecurity domain specifically, CISA produces guidance targeting four distinct audience categories:

  1. Federal civilian executive branch (FCEB) agencies — subject to binding directives under CISA's authority, including Emergency Directives (EDs) and Binding Operational Directives (BODs).
  2. State, local, tribal, and territorial (SLTT) governments — eligible for no-cost assessments, grant-funded programs, and tailored threat briefings.
  3. Critical infrastructure owners and operators — receive sector-specific advisories coordinated with the Sector Risk Management Agency (SRMA) responsible for each of the 16 critical infrastructure sectors. The sectors were defined in Presidential Policy Directive 21 (PPD-21) in 2013 and carried forward by National Security Memorandum 22 (NSM-22) in 2024; the SRMA role (formerly "Sector-Specific Agency") was created by the FY2021 National Defense Authorization Act, and a single department may serve as SRMA for several sectors.
  4. Private sector organizations broadly — access voluntary resources including the Known Exploited Vulnerabilities (KEV) catalog, free scanning services, and published playbooks.

CISA guidance carries no direct legal enforcement authority over private entities. Binding directives reach only FCEB agencies, and a private operator becomes legally obligated only through sector-specific federal regulation (for example, Transportation Security Administration security directives for pipeline operators). Voluntary adoption governs the majority of CISA's resource library for non-federal users. Organizations seeking a broader orientation to how this directory categorizes cyber service providers and resources can review the Cyber Safety Listings for additional context.

How it works

CISA operates through a tiered dissemination model that separates mandatory obligations from recommended practices.

Binding Operational Directives apply exclusively to FCEB agencies. BOD 22-01, issued in November 2021, requires FCEB agencies to remediate every vulnerability listed in the KEV catalog by the due date recorded in that catalog entry; the directive's default windows were six months for CVEs assigned before 2021 and two weeks for CVEs assigned in 2021 or later, and CISA sets an explicit due date on each entry it adds. Every KEV entry is, by definition, a CVE record with reliable evidence of active exploitation and a clear remediation action; the catalog has grown to more than 1,100 entries since its creation and is published as CSV and JSON feeds so it can be ingested by vulnerability-management tooling rather than read by hand. The CVE identifiers themselves come from the CVE Program operated by MITRE.
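The practical use of the KEV feed is to join it against an internal scan result and rank findings by the catalog's due dates. The script below is an added example, not CISA's own tooling: the top-level and per-entry field names (`cveID`, `dateAdded`, `dueDate`, `requiredAction`, `knownRansomwareCampaignUse`, `count`) follow the JSON feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the two catalog entries, the CVE IDs, the asset names and the scanner findings are constructed placeholders, and the "today" date is fixed so the result is reproducible. It normalizes CVE IDs (scanners vary in case), drops duplicate findings, checks the feed's own `count` field against what was parsed to catch a truncated download, and orders output so overdue and ransomware-linked items come first.

```python
"""Triage scanner findings against the CISA KEV catalog (added example, not CISA code)."""
import json
from datetime import date

# CONSTRUCTED sample of the KEV feed. Field names follow CISA's published JSON
# schema; the CVE IDs, vendor, product and dates are placeholders, not real entries.
KEV_SAMPLE_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2025.02.15",
  "dateReleased": "2025-02-15T12:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor",
     "product": "Example Gateway",
     "vulnerabilityName": "Example Gateway Authentication Bypass",
     "dateAdded": "2025-01-10", "shortDescription": "Placeholder entry.",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
     "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor",
     "product": "Example Web Server",
     "vulnerabilityName": "Example Web Server Path Traversal",
     "dateAdded": "2025-01-10", "shortDescription": "Placeholder entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2025-07-10", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# CONSTRUCTED scanner output: (asset, CVE ID exactly as the scanner reported it).
FINDINGS = [
    ("vpn-edge-01", "cve-2099-0001"),   # lower-case ID, as some scanners emit
    ("web-03", "CVE-2099-0002"),
    ("web-03", "CVE-2099-0002"),        # duplicate finding for the same asset
    ("db-07", "CVE-2099-9999"),         # not in KEV: no BOD 22-01 clock applies
]

DEFAULT_TODAY = date(2025, 2, 15)       # fixed so the example is reproducible


def load_kev(text):
    """Parse the KEV feed and index entries by upper-cased CVE ID."""
    catalog = json.loads(text)
    entries = catalog["vulnerabilities"]
    # The feed's own count lets us detect a truncated or partial download.
    if catalog["count"] != len(entries):
        raise ValueError("KEV count field does not match parsed entries")
    kev = {}
    for entry in entries:
        kev[entry["cveID"].strip().upper()] = {
            "due": date.fromisoformat(entry["dueDate"]),
            "added": date.fromisoformat(entry["dateAdded"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        }
    return kev


def triage(findings, kev, today):
    """One row per unique (asset, CVE): status 'overdue', 'due' or 'not_in_kev'."""
    rows, seen = [], set()
    for asset, raw_cve in findings:
        cve = raw_cve.strip().upper()
        if (asset, cve) in seen:
            continue
        seen.add((asset, cve))
        entry = kev.get(cve)
        if entry is None:
            rows.append({"asset": asset, "cve": cve, "status": "not_in_kev",
                         "days_left": None, "ransomware": False, "action": None})
            continue
        days_left = (entry["due"] - today).days
        rows.append({"asset": asset, "cve": cve,
                     "status": "overdue" if days_left < 0 else "due",
                     "days_left": days_left, "ransomware": entry["ransomware"],
                     "action": entry["action"]})
    # Most urgent first: overdue, then in-window, then non-KEV; within a status,
    # ransomware-linked entries first, then the nearest due date.
    rank = {"overdue": 0, "due": 1, "not_in_kev": 2}
    rows.sort(key=lambda r: (rank[r["status"]], not r["ransomware"],
                             r["days_left"] if r["days_left"] is not None else 10**6))
    return rows


def run_triage(today=DEFAULT_TODAY):
    """Convenience entry point: triage the constructed findings against the sample feed."""
    return triage(FINDINGS, load_kev(KEV_SAMPLE_JSON), today)


if __name__ == "__main__":
    for row in run_triage():
        print(row)
```

To run this against the live catalog, replace `KEV_SAMPLE_JSON` with the downloaded feed text and `FINDINGS` with your scanner's export; the status and day counts then reflect CISA's actual due dates rather than the placeholders.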

Cybersecurity Advisories (CSAs) are published jointly with partner agencies including the FBI, NSA, and international counterparts such as NCSC-UK. These advisories document active threat actor tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework, enabling organizations to align defensive controls with documented adversary behavior.

Free Cybersecurity Services represent a distinct operational channel. CISA administers the Cyber Hygiene Vulnerability Scanning service, which conducts external-facing network scans for enrolled organizations and delivers weekly reports identifying internet-accessible vulnerabilities. Enrollment is open to all organizations and does not require federal affiliation.

Shields Up is CISA's public-facing heightened-alert campaign, launched in February 2022 and invoked during periods of elevated national threat. It consolidates recommended actions into separate guidance tracks for corporate leaders, IT and security staff, and critical infrastructure operators.

CISA's framework references align with NIST Cybersecurity Framework (CSF) 2.0, published in February 2024, which organizes cybersecurity outcomes under six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. Many CISA publications, including the Cybersecurity Performance Goals, are organized by these Functions, allowing organizations to cross-reference CISA guidance with their existing NIST-aligned programs. Professionals navigating the broader structure of this cyber safety reference site can consult the Directory Purpose and Scope page for orientation.

Common scenarios

Three organizational scenarios reflect how CISA resources enter operational use:

Scenario 1 — Post-incident federal notification. Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), covered entities in critical infrastructure sectors will be required to report covered cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and ransom payments within 24 hours of making them. CISA published the proposed rule in April 2024; the final rule will define "covered entity" thresholds and reportable incident categories, and the reporting obligation takes effect only once that rule is in force. Until then, reporting remains voluntary, and CISA's incident reporting portal serves as the submission point.

Scenario 2 — Pre-assessment for SLTT organizations. State and local governments can request a no-cost Cybersecurity Performance Goals (CPG) assessment. The CPGs, first released in October 2022 and revised as version 1.0.1 in March 2023, identify a prioritized subset of practices (37 in the original release) drawn from NIST CSF and other standards, each rated by implementation cost, complexity, and impact. SLTT entities use CPG results to prioritize remediation and document their security posture for federal grant applications, including those under the State and Local Cybersecurity Grant Program authorized by the Infrastructure Investment and Jobs Act of 2021.

Scenario 3 — Vulnerability disclosure coordination. Researchers who find a vulnerability, and organizations that receive a report about their own products or systems, can engage CISA's Coordinated Vulnerability Disclosure process. CISA acts as an intermediary between researchers and affected vendors or asset owners, with particular attention to industrial control system products and systems operated by critical infrastructure entities. FCEB agencies are separately required by BOD 20-01 to publish a vulnerability disclosure policy for their internet-accessible systems.

Decision boundaries

Not all CISA resources apply uniformly. The key classification boundary separates mandatory from voluntary instruments:

Resource Type                          | Applies To                                          | Enforcement Mechanism
---------------------------------------|-----------------------------------------------------|------------------------------------------------------------
Binding Operational Directives (BODs)  | FCEB agencies only                                  | DHS/CISA authority under 44 U.S.C. § 3553
Emergency Directives (EDs)             | FCEB agencies only                                  | Same statutory authority
CIRCIA reporting (once rule is final)  | Covered critical infrastructure entities            | Request for information, subpoena, referral to the Attorney General for civil enforcement
Cybersecurity Advisories               | All organizations                                   | Voluntary
KEV Catalog                            | FCEB agencies (mandatory); all others (recommended) | BOD 22-01 for FCEB only
Free Scanning / Hygiene Services       | All organizations                                   | Voluntary enrollment
Cybersecurity Performance Goals        | SLTT, critical infrastructure                       | Voluntary; used as evidence in grant applications

A second boundary separates sector-specific obligations from general guidance. Healthcare organizations, for example, must comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C) and are expected to consider the HHS 405(d) Health Industry Cybersecurity Practices, in addition to any applicable CISA advisories. Financial institutions remain subject to FFIEC examination guidance and SEC cybersecurity disclosure rules independent of CISA guidance. CISA resources supplement but do not replace sector regulator requirements.

Organizations uncertain about which CISA instruments apply to them should map their operations against the 16 critical infrastructure sectors defined in PPD-21 and carried forward by NSM-22, identify their SRMA, and then cross-reference the CIRCIA covered entity definitions once the final rule is published. The How to Use This Cyber Safety Resource page provides additional guidance on navigating the categories used within this reference network.

References

📜 5 regulatory citations referenced  ·  ✅ Citations verified Feb 26, 2026