CISA Resources and Guidance for US Organizations
The Cybersecurity and Infrastructure Security Agency (CISA) serves as the United States federal authority for civilian cybersecurity coordination, critical infrastructure protection, and national resilience policy. This page maps the primary resource categories CISA publishes, explains how those resources are structured for operational use, and identifies the decision points that determine which CISA programs apply to a given organization type or threat scenario. Federal contractors, critical infrastructure operators, state and local governments, and private sector security teams all interact with distinct CISA program areas.
Definition and scope
CISA was established under the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278), which reorganized the former National Protection and Programs Directorate within the Department of Homeland Security into a standalone operational agency. Its statutory mandate covers 16 critical infrastructure sectors, as designated by Presidential Policy Directive 21 (PPD-21), including energy, water systems, healthcare, financial services, transportation, and communications.
CISA's resource portfolio spans four functional domains:
- Vulnerability and threat advisories — Alerts, advisories, and the Known Exploited Vulnerabilities (KEV) Catalog, which lists actively exploited CVEs that federal civilian agencies are required to patch within mandated timeframes under Binding Operational Directive 22-01.
- Frameworks and guidance documents — Sector-specific guides, zero trust maturity models, and cross-sector cybersecurity performance goals.
- Operational services — Vulnerability scanning, incident response coordination, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) partnership.
- Training and exercises — Free courseware, tabletop exercise packages, and the Cybersecurity Advisor program for state and local entities.
The agency's authority over private sector entities is primarily advisory rather than regulatory; its enforcement authority is limited to federal civilian executive branch networks and is exercised through directives such as BOD 22-01. US cybersecurity regulations and compliance frameworks from other bodies — including NIST, the FTC, and sector-specific regulators — operate in parallel with CISA guidance.
How it works
CISA distributes resources through cisa.gov using a tiered publication model that distinguishes between mandatory federal requirements and voluntary sector guidance.
For federal civilian agencies, CISA issues Binding Operational Directives (BODs) and Emergency Directives (EDs) that carry legal weight under 44 U.S.C. § 3553. BOD 23-01, for example, required federal agencies to implement asset discovery and vulnerability enumeration on a 14-day cycle by April 3, 2023 (CISA BOD 23-01).
For critical infrastructure operators and private sector organizations, CISA publishes Cross-Sector Cybersecurity Performance Goals (CPGs), released in October 2022, which define a baseline set of practices applicable across all 16 sectors. The CPGs are voluntary but are increasingly referenced in sector-specific regulatory rulemaking by agencies such as the Transportation Security Administration (TSA) and the Environmental Protection Agency (EPA).
For state, local, tribal, and territorial (SLTT) governments, CISA administers the Cybersecurity State Coordinator program and funds MS-ISAC membership, which provides 24/7 security operations center support, threat intelligence feeds, and incident response coordination. The Security Operations Center functions that SLTT entities access through MS-ISAC mirror private-sector SOC capabilities without requiring independent infrastructure investment.
The CISA Known Exploited Vulnerabilities Catalog directly informs vulnerability management lifecycle programs. Each catalog entry carries a specific remediation deadline, typically 2 weeks for actively exploited vulnerabilities in federal environments, and the catalog as a whole serves as an authoritative prioritization signal for private sector patch management programs.
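The following is an added example, not code from CISA or from the original page, of how a patch management program can consume the catalog as a prioritization signal. It parses a document in the shape of the published KEV JSON feed (the field names `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` follow that feed's schema; the full feed carries additional fields such as `vendorProject`, `product`, `shortDescription` and `requiredAction`), joins it against a local asset inventory, and reports which installed vulnerabilities are overdue or due soon. The catalog entries, CVE identifiers and host names below are constructed placeholders, not real catalog data.

```python
"""KEV-driven patch prioritization (added example; not CISA code).

Joins a KEV-shaped catalog against an asset inventory and ranks findings:
overdue first, then entries with known ransomware use, then nearest due date.
"""
import json
from datetime import date, timedelta

# Constructed sample in the shape of the KEV JSON feed. CVE IDs and values
# are placeholders, not real catalog entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "0000.00.00",
    "dateReleased": "2024-01-15T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleVPN", "dateAdded": "2024-01-01",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-01-15", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "ExampleWebApp", "dateAdded": "2024-01-11",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-01-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "ExampleDB", "dateAdded": "2024-01-15",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-02-05", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: host -> CVEs reported by the local vulnerability scanner.
INVENTORY = {
    "vpn-gw-01": ["CVE-0000-0001"],
    "web-app-03": ["CVE-0000-0002", "CVE-9999-0001"],  # second CVE is not in KEV
    "db-07": ["CVE-0000-0003"],
}


def load_kev(feed_text: str) -> dict:
    """Parse a KEV-shaped JSON document into a {cveID: entry} index."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def expected_due_date(date_added: str, weeks: int = 2) -> date:
    """Federal due date implied by the usual two-week window after dateAdded."""
    return date.fromisoformat(date_added) + timedelta(weeks=weeks)


def prioritize(kev: dict, inventory: dict, today: str) -> list:
    """Return inventory findings that appear in KEV, most urgent first.

    CVEs absent from the catalog are left to the normal patch cycle; KEV
    membership is the prioritization signal, so only catalog hits are ranked.
    """
    today_d = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today_d).days
            if days_left < 0:
                status = "OVERDUE"
            elif days_left <= 7:
                status = "DUE_SOON"
            else:
                status = "SCHEDULED"
            findings.append({
                "host": host,
                "cveID": cve,
                "dueDate": entry["dueDate"],
                "daysRemaining": days_left,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "status": status,
            })
    # Overdue first (days < 0), then known ransomware use, then soonest due date.
    findings.sort(key=lambda f: (f["daysRemaining"] >= 0,
                                 not f["ransomware"],
                                 f["daysRemaining"]))
    return findings


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for f in prioritize(catalog, INVENTORY, "2024-01-20"):
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f'{f["status"]:<9} {f["host"]:<12} {f["cveID"]} due {f["dueDate"]}{flag}')
```

In production the feed would be fetched from cisa.gov and the inventory would come from the scanner's export; the join and ranking logic stay the same. Treating parent-only findings as "not in KEV" is deliberate: the catalog is a prioritization floor, not the whole patch backlog.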
Common scenarios
Scenario 1: Federal contractor seeking BOD compliance alignment
Federal contractors operating systems that process federal data are not directly bound by BODs, but their agency clients reference BOD requirements in contract vehicles and Authority to Operate (ATO) processes under FedRAMP and FISMA. A contractor aligns its patch cadence with KEV catalog timelines and maps controls to NIST SP 800-53 to support ATO documentation. The FedRAMP overview details the authorization framework that intersects with CISA directives for cloud service providers.
Scenario 2: Hospital system responding to a CISA health sector advisory
Healthcare organizations receive sector-specific advisories through the Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) and CISA joint alerts. When CISA and HHS release a joint advisory on ransomware targeting healthcare, the hospital's security team cross-references the MITRE ATT&CK Framework techniques listed in the advisory against its detection rules. CISA's Stop Ransomware resources at stopransomware.gov provide sector-specific playbooks for this scenario.
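The cross-reference step in this scenario can be automated. The block below is an added example, not code from CISA, HHS or the original page: it extracts ATT&CK technique identifiers from an advisory text and compares them against the technique tags on a detection rule set, reporting exact coverage, coverage only at the parent-technique level, and gaps. The advisory excerpt and the rule catalog are constructed for illustration; the technique identifiers are public ATT&CK IDs.

```python
"""ATT&CK coverage check for an advisory (added example; not CISA/HHS code)."""
import re

# ATT&CK technique IDs look like T1566 or, for sub-techniques, T1566.001.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed advisory excerpt, not text from any real advisory.
ADVISORY_EXCERPT = """
Initial access via spearphishing attachments [T1566.001] and links [T1566.002],
and exploitation of public-facing applications [T1190]. Actors run PowerShell
[T1059.001], inhibit system recovery [T1490], then encrypt data [T1486].
"""

# Constructed detection rule catalog: rule name -> ATT&CK technique tags.
DETECTION_RULES = {
    "office-spawns-script-host": ["T1566.001"],
    "generic-phishing-url-click": ["T1566"],        # parent technique only
    "powershell-encoded-command": ["T1059.001"],
    "vssadmin-shadow-delete": ["T1490"],
    "web-shell-write": ["T1505.003"],               # not in this advisory
}


def extract_techniques(text: str) -> list:
    """Return the sorted, de-duplicated technique IDs mentioned in the text."""
    return sorted(set(TECHNIQUE_RE.findall(text)))


def coverage_report(techniques: list, rules: dict) -> dict:
    """Classify each advisory technique against the rule catalog.

    covered:     a rule is tagged with exactly this technique
    parent_only: a sub-technique whose only match is a rule on the parent
    uncovered:   no rule references the technique or its parent
    """
    index = {}
    for rule, tags in rules.items():
        for tag in tags:
            index.setdefault(tag, []).append(rule)

    report = {"covered": {}, "parent_only": {}, "uncovered": []}
    for tech in techniques:
        parent = tech.split(".")[0]
        if tech in index:
            report["covered"][tech] = sorted(index[tech])
        elif "." in tech and parent in index:
            report["parent_only"][tech] = sorted(index[parent])
        else:
            report["uncovered"].append(tech)
    return report


if __name__ == "__main__":
    techs = extract_techniques(ADVISORY_EXCERPT)
    rep = coverage_report(techs, DETECTION_RULES)
    for tech, rules in rep["covered"].items():
        print(f"covered      {tech}: {', '.join(rules)}")
    for tech, rules in rep["parent_only"].items():
        print(f"parent only  {tech}: {', '.join(rules)}")
    for tech in rep["uncovered"]:
        print(f"UNCOVERED    {tech}")
```

The "parent only" bucket is the one worth reviewing by hand: a rule tagged with the parent technique may or may not fire on the specific sub-technique the advisory describes, so it should not be counted as confirmed coverage.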
Scenario 3: State government entity applying for CISA assessment services
State agencies can request free CISA Cyber Hygiene (CyHy) services, which include external attack surface scanning and web application assessments. Enrollment is voluntary and conducted through the CISA Regional office network. Results feed into the state's incident response framework planning.
Decision boundaries
The primary distinction in applying CISA resources is the mandatory vs. voluntary boundary:
| Entity Type | CISA Instrument | Binding? |
|---|---|---|
| Federal civilian executive agency | Binding Operational Directives, Emergency Directives | Yes |
| Federal contractor (non-FCEB) | BOD-aligned contract clauses | Contractually |
| Critical infrastructure operator | CPGs, Sector Risk Management Agency guidance | No |
| SLTT government | MS-ISAC, Cybersecurity State Coordinator | No |
| Private sector (non-CI) | Advisories, free scanning services | No |
A secondary decision boundary involves sector affiliation. Organizations operating in sectors with sector-specific Cybersecurity Performance Goals — such as water utilities subject to EPA cybersecurity requirements or pipeline operators under TSA Security Directives — face a layered structure where CISA guidance intersects with sector regulator mandates. In those cases, the CISA CPG functions as a floor, while the sector regulator's directive may impose additional or more specific controls.
Organizations assessing third-party risk exposure should cross-reference CISA's supply chain risk management guidance alongside their internal third-party vendor risk programs. CISA's ICT Supply Chain Risk Management Task Force, established under PPD-21, publishes sector-specific frameworks that complement ISO/IEC 27036 and NIST SP 800-161.
For organizations building or benchmarking internal security programs, CISA's Cybersecurity Performance Goals align with and reference the NIST Cybersecurity Framework, providing a direct mapping between voluntary federal guidance and the broader cybersecurity frameworks and standards landscape.
References
- Cybersecurity and Infrastructure Security Agency (CISA) — Official Site
- CISA Known Exploited Vulnerabilities Catalog
- CISA Binding Operational Directive 22-01
- CISA Binding Operational Directive 23-01
- CISA Cybersecurity Performance Goals (CPGs)
- CISA Stop Ransomware Resources
- CISA Supply Chain Risk Management
- Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278)
- Presidential Policy Directive 21 (PPD-21)
- 44 U.S.C. § 3553 — Federal Cybersecurity Authority
- NIST SP 800-53 — Security and Privacy Controls for Information Systems
- NIST SP 800-161 — Cybersecurity Supply Chain Risk Management Practices