Canadian Cyber Security Journal
Filed under: Legislation

CISA Launches CI Fortify: What Canadian Critical Infrastructure Operators Need to Know About the New US Resilience Initiative

What Happened

The US Cybersecurity and Infrastructure Security Agency released CI Fortify on May 5, 2026, a new operational resilience initiative directed at critical infrastructure operators across all 16 federally designated critical infrastructure sectors. The initiative shifts from detection-focused security guidance to a mandate for pre-built isolation and recovery capabilities.

The core premise of CI Fortify is straightforward: when a conflict-level cyberattack occurs, third-party dependencies — internet connectivity, telecommunications, vendor support, and cloud services — will become unreliable or unavailable. Operators who have not built the ability to run in isolation before that happens will lose the capacity to deliver essential services at the moment they are most needed. CISA directs operators to assume that threat actors will have some degree of access to operational technology networks during a conflict scenario, and to build recovery plans that work under that assumption.

CISA will support implementation through targeted assessments, exercises, and a pilot phase already underway with critical infrastructure entities in multiple sectors. The agency plans to scale the program across sectors as additional staffing comes online.

Why This Matters for Canadian Organizations

Canada’s critical infrastructure operators face the same strategic threat environment as their US counterparts, and the two countries’ critical infrastructure is deeply interconnected. The electrical grid, natural gas pipelines, financial clearing systems, and cross-border telecommunications networks are integrated enough that a major disruption on one side of the border affects the other. CI Fortify is not a US-only program in practice — it is guidance that Canadian operators in the same sectors should review and apply.

The timing is significant for Canada specifically. The CCCS launched CIREN — the Critical Infrastructure Resilience and Escalated Threat Navigation program — in May 2026, with an explicit mandate to conduct worst-case-scenario exercises with Canadian energy, telecommunications, transportation, and water sector operators. CI Fortify and CIREN share the same underlying logic: build isolation and recovery capability before you need it, not after an attack has already cut off your support infrastructure.

Bill C-26, Canada’s forthcoming Critical Cyber Systems Protection Act, will impose mandatory cybersecurity program requirements on designated critical infrastructure operators in the finance, telecommunications, energy, and transportation sectors. CI Fortify’s isolation and recovery capability framework is directly aligned with what Bill C-26’s forthcoming regulations are likely to require. Canadian operators who engage with CI Fortify now are building toward Bill C-26 compliance ahead of the regulatory deadline.

What to Do

Review the CI Fortify guidance published at CISA.gov and map its isolation and recovery requirements against your current operational continuity plans. Identify which of your critical operational processes depend on third-party connections — internet, vendor remote access, cloud-hosted control systems — and assess what happens to those processes if those connections become unavailable for 72 hours or more. Engage with the CCCS CIREN program if your organization operates in one of its designated sectors: energy, telecommunications, transportation, or water. Treat CI Fortify as a model for what your own resilience exercises should test.

The full CI Fortify announcement is available at CISA. Additional reporting via Cybersecurity Dive.
