CISA Resources and Programs for US Organizations
The Cybersecurity and Infrastructure Security Agency (CISA) operates as the primary federal body responsible for protecting US critical infrastructure and coordinating national cybersecurity defense. This page maps the principal programs, tools, and services CISA makes available to public agencies, private sector operators, and critical infrastructure owners. Understanding the scope of CISA's offerings is essential for organizations assessing their obligations and capabilities under the US cybersecurity regulatory framework.
Definition and scope
CISA was established under the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278), elevating the former National Protection and Programs Directorate within the Department of Homeland Security into a standalone operational agency. Its statutory mandate covers three primary domains: cybersecurity risk reduction, physical infrastructure security, and emergency communications resilience.
CISA's jurisdiction extends across 16 critical infrastructure sectors designated by Presidential Policy Directive 21 (PPD-21), ranging from energy and financial services to healthcare and water systems. The agency functions as a coordinator and capability provider rather than an enforcement body — it does not impose penalties but works alongside sector-specific regulators such as FERC, HHS, and CISA-designated Sector Risk Management Agencies (SRMAs). Organizations operating in critical infrastructure protection contexts interact most directly with CISA's sector-specific coordination channels.
Participation in most CISA programs is voluntary for private sector entities. Federal civilian agencies are subject to binding operational directives (BODs) and emergency directives (EDs) issued by CISA under authority granted by the Federal Information Security Modernization Act of 2014 (FISMA, 44 U.S.C. § 3553).
How it works
CISA delivers services through four primary operational channels:
- Assessments and tools — CISA provides no-cost vulnerability scanning, penetration testing, and cybersecurity hygiene assessments to eligible organizations. The Cyber Hygiene (CyHy) service scans internet-accessible assets and delivers weekly vulnerability reports. The Risk and Vulnerability Assessment (RVA) program conducts on-site or remote assessments using a standardized methodology across 10 attack technique categories aligned to the MITRE ATT&CK framework.
- Threat intelligence and information sharing — CISA operates the Automated Indicator Sharing (AIS) program, which distributes machine-readable threat indicators in STIX/TAXII format. The Multi-State Information Sharing and Analysis Center (MS-ISAC), supported by CISA funding, extends this capability to state, local, tribal, and territorial (SLTT) governments. Organizations managing cyber threat intelligence sources integrate AIS feeds alongside sector-specific ISACs.
- Incident response support — CISA maintains a 24/7 Operations Center and deploys Cybersecurity Advisors (CSAs) regionally across all 10 federal regions. When a significant incident occurs, CISA can deploy Hunt and Incident Response Teams (HIRT) at no cost to affected organizations. The Cyber Safety Review Board (CSRB), housed within CISA, conducts post-incident reviews of major events affecting federal or critical infrastructure systems. For organizations building internal capabilities, incident response standards outline the frameworks that govern this discipline.
- Guidance and standards development — CISA publishes binding and advisory guidance documents, including BODs for federal agencies, Known Exploited Vulnerabilities (KEV) catalog entries, and joint advisories co-authored with NSA, FBI, and international partners. The KEV catalog, first published in November 2021, listed over 1,000 vulnerabilities by mid-2023 (CISA KEV Catalog).
Common scenarios
Federal civilian agencies use CISA services primarily through compliance obligations. BOD 22-01 (issued November 2021) requires federal agencies to remediate KEV catalog entries within defined windows — 2 weeks for actively exploited vulnerabilities and 6 months for lower-priority entries (CISA BOD 22-01). Agencies also implement CISA's Continuous Diagnostics and Mitigation (CDM) program, which provides hardware and software asset visibility tools at no cost.
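As an added example (not CISA's code and not part of this page), the following checks a constructed asset inventory against the per-entry due dates the KEV catalog feed publishes, which is how an agency would track its BOD 22-01 remediation clock. Field names follow the public KEV JSON layout; the catalog entries, CVE ids, vendor names, dates and inventory are constructed placeholders.

```python
import json
from datetime import date

# Constructed KEV-style excerpt. Field names follow the public feed's layout
# (cveID, dueDate, requiredAction, knownRansomwareCampaignUse); the CVE ids,
# dates and vendor names are placeholders, not real catalog entries.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-15",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Agent",
     "dateAdded": "2024-03-01", "dueDate": "2024-09-01",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: (asset name, CVE present on it).
# The last CVE is deliberately absent from the catalog.
INVENTORY = [("web-01", "CVE-0000-0001"), ("db-02", "CVE-0000-0002"),
             ("db-02", "CVE-0000-9999")]


def load_kev(text):
    """Index KEV entries by CVE id, parsing dueDate into a date object."""
    catalog = {}
    for entry in json.loads(text)["vulnerabilities"]:
        entry = dict(entry)
        entry["dueDate"] = date.fromisoformat(entry["dueDate"])
        catalog[entry["cveID"]] = entry
    return catalog


def kev_findings(catalog, inventory, today):
    """One finding per inventory CVE listed in the catalog, sorted so overdue
    entries come first, then known ransomware use, then nearest due date."""
    findings = []
    for asset, cve in inventory:
        entry = catalog.get(cve)
        if entry is None:
            continue  # not in KEV: no BOD 22-01 due date applies
        days_left = (entry["dueDate"] - today).days
        findings.append({"asset": asset, "cve": cve, "days_left": days_left,
                         "due": entry["dueDate"].isoformat(), "overdue": days_left < 0,
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                         "action": entry["requiredAction"]})
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["days_left"]))
    return findings


def example_findings():
    """Run the check on the constructed data as of a fixed constructed date."""
    return kev_findings(load_kev(KEV_JSON), INVENTORY, date(2024, 3, 20))


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
```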
State and local governments access CISA services through the MS-ISAC partnership and through State and Local Cybersecurity Grant Program (SLCGP) funding. The Infrastructure Investment and Jobs Act of 2021 authorized $1 billion over 4 years for SLCGP grants administered through CISA (CISA SLCGP). Recipients must develop a Cybersecurity Plan as a condition of funding. Detailed program parameters are covered under cybersecurity grant programs.
Critical infrastructure operators in sectors such as energy, healthcare, and manufacturing engage CISA through sector-specific coordination councils and can request RVAs, physical security assessments, and access to the Industrial Control Systems security program. CISA's ICS-CERT (now integrated into CISA's main operations) publishes advisories for operational technology vulnerabilities distinct from IT system weaknesses. The industrial control systems security landscape maps the technical standards governing OT environments.
Small businesses and nonprofits are not excluded from CISA programs, though the CyHy scanning service prioritizes federal and critical infrastructure targets. CISA's free resources for smaller organizations include the Cyber Essentials toolkit — a six-pillar baseline framework — and the small business cybersecurity resources ecosystem that aggregates CISA and NIST guidance in accessible formats.
Decision boundaries
The key distinction governing how an organization interacts with CISA is its classification as a federal civilian executive branch agency versus a private sector or SLTT entity.
- Federal agencies are subject to mandatory CISA directives under FISMA. Compliance timelines, reporting obligations under CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022), and CDM participation are non-optional.
- Critical infrastructure owners (private sector) operate under voluntary coordination frameworks unless sector-specific regulators impose parallel mandatory requirements. CIRCIA, once finalized through rulemaking, will require covered entities to report substantial incidents within 72 hours and ransomware payments within 24 hours (CISA CIRCIA overview).
- SLTT governments occupy a middle position — SLCGP grant recipients accept mandatory planning conditions but are not subject to federal BODs.
Organizations determining whether CISA's vulnerability disclosure programs or cybersecurity reporting obligations apply to their operations must first establish their sector classification under PPD-21 and their federal vs. non-federal status.
References
- CISA Official Site — Programs and Services
- CISA Known Exploited Vulnerabilities Catalog
- CISA Binding Operational Directive 22-01
- CISA State and Local Cybersecurity Grant Program
- CISA CIRCIA Overview
- Cybersecurity and Infrastructure Security Agency Act of 2018, Public Law 115-278
- Presidential Policy Directive 21 (PPD-21), White House Archives
- FISMA 2014, 44 U.S.C. § 3553
- MS-ISAC, Center for Internet Security
- MITRE ATT&CK Framework