Cybersecurity for Critical Infrastructure Sectors in the US

Federal designation of critical infrastructure creates a distinct regulatory and operational tier within the broader US cybersecurity landscape. Sixteen sectors — from energy and water systems to financial services and healthcare — face specific federal oversight, sector-specific frameworks, and mandatory or voluntary security standards enforced through a network of agencies and sector risk management authorities (SRMAs). This page maps that sector structure, the regulatory bodies that govern it, the operational mechanisms for protection, and the decision thresholds that differentiate compliance obligations across sectors. Professionals navigating this landscape through resources such as the Smart Security Listings will encounter sector-specific licensing expectations and service provider qualifications rooted in these frameworks.


Definition and scope

Critical infrastructure cybersecurity in the US is organized under the authority established by Presidential Policy Directive 21 (PPD-21), which designates 16 critical infrastructure sectors and assigns each a federal Sector Risk Management Authority. The Cybersecurity and Infrastructure Security Agency (CISA) holds cross-sector coordination authority under the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278).

The 16 designated sectors are:

  1. Chemical
  2. Commercial Facilities
  3. Communications
  4. Critical Manufacturing
  5. Dams
  6. Defense Industrial Base
  7. Emergency Services
  8. Energy
  9. Financial Services
  10. Food and Agriculture
  11. Government Facilities
  12. Healthcare and Public Health
  13. Information Technology
  14. Nuclear Reactors, Materials, and Waste
  15. Transportation Systems
  16. Water and Wastewater Systems

Each sector operates under a distinct SRMA — the Department of Energy for the Energy sector, the Department of Health and Human Services for Healthcare and Public Health, the Department of the Treasury for Financial Services, and so forth. The SRMA relationship determines which agency issues sector-specific guidance, coordinates incident response, and interfaces with CISA on cross-sector dependencies.

Mandatory cybersecurity requirements are not uniform across all 16 sectors. The Energy sector, for example, operates under binding NERC Critical Infrastructure Protection (CIP) standards enforced by the North American Electric Reliability Corporation. Healthcare entities covered by HIPAA face enforceable Security Rule requirements administered by the HHS Office for Civil Rights. By contrast, the Water and Wastewater sector relies primarily on voluntary frameworks and CISA guidance, though the America's Water Infrastructure Act of 2018 introduced mandatory risk and resilience assessments for water systems serving populations above 3,300.


How it works

Critical infrastructure protection operates through a layered structure combining federal mandates, sector-specific technical standards, and voluntary adoption of the NIST Cybersecurity Framework (CSF). CISA's role is primarily coordinative — it does not regulate most private-sector owners directly but provides threat intelligence, vulnerability scanning (through its free Cyber Hygiene service), and incident response coordination.

The operational cycle follows five phases aligned to the NIST CSF's five functions:

  1. Identify — Asset inventory, risk assessment, and supply chain mapping. For regulated sectors, this phase produces documented outputs that satisfy SRMA audit requirements (e.g., NERC CIP-002 asset categorization).
  2. Protect — Implementation of access controls, patch management, network segmentation, and encryption. NIST SP 800-82 provides sector-specific guidance for industrial control systems (ICS) and operational technology (OT) environments.
  3. Detect — Continuous monitoring, intrusion detection, and anomaly identification. The CISA Continuous Diagnostics and Mitigation (CDM) Program supports federal agencies; private-sector equivalents vary by sector.
  4. Respond — Incident response planning and execution. Mandatory reporting timelines apply in certain sectors: the TSA cybersecurity directives for pipeline and rail operators require reporting to CISA within 24 hours of a significant cyber incident.
  5. Recover — Restoration of systems and services, post-incident review, and framework updates.

Operational technology (OT) and industrial control systems (ICS) require a security architecture distinct from that of traditional IT environments. OT systems prioritize availability and physical safety over confidentiality, which inverts the standard CIA triad priority order and requires differentiated controls — a contrast central to sector-specific resources such as ICS-CERT advisories and NIST SP 800-82.


Common scenarios

Energy sector — NERC CIP compliance: Bulk electric system operators must classify assets under NERC CIP-002, then apply controls scaled to impact level (High, Medium, Low). High-impact assets face requirements across 13 CIP standards covering electronic security perimeters, physical security, configuration management, and incident reporting.

Healthcare — HIPAA Security Rule audit: A hospital system subject to 45 CFR Part 164 must conduct an enterprise-wide risk analysis, implement technical safeguards for electronic protected health information (ePHI), and maintain audit logs. HHS OCR enforcement actions have resulted in resolution agreements exceeding $1 million for documented failures in risk analysis (HHS OCR Resolution Agreements, public record).

Water systems — AWIA assessments: Community water systems serving more than 3,300 persons must certify completion of a risk and resilience assessment and an emergency response plan to the EPA Administrator under the America's Water Infrastructure Act of 2018 (33 U.S.C. § 300i-2).

Financial services — FFIEC and GLBA: Banks and credit unions follow cybersecurity examination standards from the Federal Financial Institutions Examination Council (FFIEC) and the Gramm-Leach-Bliley Act Safeguards Rule (updated by FTC in 2023 for non-bank financial institutions, 16 CFR Part 314).


Decision boundaries

Determining which framework governs a specific organization requires resolving three boundary questions:

Mandatory vs. voluntary: NERC CIP, TSA pipeline/rail directives, HIPAA Security Rule, and FFIEC examination standards carry enforcement authority. The NIST CSF and CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are voluntary for private-sector entities outside those regulatory perimeters — though CISA positions CPGs as a baseline reference for all 16 sectors (CISA Cross-Sector CPGs).

IT vs. OT scope: An energy company's corporate IT network and its SCADA-connected generation control system face different control baselines. NERC CIP explicitly scopes to bulk electric system cyber assets; NIST SP 800-82 addresses ICS/OT broadly. Organizations operating both environments must maintain parallel compliance programs with distinct asset registers.

Sector overlap: A hospital that also operates a natural gas co-generation plant falls under both HHS/HIPAA (Healthcare sector) and potentially DOE/NERC CIP (Energy sector). Dual-sector entities must identify the primary regulatory authority for each asset class and document the boundary in their risk management plans.

Professionals and organizations seeking qualified cybersecurity service providers operating within this regulatory landscape can reference the Smart Security Directory Purpose and Scope for classification standards and the criteria used to structure the Smart Security Listings. Detailed guidance on navigating those resources is available at How to Use This Smart Security Resource.

