CISA Overhauls Critical Infrastructure Strategy, Prioritizing 'Crown Jewels'

CISA Shifts Strategy to Protect 'Crown Jewels' of Critical Infrastructure

INFORMATIONAL
June 24, 2026
Policy and Compliance, Regulatory, Industrial Control Systems


Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is fundamentally evolving its strategy for protecting the nation's critical infrastructure. Moving away from its traditional 16-sector model, the agency will now prioritize the identification and protection of specific, high-impact systems and functions—dubbed the "crown jewels." CISA's Acting Director, Nick Andersen, announced the shift on June 24, 2026, stating that the growing threat of attacks on civilian services means the U.S. can no longer afford to protect everything equally. The new approach will focus resources on the assets whose disruption would cause the most significant damage to national security, economic stability, and public safety. CISA also clarified its position that AI is a capability, not infrastructure itself, and that the focus should be on protecting the underlying systems that power it.


Regulatory Details

This announcement signals a significant change in U.S. national cybersecurity policy. While not a new law, it redefines how CISA will allocate its resources and collaborate with the private sector. The key tenets of the new strategy are:

  • Function-Based Prioritization: Instead of treating all entities within a sector (e.g., 'Energy') as equally critical, CISA will focus on specific functions (e.g., 'power generation for a major metropolitan area') and the systems that enable them.
  • Adversary-Focused Defense: The strategy is driven by an understanding of which systems adversaries are most likely to target for maximum disruptive effect.
  • Shared Responsibility: The new approach aims to ease the burden on individual owner-operators by fostering deeper collaboration and providing more targeted support to protect the most vital assets.
  • Redefining 'Criticality': The shift acknowledges that not all infrastructure is created equal. The 'crown jewels' are those systems where failure would have cascading, catastrophic consequences.

Affected Organizations

This strategic shift will primarily affect owner-operators of U.S. critical infrastructure. Organizations that manage systems deemed to be 'crown jewels' can expect to see increased engagement, support, and scrutiny from CISA. This includes entities across all 16 traditional sectors, such as energy, finance, transportation, and healthcare. The new model will likely lead to a tiered system of criticality, with more resources devoted to the most essential entities. Technology providers, especially those whose products are embedded in critical systems, will also be impacted as CISA works to secure the technology supply chain.

Compliance Requirements

While the announcement did not include new mandatory compliance rules, organizations identified as managing 'crown jewel' assets will likely face higher expectations for their security posture. This could translate into:

  • More rigorous risk assessments.
  • Requirements for more frequent reporting and information sharing with CISA.
  • Adherence to specific cybersecurity frameworks and best practices recommended by the agency.
  • Participation in government-led cybersecurity exercises and assessments.

CISA plans to roll out new collaboration frameworks in the coming weeks, which will provide more detail on these expectations.

Implementation Timeline

The strategy is being implemented now, with CISA already shifting its internal focus. The new collaboration frameworks are expected in the "coming weeks" following the June 24 announcement. This will be an ongoing evolution rather than a single event, as CISA works with partners to identify and map out the nation's most critical systems.

Impact Assessment

For businesses, this change has several implications:

  • Positive: Organizations managing 'crown jewel' assets will receive more tailored support and intelligence from the government, strengthening their defenses. A more secure national infrastructure benefits all businesses by reducing systemic risk.
  • Challenging: Those same organizations will face higher compliance burdens and increased oversight. The cost of meeting these heightened security expectations could be significant.
  • For others: Companies not deemed part of the 'crown jewels' may see less direct engagement from CISA, placing a greater onus on them to manage their own cyber risk without direct government partnership.

The clarification on AI—that it is a capability relying on infrastructure like data centers and networks—helps focus protection efforts on tangible assets rather than an abstract concept.

Compliance Guidance

All critical infrastructure operators should take the following steps:

  1. Conduct a Criticality Assessment: Proactively assess your own systems to identify which ones could be considered 'crown jewels' based on their impact on public safety or economic stability.
  2. Engage with CISA: Participate in CISA programs and information-sharing bodies (like ISACs) to stay informed about the evolving strategy and expectations.
  3. Benchmark Security Posture: Evaluate your current security controls against robust frameworks like the NIST Cybersecurity Framework (CSF) to identify gaps.
  4. Focus on Resilience: Regardless of criticality, focus on building resilience—the ability to withstand and quickly recover from an attack—as CISA has emphasized that breaches are inevitable.

Timeline of Events

  1. June 24, 2026: CISA Acting Director Nick Andersen announces the strategic shift to focus on 'crown jewel' infrastructure.
  2. June 24, 2026: This article was published.

MITRE ATT&CK Mitigations

Developing robust contingency and incident response plans is key to building the resilience CISA is emphasizing for critical functions.

Segmenting networks to isolate 'crown jewel' systems from less critical parts of the environment is a core tenet of this prioritized defense strategy.

A strong threat intelligence program helps organizations understand which adversaries are likely to target their specific 'crown jewel' assets and how.

D3FEND Defensive Countermeasures

CISA's 'crown jewel' strategy requires organizations to identify and isolate their most critical assets. The most effective way to do this technically is through rigorous network segmentation, a form of broadcast domain isolation. Critical systems—whether they are industrial control systems in a factory, payment processing servers in a bank, or patient record databases in a hospital—should be placed in their own secure network enclaves. Access to these enclaves must be controlled by strict firewall rules based on a Zero Trust model, where all traffic is denied by default and only explicitly authorized connections are permitted. This ensures that even if a less critical part of the network is compromised, the breach is contained and cannot spread to the 'crown jewels.'
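The default-deny requirement above can be checked mechanically against a firewall rule export. This is an added example, not part of the original article or any CISA material; the enclave range, authorized sources, rule format and the `audit_policy` helper are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: a hypothetical 'crown jewel' enclave and the only
# sources approved to reach it (for example a jump host and a reporting subnet).
ENCLAVE = ipaddress.ip_network("10.50.0.0/24")
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.10.5.10/32"),
                      ipaddress.ip_network("10.20.0.0/28")]

# Constructed policy containing the weaknesses the audit should catch.
SAMPLE_POLICY = {
    "default_action": "allow",  # weak: segmentation requires "deny"
    "rules": [
        {"id": 1, "action": "allow", "src": "10.10.5.10/32", "dst": "10.50.0.20/32", "port": 22},
        {"id": 2, "action": "allow", "src": "10.0.0.0/8", "dst": "10.50.0.0/24", "port": 443},
        {"id": 3, "action": "allow", "src": "10.20.0.4/32", "dst": "10.50.0.30/32", "port": "any"},
        {"id": 4, "action": "allow", "src": "10.20.0.0/28", "dst": "192.168.1.0/24", "port": 80},
    ],
}

def audit_policy(policy, enclave=ENCLAVE, authorized=AUTHORIZED_SOURCES):
    """Return (rule_id, finding) pairs where the policy breaks default-deny segmentation."""
    findings = []
    if policy.get("default_action") != "deny":
        findings.append((None, "default action is not deny"))
    for rule in policy["rules"]:
        if rule["action"] != "allow":
            continue
        dst = ipaddress.ip_network(rule["dst"])
        if not dst.overlaps(enclave):
            continue  # rule does not admit traffic into the enclave
        src = ipaddress.ip_network(rule["src"])
        # The source must fall entirely inside one explicitly authorized range.
        if not any(src.subnet_of(a) for a in authorized):
            findings.append((rule["id"], f"source {src} is broader than the authorized list"))
        if rule["port"] == "any":
            findings.append((rule["id"], "allows every port; name the required service"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in audit_policy(SAMPLE_POLICY):
        print(rule_id, finding)
```
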

Once 'crown jewel' assets are identified, security teams must establish a baseline of normal access patterns for them. Resource Access Pattern Analysis involves using monitoring tools (like UEBA or specialized application monitoring) to learn who, what, when, and from where these critical systems are typically accessed. With this baseline in place, the system can automatically flag any deviations as high-priority security events. For example, an alert could be generated if a critical database is accessed by an administrator at 3 AM from an unrecognized IP address, or if a user account starts downloading an unusually large volume of data. This behavioral approach is key to detecting sophisticated threats that might bypass other defenses.
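The baseline-and-deviation logic described above, reduced to its core as an added example (not from the original article and not a UEBA product's algorithm). The event tuples, account names, addresses and the three-sigma volume threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access history for a hypothetical critical database:
# (ISO timestamp, user, source IP, bytes read).
HISTORY = [
    ("2026-06-01T09:12:00", "dba_alice", "10.10.5.10", 40_000),
    ("2026-06-02T10:30:00", "dba_alice", "10.10.5.10", 55_000),
    ("2026-06-03T14:05:00", "dba_alice", "10.10.5.10", 47_000),
    ("2026-06-04T16:45:00", "dba_alice", "10.10.5.10", 52_000),
    ("2026-06-02T11:00:00", "svc_report", "10.20.0.4", 900_000),
    ("2026-06-03T11:00:00", "svc_report", "10.20.0.4", 950_000),
    ("2026-06-04T11:00:00", "svc_report", "10.20.0.4", 920_000),
]

def build_baseline(events):
    """Learn, per user, the source IPs, hours of day and byte volumes seen so far."""
    base = defaultdict(lambda: {"ips": set(), "hours": [], "bytes": []})
    for ts, user, ip, nbytes in events:
        profile = base[user]
        profile["ips"].add(ip)
        profile["hours"].append(datetime.fromisoformat(ts).hour)
        profile["bytes"].append(nbytes)
    return dict(base)

def score_event(baseline, event, sigma=3.0):
    """Return the deviations from the baseline for one new access event."""
    ts, user, ip, nbytes = event
    profile = baseline.get(user)
    if profile is None:
        return ["user never seen on this asset"]
    reasons = []
    if ip not in profile["ips"]:
        reasons.append("unrecognized source IP")
    hour = datetime.fromisoformat(ts).hour
    if not min(profile["hours"]) <= hour <= max(profile["hours"]):
        reasons.append("access outside learned hours")
    mu, sd = mean(profile["bytes"]), pstdev(profile["bytes"])
    # Floor the spread at 10% of the mean so a very uniform baseline does not over-alert.
    if nbytes > mu + sigma * max(sd, 0.1 * mu):
        reasons.append("data volume far above baseline")
    return reasons
```

An event that returns more than one reason, such as the 3 AM access from an unknown address, is the kind that would be raised as high priority.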

To protect the real 'crown jewels,' organizations can create convincing fake ones. A decoy environment, or high-interaction honeypot, can be set up to mimic a critical system. This decoy environment would be instrumented with extensive monitoring and logging. Any interaction with the decoy is, by definition, malicious. This provides an extremely high-fidelity signal of an active intruder in the network, allowing the security team to observe the attacker's TTPs in a safe environment while protecting the actual critical assets. This proactive defense aligns with CISA's adversary-focused strategy by actively hunting for and analyzing threats within the network.

Sources & References

CISA is Evolving How it Defines Critical Infrastructure
GovCIO Media (govciomedia.com) June 24, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CISA, Critical Infrastructure, Cybersecurity Policy, Crown Jewels, National Security
