CISA's Voluntary Framework Is a National-Security Failure
The voluntary model assumes operators will invest against rare-event risk. They do not. A close reading of the framework, the math, and what should replace it.

Dr. Raphael Nagel
January 18, 2026

Voluntary is not a security posture. It is an accounting category, and the United States has spent two decades pretending otherwise.
The Cybersecurity and Infrastructure Security Agency was built on a wager: that the operators of sixteen critical sectors, faced with credible threat intelligence and a coordinating federal body, would invest at the level the threat demanded. The wager has lost. Not occasionally, not at the margins, but systematically, in every sector where the cost of hardening exceeds the discounted probability of the catastrophic event. This is not a failure of the people inside CISA, who do serious work with constrained authorities. It is a failure of the model itself. The voluntary framework assumes rational operators face rare-event risk and choose to mitigate it. Rational operators, under quarterly reporting pressure and unforgiving cost-of-capital math, do the opposite.
What follows is not a polemic against the agency. It is a structural reading of why the American approach to critical infrastructure protection produces the outcomes it produces, why the gap between the rhetoric of resilience and the condition of the assets grows wider every year, and what a serious replacement would look like. The argument is operator to operator, written by a manufacturer who builds the physical and digital perimeter that the framework, in theory, exists to coordinate.
The Voluntary Premise And Why It Fails
CISA's authority over private critical infrastructure is, with narrow exceptions, advisory. The agency publishes guidance, conducts assessments on request, shares threat indicators, coordinates exercises, and issues binding operational directives to federal civilian agencies. For the eighty-five percent of critical infrastructure that sits in private hands, the relationship is invitational. An operator may choose to engage. An operator may choose to ignore. The asymmetry is structural and intentional, a product of the political settlement that produced the Department of Homeland Security in 2002 and was carried forward into the CISA Act of 2018.
The premise behind this settlement was that operators understand their own assets better than a federal agency could, and that market incentives, insurance pricing, and reputational exposure would drive investment toward an efficient level of protection. Each of these assumptions has degraded. Operators understand their assets in operational terms, not in adversarial terms. The threat actor who studies a substation or a water treatment plant studies it as an attacker, with time, intent, and tools that the asset owner does not model. Insurance pricing, after the cyber market repricing of 2021 to 2023 and the silent cyber exclusions that followed, no longer translates threat into premium in a way that drives capital expenditure. Reputational exposure is a function of media attention, which is itself a function of whether the incident is photogenic. A substation attack at three in the morning in rural Tennessee does not move share prices. A ransomware event that disables billing for two weeks does.
The result is a population of operators who, when faced with the choice between hardening against a low-probability high-consequence event and deploying the same capital against a known operational pain, choose the operational pain every time. This is not negligence. It is finance. CISA's voluntary model assumes that better information, better coordination, and better guidance will overcome the gravitational pull of net present value calculations against tail risk. It does not. It cannot. The math does not yield to advisories.
The Math Operators Actually Run
Consider a regional electric utility evaluating physical hardening of a transmission substation. The asset is replaceable for somewhere between two and five million dollars, depending on configuration. The probability of a targeted physical attack against that specific substation in any given year, based on the Metcalf precedent and subsequent NICB and federal incident data, is well below one percent. The expected annual loss, in pure actuarial terms, is below fifty thousand dollars. The cost of meaningful hardening, including ballistic walls, intrusion detection integrated with utility SCADA, and a credible response posture, runs from several hundred thousand to over a million dollars per site. A utility with four hundred substations cannot multiply that number against its rate base without a regulatory proceeding, and regulatory proceedings reward operators who minimize customer bills, not operators who pre-fund tail risk.
The math is similar in water, in chemicals, in pipelines, in the dozens of sectors where CISA holds coordinating responsibility. The expected loss to the individual operator is small. The expected loss to the system, when an attacker chains together failures across operators, is enormous. This is the canonical externality problem, and it is not solved by guidance. It is solved by either internalizing the externality through regulation that prices the systemic loss into the operator's decision, or by socializing the cost of hardening through direct federal investment. The voluntary framework does neither. It produces documents.
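The externality argument above can be made concrete with a small model. The following Python is an added illustration written for this article, not a calculation from the author, CISA, or any utility. It takes the figures the article gives (a two-to-five-million-dollar replacement cost, an attack probability below one percent per year, hardening capex of several hundred thousand to over a million dollars, a fleet of four hundred substations) and adds four labelled assumptions: an 8% cost of capital, a twenty-year horizon, hardening that defeats 80% of attacks, and a two-billion-dollar systemic loss if an attacker chains unhardened sites into a regional outage. The model shows why the operator's NPV on hardening is negative while the system-level NPV is positive, and it computes the annual price signal (fine, liability premium or insurance surcharge) that would close that gap.

```python
"""Per-site versus system-level NPV of substation hardening.

Added illustration for the article's externality argument. Inputs marked
ARTICLE come from the text; inputs marked ASSUMPTION are constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    replacement_cost: float      # ARTICLE: $2M to $5M per substation
    attack_probability: float    # ARTICLE: "well below one percent" per year
    hardening_capex: float       # ARTICLE: several hundred thousand to >$1M
    hardening_effectiveness: float  # ASSUMPTION: share of attacks the hardening defeats


def annuity_factor(rate: float, years: int) -> float:
    """Present value of $1 received at the end of each year for `years` years."""
    if rate == 0:
        return float(years)
    return (1 - (1 + rate) ** -years) / rate


def operator_npv(site: Site, rate: float, years: int) -> float:
    """NPV to the operator alone of hardening one site.

    Benefit: the expected replacement loss the hardening avoids each year.
    Cost: the capex, paid up front. Nothing systemic enters this number,
    because nothing systemic lands on the operator's balance sheet.
    """
    avoided_per_year = (site.attack_probability
                        * site.hardening_effectiveness
                        * site.replacement_cost)
    return avoided_per_year * annuity_factor(rate, years) - site.hardening_capex


def systemic_npv(site: Site, n_sites: int, rate: float, years: int,
                 systemic_loss: float) -> float:
    """NPV to society of hardening the whole fleet.

    ASSUMPTION: a coordinated campaign that chains unhardened sites occurs
    with the same annual probability as a single-site attack and causes
    `systemic_loss`, borne by the public rather than the operator; hardening
    the fleet defeats that campaign with the same effectiveness.
    """
    private = n_sites * operator_npv(site, rate, years)
    avoided_systemic_per_year = (site.attack_probability
                                 * site.hardening_effectiveness
                                 * systemic_loss)
    return private + avoided_systemic_per_year * annuity_factor(rate, years)


def breakeven_price_signal(site: Site, rate: float, years: int) -> float:
    """Annual charge on an unhardened site that makes hardening NPV-neutral
    for the operator: the externality expressed as a price the operator sees."""
    shortfall = max(0.0, -operator_npv(site, rate, years))
    return shortfall / annuity_factor(rate, years)


# Worked figures. ARTICLE values at the top of their ranges; the rest ASSUMPTION.
SUBSTATION = Site(replacement_cost=5_000_000,
                  attack_probability=0.01,
                  hardening_capex=750_000,
                  hardening_effectiveness=0.8)
COST_OF_CAPITAL = 0.08          # ASSUMPTION
HORIZON_YEARS = 20              # ASSUMPTION
FLEET_SIZE = 400                # ARTICLE
SYSTEMIC_LOSS = 2_000_000_000   # ASSUMPTION: multi-day regional outage


def worked_example() -> dict:
    """Return the three numbers the article's argument turns on."""
    return {
        "operator_npv_per_site": operator_npv(SUBSTATION, COST_OF_CAPITAL, HORIZON_YEARS),
        "systemic_npv_fleet": systemic_npv(SUBSTATION, FLEET_SIZE, COST_OF_CAPITAL,
                                           HORIZON_YEARS, SYSTEMIC_LOSS),
        "breakeven_annual_charge": breakeven_price_signal(SUBSTATION, COST_OF_CAPITAL,
                                                          HORIZON_YEARS),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>26}: {value:,.0f}")
```

Under these inputs the operator loses roughly $357,000 per site by hardening, the fleet-level public NPV is positive by roughly $14 million, and a charge of about $36,000 per unhardened site per year would make the operator's decision match society's. The interesting property is not the exact figures, which move with every assumption, but the sign flip between the private and systemic columns: that flip is the externality the article describes, and the break-even charge is what a regulatory or insurance price signal would have to look like to remove it.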
The book BOSWAU + KNAUER. From Building to Security Technology makes a related point in a different context: security is either an investment with a measurable return across direct loss, consequential loss, and insurance pricing, or it is an expense item that gets cut in every cycle where margins compress. The American framework, by refusing to convert the systemic externality into an operator-level price signal, ensures that critical infrastructure protection lives in the expense column. Once it lives in the expense column, the next quarter's budget cycle removes it.
What The Framework Does Not Touch
A close reading of CISA's published guidance, including the Cross-Sector Cybersecurity Performance Goals, the sector-specific plans, and the physical security guidance updated through 2025, reveals what the framework systematically avoids. It does not set mandatory minimum standards for physical perimeter integrity at substations, pumping stations, telecommunications hubs, or rail control points. It does not require third-party verification of stated controls. It does not impose timelines on remediation of identified gaps. It does not condition federal contracts, grants, or regulatory approvals on demonstrated compliance with its own guidance. Each of these omissions is deliberate, and each reflects the boundary of what the political settlement permits.
NIST has done serious work, in particular the Cybersecurity Framework 2.0 and the control catalog in NIST 800-53, that could form the backbone of a binding regime. IEC 62443 provides a defensible technical standard for industrial control systems. ISO 27001 offers a management system framework that auditors can actually audit. None of these are required for private critical infrastructure operators in the United States. They are referenced, recommended, suggested. The same operator who must comply with a granular OSHA standard for a guardrail height faces no federal floor on the resilience of the control room that runs the chemical process behind the guardrail. This is not a contradiction the framework can resolve. It is the framework.
What the framework also does not touch is the physical security of the digital infrastructure itself. Data centers, fiber landing stations, internet exchange points, and the increasingly consolidated cloud regions that now host critical workloads for federal agencies, state governments, and Fortune 500 operators fall nominally under the Information Technology and Communications sectors, but no sector-specific physical baseline attaches to them. They are infrastructure for everything and carry a binding obligation for nothing. ASIS International has published thoughtful work on data center physical security, but the floor remains whatever the operator chooses to fund. Given that the operator's customer is often a hyperscaler whose contract priorities are uptime and cost, the floor settles where the customer accepts it, which is rarely where a serious adversary model would place it.
How NIS2 Inverts The Model
The European NIS2 Directive, transposed across member states through 2024 and into effect operationally in 2025, takes the opposite premise as its starting point. It assumes that operators will not invest at the level the threat demands unless required to do so, that requirements without verification are theater, and that verification without consequences is bureaucracy. NIS2 names essential and important entities, sets baseline obligations on risk management, incident reporting, supply chain security, and governance, requires registration with national competent authorities, and imposes administrative fines that scale with global turnover. Management bodies bear personal responsibility. The German BSI, the French ANSSI, and their counterparts in other member states have moved from advisory to supervisory posture, with audit rights and the authority to compel.
The directive is not perfect. Its scope is contested, its implementation varies across member states, and its first enforcement cycles will reveal weaknesses that critics will exploit. But its structural premise is correct. It treats critical infrastructure protection as a public good that requires public authority, not as a private investment decision that benefits from public information. It accepts that the cost will fall on operators, that the cost will be passed on to customers, and that the alternative, in which the cost falls on society after a catastrophic event, is worse. The GDV, the German insurance association, has begun aligning premium structures to NIS2 compliance status, which closes the loop between regulatory requirement and capital market signal that the American voluntary framework has never managed to close.
A serious American observer can disagree with the specifics of NIS2 and still recognize that its premise is the premise that produces results. Voluntary frameworks produce variance. Variance, in critical infrastructure, is the same word as vulnerability.
The Reliability Gap
The cumulative effect of two decades of voluntary guidance is measurable, and it does not flatter the model. Sector-specific assessments, where they have been conducted with operator cooperation, consistently identify the same gaps: legacy industrial control systems exposed to public networks, physical perimeters that have not been hardened since the original construction, response postures dependent on local law enforcement that lacks specialized capacity, and identity management practices that would fail a first-year audit against ISO 27001. These are not exotic findings. They are the same findings, in the same sectors, year after year, in agency reports and inspector general reviews and academic studies that nobody acts on because nobody is required to act on them.
The reliability gap is not the gap between guidance and practice. The gap between guidance and practice is, by the framework's own logic, the operator's prerogative. The reliability gap is the gap between the protection the public assumes critical infrastructure has and the protection it actually has. That gap is widening. Threat actor capability is increasing, driven by state programs in adversary nations, by the commodification of offensive tools in criminal markets, and by the increasing return on critical infrastructure attacks as a coercive instrument. Operator capability, in aggregate, is not increasing at the same rate. Some operators are excellent. Some operators meet a basic standard. Many operators meet whatever standard their last incident embarrassed them into adopting. The framework treats all three categories as equivalent participants in a voluntary regime.
A manufacturer who builds physical security technology for industrial sites sees this distribution directly. The operators who buy serious systems are the operators who have already had an incident, or whose insurer has finally extracted a condition, or whose board has been persuaded by a peer's experience. The operators who buy nothing are the operators who have not yet been attacked. The framework does not change this distribution. It documents it.
What Would Actually Work
A replacement framework would do three things the current model does not. It would set binding minimum standards for the sectors where systemic risk is highest, beginning with electric transmission, water treatment, telecommunications backbone, and the data center infrastructure on which the federal civilian executive branch now depends. It would require third-party verification of compliance, on a multi-year cycle, with the cost borne by the operator and the audit conducted by accredited firms operating under federal supervision. It would link compliance status to capital market access, federal procurement eligibility, and insurance pricing, through mechanisms that the SEC, the federal procurement system, and state insurance regulators already possess but do not use in coordinated fashion.
The standards themselves do not need to be invented. The combination of NIST CSF 2.0 for governance, NIST 800-53 for controls, IEC 62443 for industrial control systems, and a physical security baseline drawn from ASIS International guidelines would produce a defensible floor. The work is not technical. The work is political. It requires accepting that critical infrastructure protection is not a partnership between government and industry, but an obligation of operators that government enforces. The partnership language, which has dominated American policy since the Clinton administration, has produced exactly the outcomes one would expect from a partnership in which one partner has no leverage.
The objection that mandatory standards will impose costs on operators and ultimately on customers is correct and beside the point. The costs are being imposed already, in the form of uncompensated systemic risk that society absorbs after each incident. The question is not whether to pay. The question is whether to pay in advance through hardening, or after the fact through reconstruction. Every serious actuary in the property and casualty markets has run this calculation. The answer is not ambiguous.
What Holds
The voluntary framework is a national-security failure not because the people inside CISA fail at their work, but because the model they operate under cannot produce the outcomes the country requires. It assumes operators will price tail risk into capital allocation decisions. They will not. It assumes information sharing will substitute for authority. It does not. It assumes the partnership between government and industry will converge on adequate protection. It has not.
A serious replacement would set binding standards, require verification, and link compliance to capital, procurement, and insurance. The technical components exist. The political will does not, yet. Until it does, the gap between the protection the public assumes and the protection that actually exists will continue to widen, and the next incident will be larger than the last.
Operators reading this who recognize their own situation in the description, who know that their physical perimeter would not survive a serious adversary model, and who would prefer to act before the regulatory environment changes around them, have an option that does not require waiting for federal mandates. A confidential sixty-minute conversation, the first of the three paths described in BOSWAU + KNAUER. From Building to Security Technology, costs nothing and produces an honest assessment of where the gaps are. The audit and pilot paths follow, for operators ready to move from assessment to action. The framework will not protect the asset. The operator will, or no one will.
Frequently asked questions
What does CISA require for physical security in critical infrastructure?
CISA does not require physical security measures for private critical infrastructure operators in the United States. It publishes guidance, including the Cross-Sector Cybersecurity Performance Goals and sector-specific recommendations, and it conducts assessments on request. The relationship is advisory. Operators choose whether to engage, whether to implement recommendations, and on what timeline. Binding directives apply only to federal civilian executive branch agencies. For the roughly eighty-five percent of critical infrastructure in private hands, including most electric utilities, water systems, and telecommunications providers, no federal physical security floor exists.
Is the CISA framework legally binding?
For private critical infrastructure operators, no. CISA holds coordinating authority across sixteen designated sectors but lacks the regulatory power to compel compliance with its guidance. Sector-specific regulators, including FERC for bulk electric power and the TSA for pipelines and rail, have narrower mandatory authorities, but the gaps between them are substantial. Binding operational directives apply only to federal civilian agencies, under authority that originates in the Federal Information Security Modernization Act of 2014 and that CISA has exercised since the CISA Act of 2018. The voluntary character of the framework is the central design choice of American critical infrastructure policy, and it is the source of the structural failures the framework produces.
How does NIS2 compare to the CISA model?
The European NIS2 Directive inverts the American premise. It imposes mandatory baseline obligations on essential and important entities, requires registration with national competent authorities, mandates incident reporting on tight timelines, addresses supply chain security explicitly, and holds management bodies personally accountable. Administrative fines scale with global turnover. National authorities, including the German BSI and the French ANSSI, hold supervisory and audit powers. The directive accepts that critical infrastructure protection is a public obligation enforced by public authority, rather than a private decision informed by public guidance. Implementation varies, but the structural premise produces different outcomes.
What incentives would actually drive critical-infrastructure investment?
Three mechanisms, used in coordination, would move operator behavior. First, binding minimum standards in the sectors with highest systemic risk, drawn from NIST CSF 2.0, NIST 800-53, IEC 62443, and an ASIS-informed physical security baseline. Second, third-party verification of compliance on a multi-year cycle, conducted by accredited auditors under federal supervision. Third, linkage of compliance status to capital market disclosures, federal procurement eligibility, and insurance pricing, using authorities that SEC, GSA, and state insurance regulators already possess. The technical content exists. The integration into a binding regime is the missing element.

About the author
Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com
The firm is reached at boswau-knauer.de or +49 711 806 53 427.


