CISA’s updated guidelines say cybersecurity staff can be considered essential workers

CISA guidelines


“CISA continues to work with our partners in the critical infrastructure community to understand what’s needed to keep essential functions and services up and running,” said Christopher Krebs, CISA Director. “Based on feedback we received, we released version 3.0 of the Essential Critical Infrastructure Workers Guidance, which provides clarity around a range of positions needed to support the essential functions laid out in earlier versions. As new or evolving challenges emerge, we are looking at what kind of access, personal protective equipment, and other resources workers need to continue performing essential duties in a safe and healthy way.”

[optin-monster-shortcode id=”dv4jqlr9fih8giagcylw”]


“This guidance is not a federal mandate, and final decisions remain with state and local officials, who must determine how to balance public health and safety with the need to maintain critical infrastructure in their communities,” Krebs continued. “As the Nation’s response to COVID-19 continues to evolve, CISA will work with our partners across government and industry to update this list as needed. At this point, at least 33 states and numerous local jurisdictions have used the guidance in some way – so we’re encouraged that a common national approach is emerging and will continue to make refinements in response to our partners’ requirements.”

Version 3.0 of the guidance clarifies and expands critical infrastructure workers in several categories and provides additional information as considerations for both government and business. Several updates were made to the Healthcare/Public Health category, clarifying worker categories related to health care, public and environmental health, emergency medical services, and aligning related job functions. In all worker categories, references to “employees” or “contractors” were changed to “workers.” Other additions include:

  • Updated language focused on sustained access and freedom of movement;
  • A reference to the Centers for Disease Control (CDC) guidance on safety for critical infrastructure workers;
  • Language noting the essential role of workers focused on information technology and operational technology;
  • Clearer guidance that sick workers should avoid the job site;
  • A reference to the U.S. Coast Guard (USCG) Marine Safety Information Bulletin on essential maritime workers;
  • Clarified language to include vehicle manufactures; judges and lawyers supporting the judicial system; agricultural jobs; transportation-specific education.

The agency’s classification of cybersecurity staffers as essential is a sensible move, given that critical infrastructure providers will also need workers on site to operate OT and control systems. 

Over the last week, many U.S. cities and states have introduced additional restrictions on travel and public activities in a bid to curb the coronavirus pandemic.

As a result, the question of how to identify essential staffers who must leave their homes instead of working remotely has become more urgent. It’s also become more relevant to companies that employ cybersecurity professionals, as they are now confronting threats that arise both remotely and on site.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has answered by classifying cybersecurity staffers as essential. It did so on March 28, when it updated its guidelines for identifying essential workers.

Ensuring coverage for vital industries

CISA published its first set of recommendations on identifying members of the Essential Critical Infrastructure Workforce in mid-March. Then on March 28, it published a memorandum offering additional guidance to companies involved in sustaining vital infrastructure networks.

In the memorandum, it identified a wide range of positions as essential. “The advisory list identifies workers who conduct a range of operations and services that are typically essential to continued critical infrastructure viability, including staffing operations centers, maintaining and repairing critical infrastructure, operating call centers, working construction, and performing operational functions, among others,” the agency said. “It also includes workers who support crucial supply chains and enable functions for critical infrastructure.”

CISA also noted that these considerations were relevant to multiple sectors of the economy. “The industries they [essential workers] support represent, but are not limited to, medical and healthcare, telecommunications, information technology systems, defense, food and agriculture, transportation and logistics, energy, water and wastewater, law enforcement, and public works,” it said.

Identifying cybersecurity professionals as essential workers

In the March 28 memorandum, CISA stated explicitly that cybersecurity specialists could be classified as essential workers.

Specifically, it said that the list of employees who need to work on site rather than remotely included: “[workers] needed to preempt and respond to cyber incidents involving critical infrastructure, including medical facilities, SLTT [state, local, tribal and territorial] governments and federal facilities, energy and utilities, and banks and financial institutions, securities/other exchanges, other entities that support the functioning of capital markets, public works, critical manufacturing, food and agricultural production, transportation, and other critical infrastructure categories and personnel, in addition to all cyber defense workers (who can’t perform their duties remotely).”

Keeping an eye on OT and control systems

The agency’s classification of cybersecurity staffers as essential workers is a sensible move, especially since the guidelines also cover a wide range of operational technology (OT) and industrial control systems (ICS) within the industries named above.

For instance, the section on water and wastewater management identifies operational workers and technical support providers for Supervisory Control and Data Acquisition (SCADA) systems as essential. Likewise, the section on energy mentions employees involved in “IT and OT technology for essential energy sector operations,” including all who are engaged in general support operations, customer service, energy-sector data center operations, and the functioning of energy management systems, control systems, and SCADA systems.

As IndustrialCyber has reported previously, one of the biggest cybersecurity threats facing critical infrastructure is the human component. Many C-level executives in the infrastructure sector have named deliberate and accidental breaches of IT and OT security by employees as the biggest danger for their companies. If so, companies that provide essential services will definitely need to keep tabs on what their essential workers are doing while on the job.

That is, they will need cybersecurity professionals, and they will need them on site, where they can act quickly to address any problems that might affect the operation of critical infrastructure systems. The stakes are high, given that outages and disruptions in essential sectors such as utilities, food services and the manufacturing of essential goods would be all the more devastating during a public health crisis.

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on whatsapp


Join over 5,000 Industrial OT & Cyber professionals

Weekly Newsletter direct to your inbox