CISA Releases Updated Version of its Infrastructure Resilience Planning Framework

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an updated version of its Infrastructure Resilience Planning Framework (IRPF). The IRPF was developed to be used by state, local, tribal and territorial (SLTT) planners to improve the resilience of critical infrastructure services in the face of multiple threats and changes, to ensure services that are vital to the social and economic well-being of the country can continue to be provided; however, the framework can be used by any organization to improve resilience, especially critical infrastructure organizations.

By improving resilience, SLTT partners and critical infrastructure organizations will be able to better deal with uncontrollable circumstances and adapt to changing conditions, from extreme weather events to evolving security threats and social-economic shifts. “Our safety and security depend on the ability of critical infrastructure to prepare for and adapt to changing conditions and to withstand and recover rapidly from disruptions,” said Dr. David Mussington, Executive Assistant Director for Infrastructure Security. “The updates to the IRPF will help planners better understand how to approach future threats and hazards so they can be prepared to meet and recover from an incident. Our collaborative approach with industry and interagency partners enabled CISA to improve the IRPF, which will help the SLTT planning community reduce risks and strengthen resilience.”

The framework can be used to support capital investment plans, funding requests, hazard mitigation plans, and other planning documents, and involves a five-step process:

  1. Lay the foundation
  2. Critical infrastructure identification
  3. Risk assessment
  4. Develop actions
  5. Implement and evaluate

The updated version of the IRPF includes several new resources to help SLTT partners and others deal with rapidly evolving threats and is especially valuable to critical infrastructure organizations given the significant increase in aggressive nation-state cyber activity over the past year. The update to the framework includes a new tool for identifying critical infrastructure – the Datasets for Critical Infrastructure guide; guidance for getting a diverse set of opinions when planning, including an overview of the drought hazard, and revised concepts that incorporate CISA’s Methodology for Assessing Regional Infrastructure Resilience.

The updated guidance will help planners to better understand how to deal with current and future threats and hazards, to ensure that they will be resilient to those threats and hazards and will be able to recover from an incident quickly.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of