CISA releases the Critical Infrastructure Cybersecurity Framework 2.0 with new operational technology and industrial control system guidance for civilian federal facilities and federally owned infrastructure.
CISA released the Critical Infrastructure Cybersecurity Framework 2.0 on February 19, 2026, with comprehensive new guidance for operational technology and industrial control systems. The update addresses the increasingly frequent targeting of federal civilian facilities' OT/ICS environments by sophisticated threat actors.
The framework update covers all 16 critical infrastructure sectors, with sector-specific annexes for federal facilities, healthcare, transportation, and energy. The federal facilities annex is mandatory for all GSA-managed buildings and civilian agency-owned critical facilities, representing approximately 9,000 facilities nationwide.
New OT/ICS-specific controls include network segmentation requirements between IT and OT networks, anomaly detection for industrial protocol traffic, secure remote access standards for OT environments, and supply chain verification requirements for ICS components.
The framework introduces a Critical Infrastructure Security Maturity Model with four levels, providing a structured progression path for facilities with limited OT security expertise. Facilities at maturity levels 1 and 2 must develop and execute remediation plans within 18 months.
GovAcademy's Critical Infrastructure Cyber Basics course (GA-047) provides the foundational OT security awareness training recommended for facilities operations personnel who interact with ICS environments but may lack cybersecurity backgrounds.
More advanced training needs are addressed by the Cyber Tabletop Exercise Facilitator course (GA-039), which covers scenario design for OT-specific incidents including ransomware attacks on industrial control systems.
CISA's framework update cited the 2024 attack on a federal water treatment facility's SCADA systems as the proximate cause for accelerating the OT/ICS framework update.