
CISA issues COVID-19 risk management insights for organizations

CISA’s COVID-19 Insights (6 March 2020) urges organizations to stress-test remote work, protect critical functions, and formalize contingency roles; adding control mappings and setup steps strengthens operational readiness.

Reviewed for accuracy by Kodi C.


On 6 March 2020, CISA released COVID-19 risk management guidance advising organizations to prepare for elevated telework, absenteeism, and supply-chain disruption. The memo emphasizes continuity planning for critical functions, clear delegation of authority, and security controls that keep remote access resilient under load. This early guidance preceded the pandemic declaration by five days and gave organizations a critical head start on preparations.

CISA Risk Management Framework

CISA's guidance established a structured approach to pandemic preparedness spanning people, processes, and technology. The framework recognized that organizations would face simultaneous challenges: workforce availability declining due to illness or caregiving responsibilities, physical facilities becoming inaccessible, and IT systems experiencing unprecedented demand from remote workers.

The guidance focused on identifying essential functions and the minimum resources required to maintain them. Organizations were advised to classify business processes by criticality, identify key personnel and their backups, and document dependencies on third-party services. This business impact analysis formed the foundation for resource allocation decisions during the crisis.

CISA emphasized that pandemic scenarios differ from traditional disaster recovery because disruptions are prolonged and geographically dispersed. Unlike localized events where alternate sites can absorb workload, pandemic response requires distributed operations with reduced staffing across all locations simultaneously.

Remote Work Security Considerations

The guidance highlighted cybersecurity risks associated with rapid telework expansion. VPN concentrators and identity systems designed for partial remote access would face full-capacity demands. Organizations needed to assess whether infrastructure could support enterprise-wide remote operations without performance degradation that would impact productivity.

Authentication controls required particular attention. CISA recommended multi-factor authentication for all remote access, recognizing that home networks and personal devices introduce risks not present in controlled office environments. Device posture assessment and conditional access policies help ensure remote endpoints meet security baselines before connecting to corporate resources.

Network security monitoring became more challenging as traffic patterns shifted dramatically. Security teams needed to establish new baselines for remote work patterns and tune detection rules to identify anomalies in the changed environment. Threat actors were expected to exploit the transition period while defenses were still adapting.
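The re-baselining described above, as an added example that is not part of the original briefing or of CISA's guidance: the script learns each user's source countries and login hours from a first week of remote-work VPN authentication logs (constructed sample lines, not real data), then evaluates later logins against that baseline and flags logins from a new country, logins far outside the user's usual hours, users with no baseline at all, and bursts of failures from one source address. The log format, field names, tolerance and thresholds are assumptions chosen for the example.

```python
"""Re-baseline remote-access logins after a traffic-pattern shift (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample VPN authentication logs (not real data). The first set is
# one week of remote work used to learn the new per-user baseline; the second
# set is later traffic evaluated against that baseline.
BASELINE_LOGS = [
    "2020-03-16T08:02:11Z user=alice src_ip=203.0.113.10 src_country=US result=success",
    "2020-03-16T17:45:09Z user=alice src_ip=203.0.113.10 src_country=US result=success",
    "2020-03-17T09:12:40Z user=bob src_ip=198.51.100.7 src_country=US result=success",
    "2020-03-17T13:30:00Z user=bob src_ip=198.51.100.7 src_country=US result=success",
    "2020-03-18T07:55:03Z user=carol src_ip=192.0.2.44 src_country=CA result=success",
    "2020-03-18T16:10:22Z user=carol src_ip=192.0.2.45 src_country=CA result=success",
]
NEW_LOGS = [
    "2020-03-23T03:05:00Z user=alice src_ip=203.0.113.10 src_country=US result=success",
    "2020-03-23T08:10:00Z user=alice src_ip=203.0.113.10 src_country=US result=success",
    "2020-03-23T09:00:00Z user=bob src_ip=198.51.100.200 src_country=RO result=success",
    "2020-03-23T10:00:00Z user=dave src_ip=198.51.100.99 src_country=US result=failure",
    "2020-03-23T10:01:00Z user=dave src_ip=198.51.100.99 src_country=US result=failure",
    "2020-03-23T10:02:00Z user=dave src_ip=198.51.100.99 src_country=US result=failure",
    "2020-03-23T10:03:00Z user=dave src_ip=198.51.100.99 src_country=US result=failure",
    "2020-03-23T10:04:00Z user=dave src_ip=198.51.100.99 src_country=US result=failure",
    "2020-03-23T10:05:00Z user=dave src_ip=198.51.100.99 src_country=US result=success",
    "2020-03-23T14:00:00Z user=carol src_ip=192.0.2.44 src_country=CA result=success",
]


@dataclass
class Finding:
    ts: datetime
    kind: str      # off_hours | new_country | no_baseline | failure_burst
    subject: str   # user name, or source IP for failure bursts
    detail: str


def parse(line):
    """Parse one 'timestamp key=value ...' line (assumed format) into a dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_baseline(lines):
    """Per-user set of source countries and login hours, from successful logins only."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for rec in map(parse, lines):
        if rec["result"] == "success":
            base[rec["user"]]["countries"].add(rec["src_country"])
            base[rec["user"]]["hours"].add(rec["ts"].hour)
    return dict(base)


def detect(lines, baseline, hour_tolerance=2, fail_threshold=5,
           window=timedelta(minutes=10)):
    """Evaluate new log lines against the baseline; thresholds are assumptions."""
    findings = []
    fails = defaultdict(deque)  # src_ip -> timestamps of recent failures
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        user, ip = rec["user"], rec["src_ip"]
        if rec["result"] != "success":
            q = fails[ip]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:   # keep only failures inside the window
                q.popleft()
            if len(q) >= fail_threshold:
                findings.append(Finding(rec["ts"], "failure_burst", ip,
                                        f"{len(q)} failures within {window}"))
                q.clear()                      # report each burst once
            continue
        prof = baseline.get(user)
        if prof is None:
            findings.append(Finding(rec["ts"], "no_baseline", user,
                                    "no successful login during baseline period"))
            continue
        if rec["src_country"] not in prof["countries"]:
            findings.append(Finding(rec["ts"], "new_country", user,
                                    f"{rec['src_country']} not in {sorted(prof['countries'])}"))
        lo = min(prof["hours"]) - hour_tolerance
        hi = max(prof["hours"]) + hour_tolerance
        if not lo <= rec["ts"].hour <= hi:
            findings.append(Finding(rec["ts"], "off_hours", user,
                                    f"hour {rec['ts'].hour:02d} outside {lo:02d}-{hi:02d}"))
    return findings


def run_detection():
    """Build the remote-work baseline and evaluate the later sample traffic."""
    return detect(NEW_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for f in run_detection():
        print(f"{f.ts:%Y-%m-%d %H:%M}  {f.kind:<14} {f.subject:<16} {f.detail}")
```

The baseline is deliberately learned from the first week of remote work rather than from pre-transition office traffic, which is the point the passage makes: rules tuned to office-hours, office-network logins would fire on every legitimate home connection. The hour tolerance and failure window are starting values to tune against the organization's own data.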

Control Mappings

  • NIST SP 800-34 Rev.1 & SP 800-53 CP-2, CP-4: Support tested continuity plans and alternate processing sites for essential services.
  • CIS Controls v8 12.1 & 15.7: Require remote access management and tested incident response communications that scale during surges.
  • ISO/IEC 22301:2019 8.4 & ISO/IEC 27001:2022 A.5.30: Tie business continuity procedures to information security continuity and change management.

Implementation Checklist

  • Identify critical business services, owners, dependencies, and minimum staffing; document manual workarounds if key systems fail.
  • Load-test VPNs, SSO, and collaboration tools; enable MFA everywhere and enforce device posture checks for remote connections.
  • Pre-position spare laptops and mobile hotspots; verify asset imaging and MDM enrollment to keep new devices compliant.
  • Define delegation of authority, cross-train backups for essential roles, and maintain call trees for rapid activation.
  • Establish supplier communication routines and alternate vendors for critical inputs; track impacts in a centralized issue log.

Workforce and Communication Planning

CISA guidance addressed human factors beyond technology. Organizations needed policies for employees unable to work due to illness, family care responsibilities, or lack of suitable remote work environments. Flexible scheduling, cross-training, and clear communication channels help maintain operations with reduced workforce availability.

Crisis communication plans required updates to address pandemic-specific scenarios. Leadership needed prepared messaging for employees, customers, and partners covering topics such as service continuity, safety measures, and policy changes. Communication channels should account for scenarios where key communicators are unavailable.

Mental health and employee support considerations gained prominence as extended remote work and pandemic stress created new workforce challenges. Organizations were advised to promote available support resources and adjust performance expectations to account for changed circumstances.

Continuity Metrics and Follow-ups

  • Record results of capacity tests (concurrent VPN sessions, SSO login success, video quality) and keep evidence of remedial actions with owners and due dates.
  • Measure telework policy adoption, including MFA enrollment percentages, patch currency of remote endpoints, and phishing training completion during remote periods.
  • Validate that alternate suppliers and logistics routes are contractually secured; document any single points of failure and mitigation plans.
  • Re-run tabletop exercises after major policy changes or outbreaks to ensure call trees, paging tools, and command structures still function.
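The telework adoption metrics from the list above (MFA enrollment percentage and patch currency of remote endpoints), as an added example that is not part of the original briefing: it runs over a constructed endpoint inventory, computes the two percentages, treats endpoints with no patch record as unknown rather than silently counting them as compliant, and returns the per-endpoint reasons a remediation owner would need. The record fields, the 30-day patch-age threshold and the sample data are assumptions.

```python
"""Continuity metrics for remote endpoints from an inventory export (added example)."""
from datetime import date

# Constructed sample inventory (not real data); last_patch is None when the
# endpoint has never reported to patch management.
INVENTORY = [
    {"host": "lt-001", "user": "alice", "mfa_enrolled": True,  "managed": True,  "last_patch": date(2020, 4, 10)},
    {"host": "lt-002", "user": "bob",   "mfa_enrolled": False, "managed": True,  "last_patch": date(2020, 4, 1)},
    {"host": "lt-003", "user": "carol", "mfa_enrolled": True,  "managed": True,  "last_patch": date(2020, 2, 20)},
    {"host": "lt-004", "user": "dave",  "mfa_enrolled": True,  "managed": False, "last_patch": None},
    {"host": "lt-005", "user": "erin",  "mfa_enrolled": True,  "managed": True,  "last_patch": date(2020, 4, 14)},
]


def assess(inventory, as_of, max_patch_age_days=30):
    """Return (metrics, noncompliant) where noncompliant maps host -> list of reasons."""
    total = len(inventory)
    mfa_ok = sum(1 for e in inventory if e["mfa_enrolled"])
    known_patch = [e for e in inventory if e["last_patch"] is not None]
    current = sum(1 for e in known_patch
                  if (as_of - e["last_patch"]).days <= max_patch_age_days)
    noncompliant = {}
    for e in inventory:
        reasons = []
        if not e["mfa_enrolled"]:
            reasons.append("no_mfa")
        if not e["managed"]:
            reasons.append("unmanaged")
        if e["last_patch"] is None:
            reasons.append("patch_unknown")        # never assume unknown means patched
        else:
            age = (as_of - e["last_patch"]).days
            if age > max_patch_age_days:
                reasons.append(f"patch_stale_{age}d")
        if reasons:
            noncompliant[e["host"]] = reasons
    metrics = {
        "endpoints": total,
        "mfa_enrolled_pct": round(100.0 * mfa_ok / total, 1) if total else 0.0,
        # percentage is over endpoints with a known patch date; unknowns are reported separately
        "patched_within_30d_pct": round(100.0 * current / len(known_patch), 1) if known_patch else 0.0,
        "patch_unknown": total - len(known_patch),
        "unmanaged": sum(1 for e in inventory if not e["managed"]),
    }
    return metrics, noncompliant


def run_assessment():
    """Evaluate the sample inventory as of a constructed reporting date."""
    return assess(INVENTORY, as_of=date(2020, 4, 15))


if __name__ == "__main__":
    metrics, noncompliant = run_assessment()
    for k, v in metrics.items():
        print(f"{k:<24} {v}")
    for host, reasons in sorted(noncompliant.items()):
        print(f"{host}: {', '.join(reasons)}")
```

Keeping the patch-currency denominator to endpoints that actually report avoids a common reporting error where unmanaged or silent devices inflate the compliance figure; the separate `patch_unknown` count makes that gap visible to whoever owns the remedial action.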

Recovery and Reconstitution

  • Define triggers for returning to normal operations, including minimum staffing, service availability, and supplier stability; capture them in leadership playbooks.
  • Plan phased restoration of onsite operations with validation of building systems (HVAC, physical security) and IT services after prolonged remote use.
  • Archive telework exceptions and temporary firewall rules, scheduling their removal with change management once the surge subsides.

Supplier Resilience Checks

  • Review business continuity statements from critical SaaS and telecom providers; verify RTO/RPO commitments and document alternates if outages exceed contract terms.
  • Track upstream component shortages (laptops, networking gear) and pre-approve substitutions that meet security baselines.
  • Establish regular check-ins with critical suppliers to monitor their pandemic response and identify potential disruptions early.


References

  1. CISA Insights: Risk Management for COVID-19 — Cybersecurity and Infrastructure Security Agency
  2. Enterprise VPN Security — Cybersecurity and Infrastructure Security Agency
  3. National Continuity Programs resources — Federal Emergency Management Agency