CISA Essential Critical Infrastructure Guidance — March 19, 2020

Executive briefing: The Cybersecurity and Infrastructure Security Agency (CISA) issued the first version of its Essential Critical Infrastructure Workforce guidance on 19 March 2020. The advisory defined industries and job functions that needed to remain operational during COVID-19 stay-at-home orders. State and local governments adopted the list to shape public health orders, while businesses used it to justify continued operations, manage workforce access, and coordinate with emergency management authorities.

Execution priorities for continuity leaders

Compliance checkpoints against CISA designations

Document which roles map to the essential worker categories in Versions 1.0 through 3.0 and update travel letters, facility access rosters, and HR policies so critical staff can operate under stay-at-home orders.CISA essential workforce guidance v1.0CISA essential workforce guidance v3.0

Reconcile sector-specific protocols—such as energy, communications, and financial services—with state executive orders so compliance teams can prove alignment when regulators audit pandemic decisions.CISA essential workforce guidance v2.0

Operational moves for critical services

Prioritise physical security, secure remote access, and supply chain redundancy for designated essential teams, drawing on Version 3.0's emphasis on industrial control system support, logistics resilience, and restoration planning.CISA essential workforce guidance v3.0

Align shift rotations, health screenings, and on-site housing contingencies with CISA's advice to sustain telecommunications, IT, and critical manufacturing functions under prolonged disruptions.CISA essential workforce guidance v1.0CISA essential workforce guidance v2.0

Enablement tasks for partners and workforce

Equip suppliers and contractors with documentation proving their essential status so transportation checkpoints, customs agencies, and local authorities recognise authorised personnel and shipments.CISA essential workforce guidance v2.0

Communicate clearly with employees about health, safety, and leave policies while sharing CISA's justifications to maintain trust and reduce attrition across essential service teams.CISA essential workforce guidance v1.0

Scope and sectors

Sector definitions

The guidance covers 16 critical infrastructure sectors defined by the Department of Homeland Security, including healthcare, public health, food and agriculture, energy, transportation systems, information technology, communications, financial services, critical manufacturing, chemical, nuclear, water and wastewater, government facilities, commercial facilities, dams, emergency services, and defence industrial base. Within these sectors CISA listed specific job categories such as hospital clinicians, biomedical engineers, utility technicians, chemical plant operators, cloud service providers, data centre personnel, freight rail crews, pipeline controllers, and law enforcement. Subsequent updates expanded the scope to include supply chain workers, essential retail, postal and shipping staff, and more granular roles supporting manufacturing maintenance and field services.

CISA emphasised that the list is advisory and should be adapted to local needs, but it served as a baseline for state executive orders in California, New York, Washington, and numerous other jurisdictions. International partners and industry groups also referenced the guidance when defining essential services and border-crossing exemptions.

Operational implications

Operational guidance

Companies deemed essential had to develop policies for worker identification, safe facility access, and coordination with law enforcement checkpoints. Many issued essential worker letters referencing CISA guidance to ensure employees could travel during curfews. Organisations implemented health screening, personal protective equipment (PPE) protocols, and social distancing measures while maintaining critical operations. For field teams, employers staged mobile hygiene kits, enhanced cleaning at dispatch yards, and developed contactless procedures for deliveries and maintenance work orders.

Supply chain continuity plans required mapping upstream and downstream partners to confirm their essential status. Logistics providers, manufacturers, and IT service firms leveraged the guidance to negotiate with authorities and keep freight corridors open. Cold chain operators in pharmaceuticals, chemical distributors, and telecommunications equipment suppliers were prioritised because delays would have directly affected hospital operations, utilities uptime, and emergency services.

Operational resilience

Organisations cross-trained employees, documented runbooks, and leveraged automation to sustain operations despite reduced on-site staffing. Remote work expansions and increased reliance on cloud services introduced new attack surfaces, requiring heightened cybersecurity vigilance. CISA issued supplemental alerts on ransomware threats to healthcare and critical manufacturing, urging adoption of multi-factor authentication, patch management, and network segmentation. Data centre operators and managed service providers referenced the guidance to ensure access for security staff and vendors while maintaining least privilege and visitor logging.

Regulatory and compliance considerations

Compliance implications

Essential status did not exempt businesses from regulatory obligations. Healthcare entities remained subject to HIPAA, FDA quality system rules, and Joint Commission requirements. Energy companies continued to comply with NERC reliability standards, PHMSA pipeline safety rules, and EPA emergency reporting. Financial institutions had to meet FFIEC guidance on pandemic planning, maintain Bank Secrecy Act and anti-money laundering controls, and keep call centres staffed for consumer protection obligations.

Companies needed to document decisions referencing CISA guidance to support regulatory inquiries or future litigation. Labour and employment law considerations included adherence to OSHA safety standards, wage and hour rules, and accommodation of high-risk employees. Documentation should show how worker designations were determined, how health and safety controls were implemented, and how exceptions were handled for high-risk or quarantined personnel.

Communication and stakeholder management

Effective communication was vital. Organisations developed crisis communication plans, provided regular updates to employees, customers, suppliers, and regulators, and coordinated with industry associations. Public relations teams prepared messaging to explain continued operations and safety measures.

Stakeholder engagement included collaboration with local emergency management agencies, participation in CISA critical infrastructure calls, and coordination with sector-specific agencies like the Department of Energy and the Department of Homeland Security. Many organisations leveraged sector coordinating councils to escalate bottlenecks, request exemptions, and align security protocols across interconnected operators.

Action plan

1. Immediate: Determine whether business units fall under CISA’s essential categories. Issue essential worker letters, coordinate with local authorities, and reinforce health and safety protocols.
2. 30–60 days: Update business continuity and pandemic response plans, incorporating lessons learned from initial lockdowns. Validate supply chain dependencies and ensure vendors have essential designations.
3. 60–90 days: Conduct after-action reviews, update cybersecurity controls, and document compliance evidence. Plan for phased reopening or sustained remote operations.
4. Continuous: Monitor CISA updates, state guidance, and sector-specific advisories. Maintain communication with employees and regulators, adjusting policies as public health conditions evolve.

Aligning operations with CISA’s Essential Critical Infrastructure guidance supports continuity of vital services while protecting public health and complying with regulatory expectations.

Labour relations and human resources

HR teams had to manage workforce concerns related to exposure risks, leave policies, and compensation. Employers leveraged provisions under the Families First Coronavirus Response Act (FFCRA) and later CARES Act to provide paid leave and benefits. Communication plans needed to address employee anxiety, provide mental health resources, and explain safety measures. Unionised workplaces coordinated with labour representatives to adjust schedules, hazard pay, and protective equipment availability.

Companies implemented staggered shifts, temperature checks, and contact tracing protocols in compliance with CDC and OSHA guidance. Policies were updated to accommodate high-risk employees, enabling remote work or alternative assignments where possible. Organisations documented compliance with ADA and EEOC guidelines when handling medical information and accommodations.

Financial and supply chain planning

Finance teams evaluated liquidity, supply chain contracts, and insurance coverage. Businesses worked with suppliers to secure essential materials, renegotiated terms to reflect pandemic disruptions, and monitored trade restrictions. Some sectors, such as pharmaceuticals and medical supplies, coordinated with federal agencies to prioritise shipments and scale production.

Inventory management strategies shifted toward resilience, with companies increasing safety stock, diversifying suppliers, and leveraging digital tools for supply chain visibility. Scenario planning incorporated potential future waves of infection and associated regulatory responses. Critical infrastructure owners also engaged mutual aid agreements within sectors such as electric power and water to share crews, protective equipment, and spares.

Evolution of guidance

CISA released multiple updates to the essential workforce guidance, incorporating feedback from industry and state officials. Version 2.0 (28 March 2020) expanded categories for IT and communications, while later versions addressed financial services, chemical manufacturing, and supply chain workers. Businesses needed processes to track these updates and adjust essential worker designations accordingly, especially when local governments issued variant lists.

The guidance also informed international collaboration, with countries such as Canada and the UK referencing U.S. definitions when coordinating cross-border infrastructure operations. Companies operating globally leveraged the guidance to align policies across jurisdictions while respecting local regulations.

Documentation and audit readiness

Maintaining detailed records of decisions, communications, and safety measures is critical for post-pandemic audits or litigation. Organisations should archive executive orders, CISA guidance versions, risk assessments, and employee notifications. Internal audit functions can review compliance with essential worker policies, verifying that only necessary personnel accessed facilities and that safety protocols were enforced.

These records support claims for government relief programmes, insurance coverage, and legal defences. They also provide lessons learned for future crisis management planning, including how to integrate essential worker designations into broader resilience programmes.

Follow-up: CISA refreshed the Essential Critical Infrastructure Workforce advisory several times through 2021 before retiring the list as pandemic restrictions eased, and the sector criteria now feed into ongoing resilience planning and the 2023 National Cybersecurity Strategy.

Sources

• Version 1.0: Guidance on the Essential Critical Infrastructure Workforce — Cybersecurity and Infrastructure Security Agency; initial advisory defining essential sectors and roles for continuity during COVID-19 restrictions.
• Version 2.0: Guidance on the Essential Critical Infrastructure Workforce — Cybersecurity and Infrastructure Security Agency; expanded essential worker definitions for communications, logistics, and manufacturing supply chains.
• Version 3.0: Guidance on the Essential Critical Infrastructure Workforce — Cybersecurity and Infrastructure Security Agency; added industrial control system support, supply chain security, and recovery planning expectations.
• Advisory Memorandum on Identification of Essential Critical Infrastructure Workers During COVID-19 Response — U.S. Department of Homeland Security; nationwide memo directing jurisdictions to use the CISA list for stay-at-home orders.
• Interim Guidance for Businesses and Employers Responding to Coronavirus Disease 2019 (COVID-19) — Centers for Disease Control and Prevention; health protection measures to accompany essential worker designations.