
CISA Essential Critical Infrastructure Guidance — March 19, 2020

CISA’s initial COVID-19 essential worker list defined the continuity roles Zeph Tech mapped into infrastructure resilience playbooks.

Executive briefing: The Cybersecurity and Infrastructure Security Agency (CISA) issued the first version of its Essential Critical Infrastructure Workforce guidance on 19 March 2020. The document identified industries and job functions deemed essential to maintaining critical infrastructure during COVID-19 stay-at-home orders. State and local governments relied on the guidance to inform public health orders, and businesses used it to justify continued operations, manage workforce access, and coordinate with emergency management authorities.

Execution priorities for continuity leaders

Compliance checkpoints against CISA designations

Document which roles map to the essential worker categories in Versions 1.0 through 3.0 and update travel letters, facility access lists, and HR policies so critical staff can operate under stay-at-home orders. (CISA essential workforce guidance v1.0; CISA essential workforce guidance v3.0)

Reconcile sector-specific protocols—such as energy, communications, and financial services—with state executive orders so compliance teams can prove alignment when regulators audit pandemic decisions. (CISA essential workforce guidance v2.0)

Operational moves for critical services

Prioritise physical security, secure remote access, and supply chain redundancy for designated essential teams, drawing on Version 3.0's emphasis on industrial control system support, logistics resilience, and restoration planning. (CISA essential workforce guidance v3.0)

Align shift rotations, health screenings, and on-site housing contingencies with CISA's advice to sustain telecommunications, IT, and critical manufacturing functions under prolonged disruptions. (CISA essential workforce guidance v1.0; CISA essential workforce guidance v2.0)

Enablement tasks for partners and workforce

Equip suppliers and contractors with documentation proving their essential status so transportation checkpoints, customs agencies, and local authorities recognise authorised personnel and shipments. (CISA essential workforce guidance v2.0)

Communicate clearly with employees about health, safety, and leave policies while sharing CISA's justifications to maintain trust and reduce attrition across essential service teams. (CISA essential workforce guidance v1.0)

Scope and sectors

The guidance covers 16 critical infrastructure sectors, including healthcare, public health, food and agriculture, energy, transportation, information technology, communications, financial services, and critical manufacturing. It lists specific job categories such as hospital workers, utility technicians, chemical plant operators, cloud service providers, data centre personnel, delivery drivers, and law enforcement. Subsequent updates expanded the scope to include supply chain workers, essential retail, and more granular roles.

CISA emphasised that the list is advisory and should be adapted to local needs. However, it served as a baseline for many state executive orders, including those in California, New York, and Washington. International partners and industry groups also referenced the guidance when defining essential services.

Operational implications

Companies deemed essential had to develop policies for worker identification, safe facility access, and coordination with law enforcement checkpoints. Many issued essential worker letters referencing CISA guidance to ensure employees could travel during curfews. Organisations implemented health screening, personal protective equipment (PPE) protocols, and social distancing measures while maintaining critical operations.

Supply chain continuity plans required mapping upstream and downstream partners to confirm their essential status. Logistics providers, manufacturers, and IT service firms leveraged the guidance to negotiate with authorities and keep freight corridors open.

Cybersecurity and resilience

Maintaining critical services required heightened cybersecurity vigilance. Remote work expansions and increased reliance on cloud services introduced new attack surfaces. CISA issued supplemental alerts on ransomware threats to healthcare and critical manufacturing, urging organisations to implement multi-factor authentication, patch management, and network segmentation. Data centre operators and managed service providers referenced the guidance to ensure access for security staff and vendors.

Business continuity teams updated incident response plans to address pandemic-related staffing shortages, supply chain disruptions, and remote operations. Organisations cross-trained employees, documented runbooks, and leveraged automation to sustain operations despite reduced on-site staffing.

Regulatory and compliance considerations

Essential status did not exempt businesses from regulatory obligations. Healthcare entities remained subject to HIPAA, FDA, and Joint Commission requirements. Energy companies continued to comply with NERC reliability standards and pipeline safety rules. Financial institutions had to meet FFIEC guidance on pandemic planning and maintain Bank Secrecy Act compliance.

Companies needed to document decisions referencing CISA guidance to support regulatory inquiries or future litigation. Labour and employment law considerations included adherence to OSHA safety standards, wage and hour rules, and accommodation of high-risk employees.

Communication and stakeholder management

Effective communication was vital. Organisations developed crisis communication plans, provided regular updates to employees, customers, suppliers, and regulators, and coordinated with industry associations. Public relations teams prepared messaging to explain continued operations and safety measures.

Stakeholder engagement included collaboration with local emergency management agencies, participation in CISA critical infrastructure calls, and coordination with sector-specific agencies like the Department of Energy and the Department of Homeland Security.

Action plan

  1. Immediate: Determine whether business units fall under CISA’s essential categories. Issue essential worker letters, coordinate with local authorities, and reinforce health and safety protocols.
  2. 30–60 days: Update business continuity and pandemic response plans, incorporating lessons learned from initial lockdowns. Validate supply chain dependencies and ensure vendors have essential designations.
  3. 60–90 days: Conduct after-action reviews, update cybersecurity controls, and document compliance evidence. Plan for phased reopening or sustained remote operations.
  4. Continuous: Monitor CISA updates, state guidance, and sector-specific advisories. Maintain communication with employees and regulators, and adjust policies as public health conditions evolve.

Aligning operations with CISA’s Essential Critical Infrastructure guidance supports continuity of vital services while protecting public health and complying with regulatory expectations.

Labour relations and human resources

HR teams had to manage workforce concerns related to exposure risks, leave policies, and compensation. Employers leveraged provisions under the Families First Coronavirus Response Act (FFCRA) and, later, the CARES Act to provide paid leave and benefits. Communication plans needed to address employee anxiety, provide mental health resources, and explain safety measures. Unionised workplaces coordinated with labour representatives to adjust schedules, hazard pay, and protective equipment availability.

Companies implemented staggered shifts, temperature checks, and contact tracing protocols in compliance with CDC and OSHA guidance. Policies were updated to accommodate high-risk employees, enabling remote work or alternative assignments where possible. Organisations documented compliance with ADA and EEOC guidelines when handling medical information and accommodations.

Financial and supply chain planning

Finance teams evaluated liquidity, supply chain contracts, and insurance coverage. Businesses worked with suppliers to secure essential materials, renegotiated terms to reflect pandemic disruptions, and monitored trade restrictions. Some sectors, such as pharmaceuticals and medical supplies, coordinated with federal agencies to prioritise shipments and scale production.

Inventory management strategies shifted toward resilience, with companies increasing safety stock, diversifying suppliers, and leveraging digital tools for supply chain visibility. Scenario planning incorporated potential future waves of infection and associated regulatory responses.

Evolution of guidance

CISA released multiple updates to the essential workforce guidance, incorporating feedback from industry and state officials. Version 2.0 (28 March 2020) expanded categories for IT and communications, while later versions addressed financial services, chemical manufacturing, and supply chain workers. Businesses needed processes to track these updates and adjust essential worker designations accordingly.

The guidance also informed international collaboration, with countries such as Canada and the UK referencing U.S. definitions when coordinating cross-border infrastructure operations. Companies operating globally leveraged the guidance to align policies across jurisdictions while respecting local regulations.

Documentation and audit readiness

Maintaining detailed records of decisions, communications, and safety measures is critical for post-pandemic audits or litigation. Organisations should archive executive orders, CISA guidance versions, risk assessments, and employee notifications. Internal audit functions can review compliance with essential worker policies, verifying that only necessary personnel accessed facilities and that safety protocols were enforced.

These records support claims for government relief programmes, insurance coverage, and legal defences. They also provide lessons learned for future crisis management planning.

Follow-up: CISA refreshed the Essential Critical Infrastructure Workforce advisory several times through 2021 before retiring the list as pandemic restrictions eased, and the sector criteria now feed into ongoing resilience planning and the 2023 National Cybersecurity Strategy.
