CISA issues Essential Critical Infrastructure Workforce guidance v1.0

On 19 March 2020, CISA issued Version 1.0 of its Essential Critical Infrastructure Workforce guidance to support state and local COVID-19 shelter-in-place decisions and help operators identify personnel who should retain facility and travel access.

Key changes

• Provided an initial, non-binding list of essential workers across 16 critical infrastructure sectors, including health care, IT, communications, transportation, food, energy, and financial services.
• Encouraged jurisdictions to use the list to inform access letters, travel permits, and facility credentialing during stay-at-home orders.
• Set expectations for periodic updates as sectors clarified operational needs during the pandemic.

Why it matters

• Organizations needed clear, nationally recognized criteria to keep critical staff on-site without conflicting with local restrictions.
• Supply chain partners, service providers, and logistics teams relied on the list to justify travel and delivery continuity.
• Gave security and HR teams a federal template for essential worker letters and badge provisioning.

Action items for operators

• Identify roles mapped to CISA’s essential worker categories and maintain documentation supporting on-site access and travel exceptions.
• Coordinate with legal and HR to issue access letters or credentials aligned with local orders and the CISA guidance.
• Review contractor and supplier access needs to ensure critical third parties are covered by equivalent essential worker designations.

Sector-Specific Designations

The guidance identifies essential workers across 16 critical infrastructure sectors with varying specificity. Healthcare and public health includes not only clinical staff but also supply chain workers, medical device technicians, and pharmaceutical manufacturing personnel. If you are affected, map job functions rather than titles to the guidance categories.

Information technology and communications includes data center operators, network engineers, security operations personnel, and managed service providers supporting other critical sectors. This broad scope recognizes interdependencies where IT outages cascade across multiple critical functions.

Financial services essential workers include those maintaining payment systems, ATM networks, and core banking infrastructure. Regulatory examination staff and third-party auditors with access to financial institution systems may also qualify under certain conditions.

Energy sector designations cover generation, transmission, and distribution workers for electricity, oil, and natural gas. Control room operators, field technicians, and cybersecurity personnel monitoring industrial control systems receive priority access consideration.

Documentation Requirements

Essential worker documentation should include clear identification of the employee, their essential function category per CISA guidance, and the organization's role in critical infrastructure. Include effective dates, supervisor contact information, and any required local jurisdiction references.

Maintain records of essential worker designations for potential audit or legal review. Document the decision-making process, criteria applied, and any appeals or exceptions granted. This documentation supports defense against claims of improper designation or discrimination.

Update documentation as roles change or pandemic conditions evolve. Periodic versions of the guidance may expand or narrow categories, requiring credential updates. Establish processes for rapid reissuance when guidance changes affect employee eligibility.

Ongoing Updates and Evolution

CISA committed to periodic guidance updates as pandemic conditions evolved and sectors clarified operational needs. If you are affected, monitor for revised versions and adjust credentials as needed. Subscribe to CISA alerts and participate in sector-specific information sharing organizations for advance notice of changes.

The essential worker framework influenced subsequent pandemic preparedness planning beyond COVID-19. If you are affected, retain documentation processes and credential templates for future emergency activation. Lessons learned from this setup improve readiness for future scenarios requiring workforce continuity prioritization.

More on this topic

Further reading from our research library.

Governance · Credibility 86/100 · March 16, 2020

White House issues "15 Days to Slow the Spread" COVID-19 guidance

Remember '15 Days to Slow the Spread'? This is the March 16, 2020 guidance that kicked off remote work for millions. The White House and CDC told everyone to stay home, limit gatherings, and work remotely. Many companies…

Governance · Credibility 73/100 · March 6, 2020

CISA issues COVID-19 risk management insights for organizations

CISA’s COVID-19 Insights (6 March 2020) urges organizations to stress-test remote work, protect critical functions, and formalize contingency roles; adding control mappings and setup steps strengthens operational…

Governance · Credibility 86/100 · January 31, 2020

HHS declares COVID-19 a U.S. public health emergency

HHS Secretary Azar declared a public health emergency for COVID-19 in the U.S. on January 31, 2020. This unlocks emergency funding and waivers—including some HIPAA flexibility for telehealth—but at this point, U.S. cases…

Governance · Credibility 86/100 · March 26, 2020

DHS extends REAL ID enforcement deadline to October 2021

REAL ID got pushed back again—DHS moved the enforcement deadline from October 2020 to October 2021 because of COVID. States and travelers got another year to get compliant IDs sorted out.

Governance · Credibility 91/100 · March 11, 2020

WHO declares COVID-19 a pandemic

It is official: COVID-19 is a pandemic. WHO made the declaration on March 11, 2020. At this point, cases were exploding globally and governments were scrambling to implement lockdowns.

Continue in the Governance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Board Oversight Governance Blueprint

  Unify Basel Committee, PRA, SEC, and ISSB oversight mandates into an auditable board governance operating model with data lineage, assurance cadences, and regulatory source packs.

• Third-Party Governance Control Blueprint

  Deliver OCC, Federal Reserve, PRA, EBA, DORA, MAS, and OSFI third-party governance requirements through board reporting, lifecycle controls, and resilience evidence.

• Public-Sector Governance Alignment Playbook

  Align OMB Circular A-123, GAO Green Book, OMB M-24-10 AI guidance, EU public sector directives, and UK Orange Book with digital accountability, risk management, and service…

Coverage intelligence

Published

March 19, 2020

Coverage pillar

Governance

Source credibility

87/100 — high confidence

Topics

COVID-19 · Continuity planning · Critical infrastructure

Sources cited

3 sources (cisa.gov, iso.org)

Reading time

6 min

Source material

1. Guidance on the Essential Critical Infrastructure Workforce: Ensuring Community and National Resilience in COVID-19 Response (Version 1.0) — Cybersecurity and Infrastructure Security Agency
2. CISA Alerts Archive — CISA
3. ISO 37000:2021 — Governance of Organizations — International Organization for Standardization