David Mussington

I. Introduction

Securing and sustaining the resilience of U.S. critical infrastructure depends on more than federal policy; it relies on layered risk management—across national frameworks, sector organizations, local jurisdictions, and individual assets. The Cybersecurity and Infrastructure Security Agency (CISA) and sixteen Sector Risk Management Agencies (SRMAs) historically provided coordination and strategy for cross-sector risk, but ongoing resource constraints have left operational capacity uneven and increasingly insufficient. This growing gap means that managed service providers (MSPs) and cloud service providers (CSPs) must now play a frontline role, not only in general cyber defense but in safeguarding the security and resilience of specific assets, localities, and sectors.

As adversary cyber-attack methods change, U.S. defenses confront a more challenging opponent. It is no longer enough for risk management to be the preserve of federal leadership; practical defense and recovery begin at the asset and local level and must be reinforced by effective sectoral and cross-sectoral partnerships. The security of vital systems depends on a smooth and transparent system of shared information and consistent prioritization of vulnerabilities. This paper argues that resilience depends on the efficacy of public authorities’ oversight of a complex network of public and private sector critical infrastructure owners and stakeholders.

II. Background on the Evolved Framework for Infrastructure Risk

The traditional model placed CISA and SRMAs at the center, responsible for policy, broad situational awareness, and coordination of sector resilience efforts. Sector-specific regulations or frameworks were meant to guide local asset owners—whether power plant operators, water authorities, or hospital systems—in investing in defense and recovery planning.

Yet the technical—and increasingly, operational—capacity to monitor, respond, and remediate threats is rarely housed in federal or even state agencies. Instead, the practical burden has shifted outward. For key assets, MSPs and CSPs manage systems, patch vulnerabilities, and handle incident response. For specific localities and key sectors, NGOs such as ISACs and ISAOs share threat intelligence and orchestrate community-based response. Federal agencies provide higher-level coordination, advisories, and standards, but are less directly involved in day-to-day protection unless a major national event unfolds.

Other federal actors like the Department of Defense (DoD) or law enforcement agencies play specialized, often after-the-fact roles—handling military networks or pursuing attribution. In practice, critical infrastructure security and resilience hinge on the combined capabilities of local operators, their chosen MSPs, CSPs, and sector- or community-level response organizations, all operating under a federal framework.

III. Reductions in Public Sector Capacity and Localized Impact

Persistent resource shortfalls at CISA and SRMAs have made federal agencies less able to support technical risk management at the operational edge. While they set standards and advise during large-scale incidents, they now seldom provide rapid hands-on detection or real-time response at the asset level.

In state and local jurisdictions, agencies frequently lack the resources or expertise to operate capable cybersecurity programs. SRMAs may issue policy recommendations or convene sector partners, but effective resilience depends on the presence and performance of the MSPs/CSPs retained by each operator. Local asset owners—if left unsupported—may not discover vulnerabilities or respond to incidents until adversaries have already acted.

In landmark incidents such as SolarWinds and Colonial Pipeline, federal agencies coordinated response and issued guidance, but practical recovery for affected assets and localities relied on rapid action (or lack thereof) by third-party service providers and the owners themselves.

IV. MSPs and CSPs: First Responders Across Assets, Sectors, and Localities

With shrinking public agency resources, MSPs and CSPs now form the operational backbone of asset, locality, and sector cyber defense. For the critical infrastructures at risk, private sector risk managers operate and maintain key systems, even when these systems are behind on patches or essential maintenance. The security of critical infrastructures and key resources is, as a result, continually at risk.

At the sectoral scale, leading CSPs offer customer-wide visibility across regions and industries, enabling pattern recognition and warning at speeds unmatched by government. Locally, MSPs maintain direct access to systems in schools, city governments, and utilities, and can patch, isolate, or restore compromised assets without waiting for a federal surge.

This model has real advantages but introduces new risks:

  • Relying too heavily on a handful of large CSPs or MSPs can expose entire sectors or communities if these providers are compromised.
  • Asset-level disparities emerge: facilities with modern services and vigilant maintenance fare well, while those with budget constraints or unsupported vendors may accumulate unmitigated risk.
  • Situational awareness on risk may become fragmented: CISA, SRMAs, and sector NGOs rely on voluntary sharing from asset operators and their MSPs, reducing the government’s real-time situational awareness about national and cross-sector vulnerabilities.

V. Risk Management Implications for Local, Sectoral, and National Resilience

The evolving risk setting creates several significant challenges:

  • Fragmented Resilience: Some assets and localities have high-caliber MSP/CSP support, while others—by choice or constraint—do not, leaving a patchwork of defenses both within and across sectors.
  • Supply Chain and Cross-Sector Stress: Single vulnerabilities, such as flaws in a widely used software or CSP service, can traverse from one asset to many, rippling across entire sectors or geographies.
  • Unclear Accountability: Incident reporting and recovery rely on contractual, not regulatory, relationships at the asset and local level.
  • NGO Coordination May Prove Inadequate: ISACs and ISAOs must bridge information divides, amplify sector/asset lessons, and ensure east-west communication, as federal guidance and local needs rarely align without translation.
  • Federal Oversight Gap: CISA and SRMAs sometimes learn of asset-level breaches from news reports or delayed sector notifications, which undermines collective risk posture.

VI. Rethinking Partnerships and Enabling Local Resilience

To better manage risk at the asset, locality, and sector levels, CISA and SRMAs must provide legal and policy frameworks, funding incentives, and technical guidelines that empower local asset owners to contract high-quality MSP/CSP services—and set minimum expectations for those vendors:

  • Mandatory protocols for incident response and technical risk identification should be instituted for critical infrastructures. Owner-operators should be held accountable for coordinating with authorities whenever worsening risk conditions require it.
  • ISACs and ISAOs must be better resourced and perhaps authorized to act as trusted intermediaries—generating, and selectively disseminating threat information to localities, sectors, providers, and public agencies.
  • CISA must promulgate clear “hand-off” protocols and coordinated response procedures to ensure that local incident detection is rapidly communicated to sector partners and to federal (CISA or SRMA) authorities when necessary.

VII. Case Study: Log4Shell—Asset-Level Response Meets National Challenge

The December 2021 Log4Shell vulnerability highlighted the realities of defense and risk management in this ecosystem. The Apache Log4j vulnerability threatened widely divergent infrastructures, from electric grids to hospitals and wastewater systems. Attackers weaponized the vulnerability rapidly, creating problems for poorly equipped jurisdictions.

Federal agencies moved fast to issue advisories, with CISA and SRMAs broadcasting alerts. Yet containment and patching happened mainly through CSPs and MSPs: providers flagged exposures, deployed virtual patches, and escalated asset-level vulnerabilities up to sector ISACs and ISAOs. Well-resourced utilities and hospitals, already partnered with top-tier MSPs and plugged into their sector’s ISAC, identified and remediated Log4Shell exposures in hours. Rural water authorities and small schools—many operating with minimal support—struggled, leaving critical services exposed for days or weeks.

NGOs played a vital role: ISACs interpreted national advisories, contextualized threat data for frontline staff, and connected isolated assets with advice and surge resources. In some cases, ISACs helped assemble technical “strike teams” from sector peers to backstop local operators who lacked MSP support. Still, uneven risk management at the asset level meant that resilience varied widely—not due to intent, but capacity and accessibility of response resources.

Log4Shell underscored not just the technical speed [and potential scope] of modern threats, but the importance of robust local and sectoral partnerships, timely intelligence flows, and federal coordination that reaches beyond advisories to real operational impact.

VIII. Conclusion

The security and resilience of U.S. critical infrastructure—whether a single water utility, a city government, or a sector-wide network—now depends on the effective integration of risk management at each of the following levels: asset, locality, sector, and nation. As MSPs and CSPs become more operationally central and responsive NGOs grow more important, federal policy and governance must keep pace by providing both frameworks and incentives to empower local infrastructure defense, raise sector-wide standards, and foster enhanced information sharing. Progress toward better integrated critical infrastructure security and resilience performance can only be achieved through improved technical quality at the asset level, more material support for asset owners and critical infrastructures, and federal orchestration of national incident response. Federal efforts should seek to shape and support this multi-layered ecosystem of service providers and risk managers, reinforcing vulnerability management and risk identification, and ensuring that connections between decision makers enable decisions that are both timely and contextually informed.