Critical Infrastructure: Emerging Trends and Policy Considerations for Congress

Critical infrastructure refers to the machinery, facilities, and information systems that enable critical functions of governance, public health, and the economy. Risks to infrastructure include terrorism, organized crime, cyberattacks, and hostile action by foreign governments, as well as natural hazards, accidents, and aging or obsolescence of infrastructure. Much of this infrastructure is privately owned, but risks to critical assets are often a shared public concern. In recent decades, critical infrastructure stakeholders in government and the private sector have developed the national critical infrastructure security and resilience (CISR) enterprise to manage risk to critical infrastructure systems and assets and to ensure continuity of critical functions at a broader societal level—both during steady-state situations and during contingencies that stress critical infrastructure systems beyond normal operating limits. Successive Administrations and Congresses have acted to expand federal agencies’ roles and responsibilities in the public-private partnerships that define the CISR enterprise. Four areas of enduring concern are defining and identifying critical infrastructure, understanding and assessing critical infrastructure risk, organizing federal resources to address critical infrastructure, and encouraging public-private partnerships. The Critical Infrastructures Protection Act of 2001 (CIPA; P.L. 107-56, §1016) defined critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This definition focused on identification and protection of critical systems and assets. Early federally led efforts to comprehensively survey critical systems and assets on the basis of this definition often lacked methodological rigor and provided inconsistent results. Subsequent reforms and legislation directed agencies to make methodological changes and establish the National Asset Database, which is populated primarily via state government nominations. Perceived limitations of asset-centric approaches to protecting critical infrastructure led to a broader shift within the CISR enterprise toward function-centric approaches that prioritized increasing resilience of complex interdependent systems as a whole. Function-centric approaches seek to make any single component or asset of these systems less critical. Such approaches have emphasized assessment of interdependencies between major infrastructure systems, development of consensus resilience standards within relevant industries, creation of contingency plans and training, and incorporation of redundancies into system design. In practice, federal CISR policies, programs, and activities combine elements of both asset-centric and function-centric approaches to risk management. The Cybersecurity and Infrastructure Security Agency (CISA), established by Congress in 2018 as part of the Department of Homeland Security (DHS), is the designated National Coordinator for CISR programs and activities. It oversees public-private partnerships across 16 designated critical infrastructure sectors in coordination with other federal agencies. These partnerships have been structured by coordinating bodies that have facilitated confidential discussions and information sharing on critical infrastructure issues between public and private-sector stakeholders. They also include operational components such as Information Sharing and Analysis Centers that collect and share information on risk and no-cost cybersecurity and physical security services provided by CISA. Observers have offered mixed assessments of the effectiveness of these partnerships. In some cases, government partnership initiatives have drawn little interest, while in other cases, they appear to have contributed to the growth of vibrant communities of interest. In 2025, the Trump Administration eliminated the previous legal framework for confidential public-private coordination on infrastructure issues and submitted budget proposals that would curtail the scale and scope of existing partnerships. However, media reports indicate that a new framework with unspecified reforms is in active consideration as of early 2026. If it chooses to act, Congress may reinforce—and perhaps reform—the previously established system of public-private partnerships. Alternatively, it may legislatively ratify the Administration’s proposal to move toward a more localized risk management framework and transfer core CISR governance functions to the states. Should Congress choose the former, it may consider legislation to reestablish a legal framework for public-private partnerships, to include provisions for confidential discussions and sharing of sensitive infrastructure information. Should it choose the latter, it may consider supporting state and local efforts to take increased responsibility for ensuring resilience of critical infrastructure functions in their jurisdictions. If fully enacted, these policies would likely give rise to a diverse set of more localized CISR risk management enterprises in place of the national-scale system.