CISA reevaluating its critical infrastructure public-private partnership

Earlier this month, Secretary of the Department of Homeland Security (DHS) Kristi Noem announced plans to disband the Critical Infrastructure Partnership Advisory Council (CIPAC). 

First created in 2006, CIPAC is a public/private partnership that coordinates government and private sector efforts around critical infrastructure security by facilitating information sharing on security risks and mitigations. CIPAC consists of Government Coordinating Councils (GCCs), composed of federal, state, and local government entities that assume critical infrastructure duties, and Sector Coordinating Councils (SCCs), self-governing bodies made up of private entities in critical infrastructure sectors. In addition to CIPAC, Noem’s order also calls for the termination of several other Federal Advisory Committees such as the Artificial Intelligence Safety and Security Board, the Cyber Investigations Advisory Board, and the Data Privacy and Integrity Advisory Committee. 

CISA is in talks with critical infrastructure entities to chart a path forward for CIPAC in the wake of this announcement. On a call with CIPAC members on March 14, CISA outlined its plan to “get the same authorities through some other name” to continue cross-sector collaboration without the use of official advisory committees or councils, per DHS’s deregulatory objectives. CISA also has reaffirmed in public statements that the termination of CIPAC will not halt the ongoing work of SCCs, framing the order as an “opportunity to review ways to improve information sharing and collaboration between the [United States government] and critical infrastructure owners and operators for better efficiency and effectiveness.” 

Several lawmakers have expressed concern about the elimination of CIPAC, advocating for the maintenance of critical infrastructure information sharing between government and the private sector. Chairman of the House Homeland Security cyber subcommittee, Andrew Garbino (R-NY), stated that “we don’t want industry not sharing information with each other because when that happens, it just increases the vulnerabilities that are out there.” Further, there has been disagreement in Congress over how to address CIPAC, with some calling for the reauthorization of the Cybersecurity and Information Sharing Act (CISA 2025) to include explicit authority for CIPAC, while others call for a revival of CIPAC in advance of the reauthorization legislation. 

It remains to be seen what CIPAC’s fate ultimately ends up looking like. Regardless, it appears that work is underway to maintain some form of industry-government partnership focused on addressing critical infrastructure security risks, and that the information sharing promoted by CIPAC is unlikely to go away entirely. 

Authored by Nathan Salminen and Ryan Campbell.