US Critical Infrastructure Firewall Compliance: A Practitioner's Map of CISA, NIST 800-53, and EO 14028
The compliance map for US critical infrastructure firewalls is fragmented across at least four overlapping frameworks. After 17 years building enterprise firewall estates for DAX-30 clients and KRITIS-regulated operators in Europe, I’ve spent the last 18 months mapping how those frameworks translate to US obligations. This post is the practitioner-grade map I wish existed when I started.
US compliance teams face a stack: CISA Cross-Sector Cybersecurity Performance Goals (CPGs), NIST SP 800-53 controls, Executive Order 14028 mandates, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), sector-specific frameworks (CMMC for Defense Industrial Base, NERC CIP for bulk electric, HIPAA for healthcare), plus 26+ state-level breach-notification laws. Each framework frames firewall compliance differently. Most security teams maintain separate evidence packs for each audit, duplicating effort.
It does not have to work that way. Six well-chosen artifacts satisfy roughly 80 percent of all firewall-related controls across these frameworks. The remaining 20 percent is sector-specific. This guide walks through the four frameworks, their firewall touchpoints, and the unified evidence pack that survives multiple audits without rewriting.
1. The CISA CPG Lens
CISA released the Cross-Sector Cybersecurity Performance Goals in October 2022 and refreshed them in March 2023. The CPGs are voluntary, prioritized, and designed to be a baseline that small and mid-size operators can adopt without buying enterprise tooling. Several CPGs touch firewall posture directly.
- 2.J Network Segmentation — the most explicit firewall mandate. Operators must segment IT and OT networks and enforce segmentation with controlled traffic flows. Firewall rules and the change history behind them are the primary evidence.
- 2.E Limit Network Segmentation Risk — segmentation must be tested, not just declared. Pen-test reports and rule-review records become artifacts.
- 1.A Asset Inventory — firewalls themselves are critical assets. The inventory must include vendor, OS version, ownership, and last-review date for each appliance and virtual instance.
- 3.A Logging — logs from firewalls and other security devices must be collected, centralized, and retained. The CPGs do not specify retention duration; sector frameworks do (90 days minimum is common).
- 5.A Incident Response Plan — the IR plan must include rollback procedures for firewall changes that cause outages or expose the network. Tabletop exercises that include firewall scenarios become the audit artifact.
The CPGs are the most accessible entry point for an operator that has not previously been assessed against NIST 800-53. They map cleanly to NIST controls when an auditor demands the deeper layer.
2. The NIST SP 800-53 Lens
NIST SP 800-53 Revision 5 is the federal control catalog and the foundation for FedRAMP, FISMA, and most agency authorizations. Four control families govern firewall change and review.
| Control | Family | Firewall mapping |
|---|---|---|
| AC-4 | Information Flow Enforcement | Allow/deny rules, application-aware policy, NAT |
| SC-7 | Boundary Protection | Perimeter firewalls, DMZ design, egress filtering |
| CM-3 | Configuration Change Control | Change request, approval, test, rollback procedure |
| AU-2 / AU-3 / AU-12 | Audit Logging | Event types logged, content of log records, generation policy |
AC-4 is the control most often misunderstood. Auditors expect the operator to demonstrate that information-flow restrictions are enforced and tested, not merely documented. A firewall rule that exists in the configuration but has been bypassed by a more permissive rule above it does not satisfy AC-4. Shadow-rule detection is the difference between a clean assessment and a finding.
CM-3 is the change-management anchor. Firewall change requests must show the requestor, the business justification, the technical reviewer, the approver, the implementation timestamp, and the rollback plan. Email approvals do not satisfy CM-3 at higher impact levels — the approval workflow itself must be the system of record. This is where most ad-hoc firewall change processes fail.
3. Executive Order 14028 and the Federal Push
Executive Order 14028 (Improving the Nation’s Cybersecurity) was signed in May 2021 and has been the engine driving federal cybersecurity policy ever since. Three sections matter for firewall teams.
- Section 3 — modernization. Federal agencies must adopt zero-trust architecture, multi-factor authentication, and encryption in transit and at rest. Firewalls are the policy enforcement points (PEPs) at network boundaries; ZT does not eliminate firewalls, it reframes them as identity-aware traffic mediators.
- Section 7 — detection, investigation, remediation. Federal endpoint visibility requirements extended to the network layer mean firewall telemetry must feed centralized detection. Static logs in a vendor-specific format are no longer sufficient.
- Section 8 — cyber incident logging. Specifies log retention and content. Operators selling to the federal market or operating critical infrastructure inherit these requirements through contract clauses, even when not directly regulated.
EO 14028 does not directly bind private-sector operators. It binds federal agencies, who in turn write contract clauses that propagate the requirements through the supply chain. The DoD’s CMMC 2.0 program is the most prominent example: any contractor handling Controlled Unclassified Information must demonstrate firewall change-control evidence at Level 2.
4. CIRCIA — What Changed in 2024
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires covered entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours. The proposed rule was published in March 2024 and the final rule is expected in 2026. The reporting obligation is meaningful only if the operator can produce forensic evidence within hours, not weeks.
Firewall logs are typically the first evidence pulled in an incident response. CIRCIA reporting forces operators to confront log retention, log integrity, and log searchability questions they may have deferred. A firewall that rotates logs every 7 days is not a CIRCIA-compatible firewall. A SIEM that ingests firewall events but cannot reconstruct a multi-day timeline is not CIRCIA-compatible either.
The practical implication: 90 days of online firewall logs, 12 months of cold-storage retention, and an indexed search interface that can produce evidence within an hour. These requirements are not new; CIRCIA simply makes them measurable.
5. The Unified Evidence Pack
Six artifacts satisfy roughly 80 percent of firewall-related controls across CISA CPGs, NIST 800-53, EO 14028 derivatives, CIRCIA, CMMC, and most state laws. Build them once, reference them from multiple audit responses.
- Firewall asset inventory — every appliance, virtual instance, and cloud security group with vendor, version, owner, IP, location, and last-review date. Satisfies CPG 1.A, NIST CM-8.
- Change request register — every firewall rule change with requestor, justification, technical reviewer, approver, implementation timestamp, and rollback plan. Linked to ticket IDs. Satisfies NIST CM-3, CMMC CM.L2-3.4.3.
- Rule-review report — quarterly review of every rule with shadow detection, redundancy detection, and permissivity scoring. Satisfies NIST AC-4, CPG 2.J, PCI-DSS 1.2.7.
- Network segmentation diagram — current zone topology, trust boundaries, IT/OT separation evidence, dataflow diagram. Satisfies CPG 2.J, NIST SC-7, NERC CIP-005.
- Logging configuration evidence — per-firewall logging policy, retention duration, integrity controls, SIEM ingestion proof. Satisfies CPG 3.A, NIST AU-2/AU-12, CIRCIA reporting readiness.
- Incident-response runbook with firewall actions — documented procedures for emergency rule changes, rollback steps, and forensic log collection. Satisfies CPG 5.A, NIST IR-4, CIRCIA evidence preservation.
The artifacts must be machine-readable where possible. An auditor who receives a CSV export from the change register, a JSON dataflow diagram, and a SIEM query template will close the assessment in a week. An auditor who receives a 200-page PDF will still be reviewing it three months later.
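The shadow-rule detection that AC-4 assessors look for (section 2) and the quarterly rule-review artifact above are the same check. The following is an added example, not code from this post or from FwChange: a first-match-wins analyzer that flags rules fully covered by an earlier rule as shadowed (different action) or redundant (same action), scores each allow rule's permissivity, and emits JSON findings an auditor can ingest. The rule names, addresses and the 0.5 over-permissive threshold are constructed assumptions.

```python
"""Rule-review analyzer (constructed example): flags shadowed and redundant rules
and scores each allow rule's permissivity, emitting machine-readable findings."""
import json
import math
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    ports: tuple    # inclusive (low, high) destination port range; (0, 65535) = any
    action: str     # "allow" or "deny"

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def permissivity(rule: Rule) -> float:
    """Share of the 96-bit (src, dst, port) space an allow rule opens, on a log2
    scale: 1.0 for any/any/any, 0.0 for one host-to-host-to-port tuple or any deny."""
    if rule.action != "allow":
        return 0.0
    tuples = (ip_network(rule.src).num_addresses * ip_network(rule.dst).num_addresses
              * (rule.ports[1] - rule.ports[0] + 1))
    return round(math.log2(tuples) / 96, 6)

def review(rules: list, threshold: float = 0.5) -> list:
    """First-match-wins: a later rule fully covered by an earlier one is 'shadowed'
    (different action) or 'redundant' (same action). Only pairwise coverage is
    checked; a union of earlier rules shadowing a rule is not detected here.
    `threshold` is an assumed cut-off for flagging over-permissive allow rules."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append({"rule": later.name, "finding": kind, "by": earlier.name})
                break
        score = permissivity(later)
        if score >= threshold:
            findings.append({"rule": later.name, "finding": "over-permissive", "score": score})
    return findings

# Constructed sample rule base in evaluation order (names and addresses are made up).
RULES = [
    Rule("allow-any-to-ot", "0.0.0.0/0", "10.20.0.0/16", (0, 65535), "allow"),
    Rule("deny-guest-to-ot", "192.168.50.0/24", "10.20.5.0/24", (0, 65535), "deny"),
    Rule("allow-mgmt-ssh", "10.1.0.0/24", "10.20.9.10/32", (22, 22), "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), "deny"),
]

if __name__ == "__main__":
    print(json.dumps(review(RULES), indent=2))
```

In the sample, the broad first rule both shadows the IT/OT deny beneath it and makes the management SSH rule redundant, which is exactly the configuration that fails AC-4 despite every intended rule being present.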
6. Cross-Border: EU Operators Selling to US Critical Infra
EU-based operators selling to US critical infrastructure clients face a stacked compliance obligation. The US client typically requires SOC 2 Type II as a contractual baseline. Healthcare clients add HIPAA. Defense clients add CMMC. The operator’s home-jurisdiction obligations — NIS2 Article 21 for EU essential entities, KRITIS for German critical-infrastructure operators, the UK NIS Regulations — do not disappear.
The good news: the unified evidence pack covers most of the overlap. NIS2 Article 21(2)(d) (supply-chain security), KRITIS §8a, and CISA CPG 1.A all expect the same firewall-asset inventory artifact. NIS2 Article 21(2)(g) (cyber hygiene), NIST 800-53 CM-3, and CMMC CM.L2-3.4.3 all expect the same change-control register. An EU operator that builds the pack to NIS2 standard generally satisfies the US contractual requirements with formatting adjustments.
The gap is incident-reporting timelines. NIS2 requires a 24-hour early warning, 72-hour notification, and 1-month final report. CIRCIA requires 72 hours for substantial incidents and 24 hours for ransom payments. An EU operator with US clients should plan for the stricter timeline of each obligation, not the average.
7. A 90-Day Implementation Plan
For a mid-size operator starting from a partial baseline, a 90-day plan to reach a unified evidence pack is realistic.
- Days 1–30: asset inventory, current-state network diagram, gap analysis against CISA CPGs and NIST 800-53. Identify shadow rules and over-permissive policies.
- Days 31–60: implement change-request workflow with mandatory fields, retire shadow and redundant rules, configure centralized logging with verified retention, draft incident-response runbook.
- Days 61–90: tabletop exercise covering firewall change rollback and CIRCIA reporting timeline, internal audit dry-run, evidence-pack export to machine-readable format, gap remediation.
Operators that try to skip the gap analysis or run change-control without enforcing the workflow as the system of record consistently fail subsequent audits. The 90-day plan only works if the discipline persists past the implementation phase. Audit-ready is a posture, not a project.
Bottom Line
US critical infrastructure firewall compliance is fragmented but not unmanageable. The four frameworks — CISA CPGs, NIST 800-53, EO 14028 derivatives, and CIRCIA — share more than 80 percent of their firewall expectations. A unified evidence pack of six artifacts, machine-readable and continuously maintained, replaces the per-audit scramble that defines most operators’ current state.
The pattern is portable. The same evidence pack covers EU NIS2, German KRITIS, UK NIS, and most state-level US obligations with minor formatting adjustments. The hard part is not the regulatory map; it is the operational discipline to keep the artifacts current as the rule base changes daily.
About the Author
Nicholas Falshaw is a Principal Security Architect with 17+ years of enterprise firewall and network security experience across DAX-30 clients, KRITIS-regulated operators, and EU financial services. He authored the FwChange methodology after analyzing 280+ firewall migrations and is currently focused on AI-assisted security tooling for regulated industries.