I. Overview of the Updated CISA Guidance

On April 17, the Cybersecurity and Infrastructure Security Agency (CISA), an agency within the Department of Homeland Security (DHS), issued the third version of its nonbinding COVID-19-specific Essential Critical Infrastructure Workers guidance (CISA 3.0).1 As CISA Director Christopher C. Krebs emphasized in his accompanying cover memorandum, the list is advisory in nature and not a federal directive, and final decisions remain with state and local officials. 

CISA 3.0 incorporates feedback received on workplace "lessons learned" from weeks of business and government operations under state and local shutdown orders, and represents an effort to begin safely reopening the economy. For example, the updated guidance advises essential businesses on appropriate personal protective equipment (PPE), suggests revisions to sick leave policies to ensure that employees who are ill do not come to work, recommends development of policies to reintegrate employees who have recovered from or have been exposed to COVID-19, and provides practical guidance on logistics for operations. In addition, CISA 3.0 contains many industry-specific clarifications and additions regarding a "range of positions" necessary to support essential functions—changes that collectively represent a substantial expansion in the number of workers that the federal government deems should be permitted to work on-site. Notably, even with this new attention to safe reopening and an expanded number of essential workers, the new guidance continues to emphasize remote work and delays in all non-mandatory on-site operations where possible.

Despite its advisory nature, CISA's guidance has significantly influenced state and local work-from-home and shelter-in-place orders. More than 30 states have expressly referred to or otherwise incorporated a prior version of the guidance into their orders to define essential categories of businesses, workers and/or services. Thus, we expect many states to update their existing orders and guidance to reflect CISA 3.0. 

This client alert contains a high-level summary of the changes CISA made to its previous guidance and updates our prior alert issued on March 30. We have included as an exhibit to this alert a chart comparing CISA 3.0 with CISA 2.0, released on March 28.

II. Revised Considerations for Government and Businesses

In the three weeks since CISA 2.0 was issued, the federal, state and local government response has continued to evolve to combat the spread of COVID-19. In response to these trends, and feedback received from state and local government and business, CISA 3.0 includes a number of new, overarching recommendations that reflect the developing situation.

Apply the guidance to contractors as well as employees. The updated guidance states at the outset that the term "workers" encompasses both employees and contractors. The prior guidance generally used the term "employees," which created some uncertainty regarding its applicability to contractors for essential businesses. 

Maintain compliance with OSHA requirements. The guidance emphasizes that employers must comply with applicable OSHA requirements to protect critical infrastructure workers who remain on—or return to—the job during the pandemic. 

Use masks, but appropriately for your business. When CISA 2.0 was issued, federal and state authorities generally advised against wearing masks in public. That has now changed. The Centers for Disease Control and Prevention (CDC) on April 3 recommended that people wear cloth face coverings in public. CISA 3.0 acknowledges this change while continuing to recognize the need for flexibility, stating that "critical infrastructure employers must consider how best to implement this public health recommendation." Many states have adopted a similar advisory approach, while others now require employers to provide masks to on-site essential workers, such as those operating in confined spaces or interacting with the public. And some states have now made masks mandatory at grocery stores and similar essential retail locations, for employees and customers alike.

Revisit sick leave policies. The guidance encourages companies to "consider the impact of workplace sick leave policies that may contribute to an employee decision to delay reporting medical symptoms." In other words, companies should ensure that their sick leave policies do not encourage or incentivize—even if unintentionally—sick workers to remain on the job rather than isolating at home.

Properly reintegrate formerly sick or exposed workers. As remote working restrictions ease, companies will need to reintegrate workers who have been exposed to the virus but remain asymptomatic, as well as those who have recovered from the disease itself. Referring to CDC guidance on safety practices for critical infrastructure workers, CISA 3.0 says employers are obligated "to limit to the extent possible the reintegration" of asymptomatic workers who have been exposed to COVID-19 "in ways that best protect the health of the worker, their co-workers, and the general public." For example, employers could reassign tasks to "other equally skilled and available in-person workers" who have not been exposed. 

Treat information technology (IT) and operational technology (OT) workers as essential. Noting that the "vast majority of our economy relies on technology," the new guidance expressly designates as essential all IT and OT workers for critical infrastructure operations, including "workers focusing on management systems, control systems, and Supervisory Control and Data Acquisition (SCADA) systems, and data centers; cybersecurity engineering; and cybersecurity risk management."

Ensure site access for essential workers. The guidance points out that essential critical infrastructure workers need "continued and unimpeded" access to sites, facilities, and equipment within quarantine zones, containment areas and similar restricted areas. CISA therefore recommends that such workers be exempted from curfews, shelter-in-place orders and similar restrictions on movement.

Harmonize state and local guidance. Both state and local governments in certain jurisdictions have issued overlapping—and occasionally conflicting—orders, creating a complex regulatory environment for employers to navigate.2 The guidance encourages local governments, whenever possible, to adopt their state's specific guidance on essential workers "to reduce potential complications" when workers cross jurisdictional boundaries. Short of that, local governments are encouraged to align their movement restrictions with those of neighboring jurisdictions, again to "reduce the burden of cross-jurisdictional movement" of critical workers. (The guidance remains silent, however, about how the movement of essential workers across state lines should be resolved.)

III. Industry-Specific Changes

CISA 3.0 also recognizes changing industry-specific needs for pandemic response. The new guidance frequently clarifies that workers in businesses supporting "essential functions," for example, workers in the supply chain for manufacturing, along with maintenance operations, are also deemed essential workers. Moreover, a strong theme in CISA 3.0—echoing CISA 2.0—is the broadening definition of essential workers in the energy and healthcare sectors, underscoring CISA's view of the significance of those sectors.

Services and businesses that support essential critical infrastructure. CISA 3.0 continues to emphasize that services and businesses that support essential services should remain open, continuing a trend that began in the prior version.

Healthcare/public health. The guidance expands the healthcare and public health sector to include workers in supportive or ancillary industries, such as vendors and suppliers (e.g., imaging, pharmacy, oxygen services and durable medical equipment). The guidance recognizes that some companies "have shifted production to medical supplies" and specifically includes workers at those new medical supply manufacturers. Further, the guidance includes new examples of covered public health and environmental health workers, including "workers specializing in environmental health that focus on implementing environmental controls, sanitary and infection control interventions, healthcare facility safety and emergency preparedness planning, engineered work practices, and developing guidance and protocols for appropriate PPE to prevent COVID-19 disease transmission." The environmental health workers addition is of particular note, as the federal Environmental Protection Agency (EPA) has recently issued policies authorizing waiver of environmental enforcement for certain instances of environmental noncompliance.3  

Energy. The guidance adds several categories of essential energy sector workers. For example, CISA 3.0 adds workers who are needed to "construct, manufacture, repair, transport, and permit" energy infrastructure—now expressly including pipelines—as well as workers needed to maintain the safety of the energy system and those involved in logistics in the energy sector. The guidance also adds as essential those workers providing services related to energy sector fuels, including "all workers" in the petroleum and natural gas industries, as well as workers supporting natural resources industries, such as mining. A subcategory of the energy sector is the electricity industry, and the guidance broadly designates all employees in the electricity industry as essential, and specifically highlights workers who maintain utility telecommunications.

Transportation and logistics. The guidance adds as essential workers those critical to "the manufacturing, distribution, sales, ... repair, and maintenance of vehicles and other transportation equipment (including electric vehicle charging stations) and the supply chains that enable these operations to facilitate continuity of travel-related operations for essential workers." The prior version of the guidance included only "rental" and "leasing" of such vehicles and equipment. The guidance also expands the maritime transportation workers category, lists additional types of covered manufacturers and distributors (including a catchall for those who support "other infrastructure needs"), and specifically defines as essential workers those who supply equipment and materials for maintenance of transportation equipment. 

Public works and infrastructure support services. The guidance deems as essential workers those who support "the construction, maintenance, or rehabilitation of critical infrastructure," as well as workers "supporting construction materials production, testing laboratories, material delivery services, and construction inspection." The guidance thus applies broadly to construction workers in the public works and infrastructure sector, which is not aligned with some state and local orders, such as those in New York, Boston and San Francisco, restricting all but "essential" construction, such as construction of hospitals or shelters. 

Communications and information technology. The guidance specifies that essential workers responsible for infrastructure construction and restoration includes those involved in "permitting" activities, and clarifies that addressing customer needs is among the essential functions of retail customer service personnel at critical service center locations.

Other community- or government-based operations and essential functions. CISA 3.0 clarifies that employees and contractors who support radio, print, internet, and television news and media services are essential workers, even if not directly covered in the communications and information technology sector. The guidance also adds as essential workers those who support permitting for essential critical infrastructure workers and their operations and workers at testing centers for emergency medical services and other healthcare workers. 

Commercial facilities. The guidance broadly adds workers who "accept, store, and process goods, and that facilitate their transportation and delivery" to the list of essential workers in the e-commerce industry. The guidance also adds workers supporting the operations of commercial buildings that are critical to safety, security and the continuance of essential activities, such as on-site property managers, building engineers, security staff, fire safety directors, janitorial personnel, and service technicians such as mechanical and HVAC technicians, plumbers, electricians, and elevator technicians. In addition, CISA 3.0 now defines as essential management and staff at hotels and other temporary lodging facilities that provide COVID-19 mitigation, containment and treatment measures or provide accommodations for essential workers.

Critical manufacturing. The guidance expands essential workers in this sector to include those necessary for manufacturing metals for the aerospace industry, and those manufacturing or providing parts and equipment that enable the maintenance and continued operation of essential businesses and facilities.

Financial services. CISA 3.0 adds public accounting and lockbox banking to the categories of financial services deemed essential.  

For the complete set of changes in CISA 3.0, please refer to the attached chart comparing CISA 3.0 with CISA 2.0. 

IV. Conclusion 

CISA 3.0 reflects lessons learned in the past month of pandemic response, and a shift to the next phase of that response. Many states have incorporated or referred to prior versions of the CISA guidance in their existing orders and guidance, and they are likely to do so as well with CISA 3.0. However, because the CISA guidance is itself nonbinding, it is important that businesses remain alert to varying or even divergent state and local orders. To that end, WilmerHale is closely monitoring developments at the state and local levels throughout the country. If you have any questions, or require assistance interpreting the CISA guidance or any applicable state and local orders, please feel free to reach out to this alert's authors or any lawyer at WilmerHale. 

Footnotes

1. CISA was established by the Cybersecurity and Infrastructure Security Agency Act of 2018 to protect the nation's critical infrastructure from physical and cyber threats.

2. On April 15, WilmerHale issued a client alert discussing the issues presented by state work-from-home and shelter-in-place orders, including the interaction between state and local orders.

3.On April 1 and April 16, WilmerHale issued client alerts discussing these EPA policies. 

Article originally published on 20 April 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.