The federal Cybersecurity and Infrastructure Security Agency (“CISA”) has substantially updated its guidance  on identifying critical infrastructure workers and activities during the Coronavirus outbreak. Earlier versions of the guidance—commonly referred to by version number as “CISA 2.0,” “CISA 3.0,” and “CISA 3.1”—were widely adopted by government officials around the country, often to carve out exceptions to shelter-in-place orders and other public health measures intended to stem the spread of the virus. CISA 4.0 acknowledges this use of prior versions of CISA guidance, but recommends a different approach—one focused on risk management rather than reopening categories—to CISA 4.0.

CISA designed its earlier guidance “to assist officials and organizations identify essential work functions … to allow essential workers access to their workplaces” during Coronavirus shutdowns. However, CISA intends CISA 4.0 to serve as a tool to identify workers who “require specialized risk management strategies to ensure that they can work safely.” Because of this shift in focus—from determining which workers should be permitted to work during the pandemic to identifying workers who require “specialized risk management strategies”—employers of critical infrastructure workers and operators of public-facing essential businesses should pay careful attention to the guidance contained in CISA 4.0.

CISA recommends a four-prong approach to managing the potential risks of continued work for the essential workers identified in CISA 4.0:

1. Creating a risk categorization methodology for worker safety (including consideration of indoor vs. outdoor workplace settings, physical proximity of workers to each other, the type, duration, and number of contact between workers, high risk factors affecting individual employees, whether screening protocols to protect workers and customers from interactions with contagious people are in place, and the frequency of workplace cleaning and sanitation efforts).
2. Identifying those workers that can potentially transition to working from home based on the lessons learned over the past few months from the unprecedented number of teleworkers.
3. Determining the criticality, uniqueness, or specialty of a worker’s role to reduce the need to be at the workplace or working together in close proximity.
4. Determining the allocation of scarce resources for workers, such as personal protective equipment (PPE), other protection, access to medical evaluation, testing and vaccines.

Like its predecessors, CISA 4.0 “is advisory in nature” and is not itself a binding federal standard. However, whether or not an organization complied with available government guidance for preventing exposure to the coronavirus may become relevant in defending against coronavirus exposure claims. Indeed, the first wave of coronavirus exposure lawsuits filed to date includes claims that a defendant employer or business owner’s failure to follow government health guidelines was itself negligent and caused the plaintiff’s coronavirus infection. Relatedly, the current draft of one federal proposal to limit liability for coronavirus exposure—the SAFE TO WORK Act sponsored by Senator John Cornyn of Texas—would require a plaintiff to prove that a defendant “was not making reasonable efforts in light of all the circumstances to comply with the applicable government standards and guidance in effect at the time….”

It remains to be seen whether a critical mass of courts and state and federal legislatures will treat nonbinding guidelines like those set out in CISA 4.0 as one measure of an essential business’s duty of care to its employees and customers. Nevertheless, both employers of essential workers and owners of public-facing essential businesses should consider whether CISA 4.0’s recommended risk mitigation strategies should be incorporated into their own coronavirus response and prevention programs, and should keep a careful eye on legal developments in this area.

CISA 4.0 is also noteworthy because it adds to CISA’s prior lists of workers and activities deemed to be essential to critical infrastructure functions. This is significant because CISA’s essential worker designations have been broadly incorporated by reference into other government standards. For example, Texas Governor Greg Abbott’s Executive Order GA-28, which sets occupancy limits for many Texas businesses and bans most large gatherings in the state, provides that there is “no occupancy limit for … any services” listed in CISA 3.1 or subsequent versions of that guidance (which includes CISA 4.0). As a result, the new categories of critical infrastructure workers set out in CISA 4.0—including many school and other education workers, port and maritime transportation workers, and certain laboratory and home health care workers—now appear to be exempt from GA-28’s caps on the maximum occupancy of certain reopened businesses.