
The US Production Act Prioritized Grid Infrastructure. Every Asset It Names Needs an OT Cyber Risk Number.

On April 22, 2026, the White House issued a Presidential Determination invoking the Defense Production Act of 1950 for grid infrastructure equipment and supply chain capacity. The Secretary of Energy is directed to use federal purchasing power to rebuild domestic production of transformers, high-voltage circuit breakers, protective relay systems, and power electronics. The explicit finding: America's grid "poses an increasing threat to national defense." Foreign adversaries, the determination states, have already exploited its vulnerabilities.

This is not a framework recommendation or a policy paper. It is a procurement directive with legal force and federal budget behind it.


 

Every federally directed grid asset will be financed, insured, and eventually litigated

The assets the DPA prioritizes move through a standard capital deployment sequence: procurement, project financing, insurance placement, operation, refinancing. That sequence involves at least three parties who will each arrive at the same question — and currently have no data to answer it.

The project lender writing a construction loan against a new transmission substation needs to understand the OT cyber exposure embedded in that collateral. A transformer integrated into a monitored, segmented OT environment carries a different credit risk profile than one that isn't — and the difference is measurable in dollars.

The underwriter placing coverage on a federally-prioritized grid asset needs a loss scenario in financial terms — not a maturity score or a heat map. The current OT cyber-physical insurance market is approximately $200 million against a tail exposure of $329.5 billion (Dragos/Marsh McLennan, 2025). Federal capital flowing into critical grid infrastructure does not close that gap — it expands the pool of assets sitting inside it.

The CFO of an infrastructure fund or asset operator deploying capital into DPA-prioritized infrastructure faces a direct governance question: what is the OT cyber-physical expected annual loss on this asset, and what portion is transferable through insurance? Investment committees are beginning to require evidence-based answers to that question. The evidence does not currently exist for most grid assets.


 

The DPA does not produce OT cyber risk models

The Defense Production Act addresses supply chain and manufacturing capacity — not the cyber risk profile of the assets it brings into existence. A domestically manufactured transformer is not inherently safer from an OT cyber perspective than an imported one. The risk lies in connectivity, control architecture, and monitoring posture — none of which the DPA directive addresses.

Two weeks before the Presidential Determination, CISA's joint advisory AA26-097A confirmed that Iranian APT actors are already exploiting the exact category of control systems used to manage grid infrastructure — Rockwell/Allen-Bradley PLCs, in water, energy, and government environments, with confirmed operational disruption and financial losses.

The assets the DPA prioritizes are already targeted. The capital markets that will finance and insure them do not yet have the OT cyber risk numbers they need.


 

What CRQ produces for grid infrastructure

DeRISK CRQ translates the OT cyber exposure of an industrial facility into financial terms: expected annual loss, value at risk at the 95th and 99th percentile, attack vector decomposition mapped to MITRE ATT&CK for ICS, and the quantified ROI of proposed security investments. Those outputs are usable by credit committees, insurance placements, and investment governance — not as a qualitative adjunct to an existing risk process, but as the financial input those processes require.

The Presidential Determination clarified which assets are nationally critical. CRQ provides the financial risk number those assets still lack.