As someone who is involved in compliance in these industries, I would be surprised to see CISA having anything close to the impact you described.
All I see are watered down checklists that can be verified by any human being who is semi-literate and may or may not have any relevance to security best practices. They probably were influenced on some level by CISA guidance if you're talking about .gov or commercial entities, but is nowhere near the level of impact you mentioned.
Do you have any examples of CISA guidelines having a meaningful impact on business operations?
All I see are watered down checklists that can be verified by any human being who is semi-literate and may or may not have any relevance to security best practices. They probably were influenced on some level by CISA guidance if you're talking about .gov or commercial entities, but is nowhere near the level of impact you mentioned.
Do you have any examples of CISA guidelines having a meaningful impact on business operations?