Under subsection (p) of Section 2209 of the Homeland Security Act, as amended (6 U.S.C. § 659(p)), CISA has the authority to issue administrative subpoenas for the production of information necessary to identify and notify an entity at risk. This authority applies when CISA identifies a system connected to the internet with a specific security vulnerability and has reason to believe the security vulnerability relates to critical infrastructure and affects a covered device or system, but is unable to identify the entity at risk.

The Intercept | Truth Cops, 31 Oct
ppl are US American critical infrastructure, too!

reference
CISA Cybersecurity Advisory Committee, meeting minutes 12.05.22
Protecting Critical Infrastructure from "the MDM space" (merits duplication in Crisis as Discipline, NPI Systems Design 2022 > public service media operators)