
CISA Overhauls Federal Cyber Risk Model With New Directive


CISA’s new directive requires federal agencies to prioritize vulnerabilities based on risk, accelerating remediation of critical threats.

CISA Acting Director Nick Andersen speaks at the Defense Critical Infrastructure Summit at Fort Bragg, North Carolina, on May 14, 2026. Photo Credit: Army photo by Cpl. Darius Smith

CISA this week directed federal agencies to prioritize vulnerability remediation based on exploitation risk rather than treating all vulnerabilities equally, marking a significant shift in how civilian agencies manage cyber risk.

“[The] directive is going to change some of our approach to thinking about management of risk and management of vulnerabilities for us,” acting CISA Director Nick Andersen said Tuesday at an Axonius event.

The directive establishes a risk-based prioritization framework that weighs four factors: whether an asset is internet-accessible, whether the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, whether exploitation can be automated and the level of control an attacker would gain after compromise.

It also mandates continuous monitoring of exploited vulnerabilities, automated reporting through the Continuous Diagnostics and Mitigation program, expanded asset inventory requirements and risk-based remediation timelines that can require agencies to address the highest-risk vulnerabilities within days rather than months.

“This approach focuses patching efforts on the areas of highest risk rather than treating all vulnerabilities and systems equally,” the directive reads.
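As an added illustration, not CISA's own scoring or anything the directive publishes, the Python below shows one way an agency could fold the four factors named above (internet exposure, KEV listing, automatable exploitation, post-compromise control) into a triage order and attach a remediation window to each tier, while also producing the internet-reachable asset list the directive asks agencies to report. The weights, thresholds, tier windows, asset names and `CVE-EXAMPLE-*` identifiers are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Rank of the control an attacker gains after compromise (assumed scale).
CONTROL_RANK: Dict[str, int] = {"full": 3, "partial": 2, "limited": 1}

# Illustrative remediation windows in days per tier. These are assumptions for
# the example; the directive's own timelines are not reproduced on the page.
TIER_DEADLINE_DAYS: Dict[int, int] = {1: 3, 2: 14, 3: 45, 4: 90}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                  # placeholder identifiers in the sample data
    internet_accessible: bool
    automatable: bool         # exploitation can be automated
    control: str              # "full", "partial" or "limited"


def risk_score(f: Finding, kev: Set[str]) -> int:
    """Fold the four factors named in the directive into one comparable score.

    Weights are an assumption; they are ordered so that a KEV listing outweighs
    any single other factor and exposure outweighs automation.
    """
    score = 8 if f.cve in kev else 0
    score += 4 if f.internet_accessible else 0
    score += 2 if f.automatable else 0
    score += CONTROL_RANK.get(f.control, 0)
    return score


def tier_for(score: int) -> int:
    """Map a score to a remediation tier (assumed thresholds)."""
    if score >= 14:
        return 1
    if score >= 10:
        return 2
    if score >= 6:
        return 3
    return 4


def prioritize(findings: List[Finding], kev: Set[str]) -> List[Tuple[str, str, int, int, int]]:
    """Return (asset, cve, score, tier, deadline_days) rows, highest risk first."""
    rows = []
    for f in findings:
        s = risk_score(f, kev)
        t = tier_for(s)
        rows.append((f.asset, f.cve, s, t, TIER_DEADLINE_DAYS[t]))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


def due_date(start_iso: str, tier: int) -> str:
    """ISO date by which a finding of the given tier must be remediated."""
    start = date.fromisoformat(start_iso)
    return (start + timedelta(days=TIER_DEADLINE_DAYS[tier])).isoformat()


def internet_reachable_assets(findings: List[Finding]) -> List[str]:
    """Tag the internet-reachable assets the directive asks agencies to report."""
    return sorted({f.asset for f in findings if f.internet_accessible})


# Constructed sample data: placeholder CVE ids and a stand-in KEV listing.
SAMPLE_KEV: Set[str] = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"}
SAMPLE_FINDINGS: List[Finding] = [
    Finding("print-srv-03", "CVE-EXAMPLE-0004", False, False, "limited"),
    Finding("web-portal-01", "CVE-EXAMPLE-0001", True, True, "full"),
    Finding("dev-vm-07", "CVE-EXAMPLE-0003", True, True, "limited"),
    Finding("hr-db-02", "CVE-EXAMPLE-0002", False, False, "full"),
]

if __name__ == "__main__":
    for asset, cve, score, tier, days in prioritize(SAMPLE_FINDINGS, SAMPLE_KEV):
        print(f"tier {tier}  {days:>3}d  score {score:>2}  {asset}  {cve}")
    print("internet-reachable:", internet_reachable_assets(SAMPLE_FINDINGS))
```

The point of the ordering is the one the directive makes: an internal database with a KEV-listed flaw still outranks an internet-facing development box whose flaw nobody is known to exploit, and the deadline follows the tier rather than a flat patch cycle.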

Adopting ‘Ruthless Prioritization’

The shift comes as Iranian threat actors target vulnerable internet-facing systems and operational technology.

“We’re seeing … Iranian threat actors targeting operational technology …, and the sort of opportunistic engagement that we saw from them or if we see more advanced actors that are targeting our enterprise IT equipment,” Andersen said. “These are all opportunities where we have to make hard decisions today.”

Rather than attempting to secure every asset equally, CISA is adopting what he described as a model of “ruthless prioritization” that focuses resources on the systems and infrastructure most critical to public safety and national security.

“We have to be okay with saying there are some systems that are less important than others and there are some elements of critical infrastructure that are less important than others,” Andersen said.

He added that the true measure of a cyber catastrophe is not system downtime or missed service-level agreements, but the real-world consequences that occur when critical infrastructure systems fail.

“I need a hospital to be able to continuously operate without thinking about ‘what is my minimum generator based backup network?’” Andersen said. “It’s not about a service disruption, it’s not about technology disruption, it’s about a real impact on people’s lives.”

The directive notes that networks face increasingly sophisticated cyber campaigns — many driven by nation-state actors and accelerated by adversarial use of AI. CISA warned that attackers are exploiting known vulnerabilities faster than agencies can patch them, narrowing defenders’ reaction time and raising the stakes for federal systems that support critical services.

“Cyber threat actors exploit unpatched vulnerabilities, and their use of AI may further narrow the time defenders have to react between patch release and possible exploitation,” the directive reads.

The Schedule

The directive outlines a phased rollout intended to move agencies from traditional vulnerability management practices toward a threat-informed, risk-based remediation model:

  • Phase 1 (effective immediately): Agencies must update vulnerability management policies and procedures to align with the directive, continuously monitor the KEV catalog, automate reporting through the Continuous Diagnostics and Mitigation program where possible and establish internal accountability for remediation efforts.
  • Phase 2 (within 60 days): Agencies must update vulnerability management processes to support ongoing remediation of vulnerabilities identified through both the Common Vulnerabilities and Exposures database and CISA’s KEV catalog.
  • Phase 3 (within 180 days): Agencies must remediate vulnerabilities according to the directive’s risk-based prioritization framework and prescribed remediation timelines, while continuously identifying and tagging internet-reachable assets and reporting that information to CISA.

Gathering Feedback

CISA is launching a series of nationwide town halls this month to gather substantive feedback from industry partners regarding cyber incident reporting and information-sharing initiatives, Andersen said. Though Binding Operational Directives (BODs) are not mandatory for industry partners, Andersen said that the entire ecosystem must adapt immediately to emerging threats against critical infrastructure and manage risk accordingly.

“I’m hoping it’s going to provide us the opportunity to … visualize and manage risk in a significant way, to be able to calculate further the risk and the threat associated with critical infrastructure, and to be able to make some of those tough decisions as we continue going forward, to remediate vulnerabilities in a significant way,” Andersen said.
