CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector
The Cybersecurity and Infrastructure Agency wants to fundamentally reevaluate how it prioritizes risks and vulnerabilities, both for privately-owned critical infrastructure and within the federal government, acting director Nick Andersen said Tuesday.
The plans include a binding operational directive for federal agencies set to be published Wednesday and getting more specific with critical infrastructure owners and operators about which assets they need to protect most and how, Andersen said while speaking at an event hosted by Axonius in Washington, D.C. and talking with reporters afterwards.
The binding operational directive looks to revise how federal agencies do vulnerability management, he said. “Overall, our approach to date has been ‘A patch is released, apply this patch as quickly as you can,’” he said.
“We’re really asking people to take more of a focus on risk associated with each vulnerability. Is it with an asset that is internet-exposed? Does it align to a KEV entry?” he said, referring to CISA’s list of known exploited vulnerabilities. “Is it automatable in its exploitation? Really, we need to be able to highlight that some patches just aren’t as important as others, and plugging the holes for some vulnerabilities is simply not as important as others.”
Andersen said he has made setting the right priorities the focus of his tenure.
“We have to be okay with saying there are some systems that are less important than others, there are some elements of critical infrastructure that are less important than others,” he said. “Those things are very easy for us to rationalize [for] physical crises, but we need to start wrapping our minds around how we’re going to do that during cyber crises.”
Andersen said artificial intelligence-enhanced threats have fueled the directive in part, based on “a recognition that we’re a different dynamic environment with the shorter timeline to weaponization and exploitation,” but the discussions on the directive have been going on for months, before the splashy announcements about frontier AI models and the risks they might deepen. Wednesday’s directive is unrelated to the AI-focused executive order released by the Trump administration last week.
The idea of prioritizing certain potential hacking targets over others isn’t a new one in critical infrastructure, with concepts like “Section 9” designations under a 2013 executive order for entities whom an attack upon could have catastrophic effects; “systemically important critical infrastructure” designations, as recommended by the Cyberspace Solarium Commission; or the creation of the National Risk Management Center established during President Donald Trump’s first term but now the subject of proposed budget cuts.
Andersen said past concepts haven’t worked well, citing Section 9 designations as an example.
“We would sit here and say, ‘Congratulations, you’re with this company, and you’re a Section 9 entity, isn’t that fantastic?’” he said. “That’s really not the level of fidelity that we have to be able to get to to have a real measurable conversation about risk. I need to be able to go to a company and say, ‘Here’s the specific function you’re supporting that makes you more critical. Let’s have a conversation about the specific assets that support that function, and how do we get to a measurable level of resilience for those assets?’”
Those discussions need to get down to a “fine grain,” Andersen said.
“If I’ve got a major bank that I’m talking to, is it as important to me that the bank’s process that supports the bulk payment system is resilient, or is it just as important to me that the branch location two blocks away is continuing to operate?” he said. “Those things just are apples and oranges, even though it’s the same entity that might be affected.”
CISA’s capabilities under the Trump administration have drawn considerable scrutiny, given deep budget cuts at the agency, with more planned. The administration is now making moves to hire back personnel.
Andersen said the agency is working to hire 329 people, and will have job offers out to 182 of them by the end of June. He said the emphasis of the first tranche of hires under the hiring sprint is operational capabilities, meaning areas like emergency communications, infrastructure security and regional personnel.
The agency also has had some of its work hampered by the government shutdowns, such as the delay in plans for town-hall meetings about implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require key owners and operators to report major incidents within 72 hours.
Andersen said he couldn’t set a date for finalization of regulations related to the law — which had already been delayed prior to any funding lapses — with those town halls now scheduled to begin next week.
“We could have a lot of comments that come to us and really radically change our way of thinking about what the need is here,” he said. “But our focus is just on what’s the original congressional intent behind CIRCIA. what is the greatest need that we’re going to be able to serve, and how it’s going to be able to further the mission that we have for the nation.”
