CISA to Transform How It Assesses Cyber Vulnerabilities and Risks


What happened

The Cybersecurity and Infrastructure Security Agency plans to overhaul how it assesses cyber vulnerabilities and threats, with a greater focus on prioritizing some risks over others.

Acting Director Nick Andersen said CISA needs to become more effective in an environment where cyber risks are increasing. A binding operational directive being released Wednesday will direct federal agencies to change the way they address vulnerabilities by elevating some risks while putting others to the side.

The directive will address whether patching windows need to be shortened and, if so, by how much. It will also direct agencies to change their vulnerability management protocols overall.

CISA is moving away from the older approach of treating vulnerability management as a simple matter of applying every patch as quickly as possible after release. Instead, the agency wants organizations to focus more on the risk associated with each vulnerability, including whether the affected asset is internet-exposed, whether the vulnerability aligns with a known exploited vulnerability, and whether exploitation can be automated.

Andersen said CISA also needs to take a more detailed approach to critical infrastructure risk. The agency already has tools for prioritization, including the Section 9 protocol, which designates entities where a cybersecurity incident could have catastrophic impact. However, Andersen said the existing approach has not been effective enough.

Rather than relying on broad designations, CISA wants to identify the specific functions that make an organization critical, the specific assets that support those functions, and the level of resilience needed for those assets. Andersen said the agency needs to move from broad intelligence conversations to a more fine-grained approach.

He used banking as an example, saying CISA should prioritize whether a bank’s bulk payment system is resilient rather than focusing on whether a single branch can operate after a cyberattack.

The shift comes as CISA has faced constraints from a government shutdown and mass layoffs. Andersen said the agency is addressing staffing shortages and plans to bring on more than 300 new people, with 180 expected to be hired by the end of the month. The first wave of hiring will focus on infrastructure security, emergency communications, and state cybersecurity coordinators in local regions.

Who is affected

Federal agencies will be directly affected by the new binding operational directive, which will change how they prioritize vulnerabilities, patching windows, and vulnerability management protocols.

Critical infrastructure entities may also be affected as CISA moves toward more detailed discussions about which functions and assets are most important to national resilience. Organizations operating systems that support essential services, such as telecommunications, clean drinking water, banking, emergency communications, and other critical functions, may face greater scrutiny around how they identify and protect their most important assets.

CISOs in both government and critical infrastructure should expect more emphasis on risk-based prioritization instead of treating every vulnerability and every asset as equal.

Why CISOs should care

This shift changes the vulnerability management conversation from speed alone to risk-based decision-making. CISA is not simply asking organizations to patch faster. It is asking them to determine which vulnerabilities matter most based on exposure, exploitation status, automatable attack paths, and the importance of the affected asset.

For CISOs, that matters because most security teams operate with limited staff, limited time, and large patch backlogs. A risk-based model gives security leaders a clearer way to justify why certain vulnerabilities, systems, and business functions receive priority over others.

The critical infrastructure angle is also important. CISA is moving toward a more specific view of resilience, focused on the functions and assets that support essential services. That means organizations may need to show not just that they are generally secure, but that the systems supporting their most critical functions have measurable resilience.

3 practical actions

  1. Recalibrate vulnerability management around risk, not just patch release dates: CISA is moving away from a model that treats every patch as equally urgent. CISOs should prioritize vulnerabilities based on internet exposure, known exploitation, exploit automation, asset criticality, and the business or public function supported by the affected system.
  2. Map critical functions to the assets that support them: CISA wants to identify the specific functions that make organizations critical and the specific assets that support those functions. Security teams should map essential business or infrastructure functions to applications, systems, data flows, and dependencies so resilience efforts can focus on what matters most.
  3. Prepare for shorter or more targeted patching windows: The upcoming directive will address whether patching windows need to be shortened and how vulnerability management protocols should change. CISOs should review current patch timelines, exception processes, and compensating controls to determine whether high-risk vulnerabilities can be remediated faster.
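The scoring below is an added illustration, not code or weights from the article or from CISA: it ranks constructed findings using the criteria the article names (internet exposure, alignment with a known exploited vulnerability, automatable exploitation, and the criticality of the function the asset supports) and derives a patch window from the result. The function-to-asset map, the KEV stand-in, the placeholder vulnerability ids, the weights and the day counts are all assumptions.

```python
from dataclasses import dataclass

# Constructed: critical functions mapped to the assets that support them
# (action 2), with a criticality tier per function; 3 is the highest.
FUNCTION_ASSETS = {"bulk_payments": {"pay-gw-01", "pay-db-01"},
                   "branch_ops": {"branch-kiosk-07"}}
FUNCTION_TIER = {"bulk_payments": 3, "branch_ops": 1}

# Constructed stand-in for a known-exploited-vulnerability list (placeholder ids).
KEV = {"VULN-0002", "VULN-0004"}

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    internet_exposed: bool
    automatable: bool

def asset_criticality(asset: str) -> int:
    """Highest tier of any mapped function the asset supports; 0 if unmapped."""
    return max((FUNCTION_TIER[f] for f, a in FUNCTION_ASSETS.items() if asset in a),
               default=0)

def risk_score(f: Finding) -> int:
    """Assumed weights: KEV alignment dominates, then exposure, then automation."""
    score = asset_criticality(f.asset)
    score += 4 if f.vuln_id in KEV else 0
    score += 2 if f.internet_exposed else 0
    score += 1 if f.automatable else 0
    return score

def patch_window_days(score: int) -> int:
    """Assumed remediation windows by score band (action 3)."""
    return 3 if score >= 8 else 14 if score >= 5 else 30 if score >= 3 else 90

def triage(findings: list[Finding]) -> list[dict]:
    """Remediation queue, highest risk first; unmapped assets are flagged so the
    function-to-asset map can be completed rather than silently treated as low risk."""
    rows = [{"vuln_id": f.vuln_id, "asset": f.asset, "score": risk_score(f),
             "window_days": patch_window_days(risk_score(f)),
             "needs_mapping": asset_criticality(f.asset) == 0} for f in findings]
    return sorted(rows, key=lambda r: (-r["score"], r["vuln_id"]))

SAMPLE = [  # constructed findings
    Finding("VULN-0001", "pay-gw-01", True, False),
    Finding("VULN-0002", "branch-kiosk-07", False, True),
    Finding("VULN-0003", "pay-db-01", False, False),
    Finding("VULN-0004", "pay-gw-01", True, True),
    Finding("VULN-0005", "unknown-host", True, True),
]
```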

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.