As noted by CyberScoop, the Cybersecurity and Infrastructure Security Agency (CISA) is planning a significant overhaul of its approach to prioritizing risks and vulnerabilities. This initiative will encompass both privately-owned critical infrastructure and federal government systems, according to Acting Director Nick Andersen.

CISA is set to release a binding operational directive for federal agencies, aiming to revise vulnerability management practices. Instead of a blanket approach to patching, the directive will encourage a risk-based focus, considering factors like internet exposure, exploitation automation, and alignment with CISA's Known Exploited Vulnerabilities (KEV) catalog. Andersen emphasized the need to differentiate the importance of various vulnerabilities and patches. This strategic shift is partly influenced by the evolving threat landscape, including AI-enhanced attacks, which shorten the timeline for exploitation.

The agency also aims to provide more specific guidance to critical infrastructure owners and operators on protecting their most vital assets. This move comes as CISA works to rebuild its capacity, with plans to hire hundreds of new personnel and overcome past challenges, including those posed by government shutdowns that have delayed key initiatives like the implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

Source: CyberScoop
Critical Infrastructure Security
CISA to reevaluate risk prioritization for critical infrastructure and federal agencies




