"Be okay with saying there are some systems that are less important than others," Cybersecurity and Infrastructure Security Agency acting director Nick Andersen told an audience at a cybersecurity event, bluntly summarizing the trade-offs behind a new, binding federal directive set to be released on Wednesday.
Nick Andersen: prioritize impact, not raw counts of vulnerabilities
Andersen framed the pending directive as a pivot away from counting every known flaw toward assessing which vulnerabilities pose the gravest risks if exploited. Speaking at a Tuesday event hosted by cybersecurity firm Axonius, he cautioned that treating every system as equally important leaves agencies unable to protect what matters most. "If we try to say that everything is equally as important, then absolutely nothing’s going to be important," he said, adding that officials will one day be held accountable if they fail to make hard choices: "It’s going to be really hard for us, if one day we have to have those hard conversations with people about how we knew better and how we didn’t prioritize risk appropriately, how we didn’t make the hard choices."
The directive: a binding mandate to rethink federal cyber risk management
The Cybersecurity and Infrastructure Security Agency plans to publish a binding directive that instructs the federal government to rethink how it manages network risk and to prioritize vulnerabilities that "demand the most urgency," Andersen said. The guidance is explicitly designed to acknowledge limits on resources and to force agencies to focus on vulnerabilities and networks whose compromise could inflict the greatest damage, rather than attempting across-the-board patch mandates that many organizations cannot sustain.
AI-backed cyber threats, Anthropic’s Mythos, and a faster exploitation timeline
On the sidelines of the event Andersen told reporters that AI-backed cyber threats are one factor shaping the directive, though he said CISA’s work on the AI ecosystem predates the release of systems such as Anthropic’s Mythos. Andersen described a changing dynamic in which advanced models can rapidly identify vulnerabilities across networks, compressing the time between disclosure and exploitation. "Is the [directive] a recognition that we’re in a different dynamic environment with a shorter timeline to weaponization and exploitation? Yeah, that’s certainly a part of it," he said, while also noting the agency had been discussing an "ever-shrinking window" for addressing vulnerabilities well before recent developments.
Federal agencies, critical infrastructure sectors, and the reality of limited resources
The directive arrives against a backdrop in which federal systems remain frequent targets: adversaries have compromised government systems for access to emails, employee records and other sensitive data, the article notes. Federal IT staff must also weigh how disruptions could ripple through sectors the government oversees — energy, healthcare, telecommunications and water — increasing the potential consequences of certain breaches. Andersen highlighted that many organizations lack the resources to maintain a continuous patch cycle and that it is "too exceedingly easy" for malicious actors to exploit published vulnerabilities quickly.
What this means for technologists, policymakers, and federal IT teams
- Technologists and security teams: Expect a shift toward impact-driven triage. Teams will be asked to identify which systems pose the most systemic risk and to accept that some assets will be deprioritized.
- Policymakers and regulators: The directive will force sharper policy choices about acceptable risk and resource allocation, and it may require new standards or criteria to determine which vulnerabilities "demand the most urgency."
- Federal agency IT teams: Agencies will need to reconcile limited staffing and patching capacity with faster, AI-assisted discovery of exploits, and to document the risk-based decisions the directive requires.
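The impact-driven triage described in the bullets above can be made concrete with a small scoring model. The following is an added illustration for this piece, not code from CISA and not the criteria of the forthcoming directive (which had not been published when Andersen spoke); the tier weights, multipliers, the `Finding` fields and the sample inventory are all assumptions constructed for the example. Its point is the one Andersen makes: a finding on a low-value kiosk with a perfect CVSS score ranks below a moderate flaw that is being exploited on an internet-facing, mission-critical gateway, and every deferral is written down rather than left implicit.

```python
"""Illustrative impact-driven vulnerability triage.

Hypothetical scoring model constructed for this article. It is NOT the
criteria of the CISA directive; weights and multipliers are assumptions.
"""
from dataclasses import dataclass

# Asset criticality tiers (assumption): how much damage compromise would cause.
TIER_WEIGHT = {"mission_critical": 4, "high": 3, "moderate": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # tracking label only; constructed, not a real identifier
    tier: str               # key into TIER_WEIGHT
    cvss: float             # base score 0.0-10.0
    exploited_in_wild: bool
    internet_facing: bool


def score(f: Finding) -> float:
    """Impact-weighted score: higher means patch sooner.

    Weighting is an assumption for illustration: asset impact dominates,
    active exploitation and exposure multiply it, raw CVSS only breaks ties.
    """
    s = TIER_WEIGHT[f.tier] * 10.0
    if f.exploited_in_wild:
        s *= 2.0
    if f.internet_facing:
        s *= 1.5
    return s + f.cvss  # CVSS as a tie-breaker, not the driver


def triage(findings, capacity):
    """Return (patch_now, deferred, log) given how many fixes the team can ship.

    Every decision carries a written rationale so that deprioritising an
    asset is a documented, reviewable choice rather than a silent omission.
    """
    ranked = sorted(findings, key=score, reverse=True)
    patch_now = ranked[:capacity]
    deferred = ranked[capacity:]
    log = []
    for f in patch_now:
        log.append(f"PATCH {f.vuln_id} on {f.asset}: score={score(f):.1f} tier={f.tier} "
                   f"exploited={f.exploited_in_wild} exposed={f.internet_facing}")
    for f in deferred:
        log.append(f"DEFER {f.vuln_id} on {f.asset}: score={score(f):.1f} risk accepted; "
                   f"revisit if exploitation status or exposure changes")
    return patch_now, deferred, log


# Constructed sample inventory (fictional systems and findings, no real CVE data).
SAMPLE = [
    Finding("hr-portal",     "F-1", "high",             9.8, False, False),
    Finding("grid-scada-gw", "F-2", "mission_critical", 6.5, True,  True),
    Finding("kiosk-lobby",   "F-3", "low",             10.0, False, True),
    Finding("email-gateway", "F-4", "high",             7.2, True,  True),
    Finding("dev-wiki",      "F-5", "moderate",         9.1, False, False),
]

if __name__ == "__main__":
    # A team that can ship two fixes this cycle: what goes first, what is written off for now.
    now, later, decisions = triage(SAMPLE, capacity=2)
    print("\n".join(decisions))
```

With a capacity of two, the gateway (exploited, exposed, mission-critical) and the email gateway go first; the HR portal and dev wiki, both carrying high CVSS scores but neither exploited nor exposed, are deferred with a recorded rationale, and the kiosk with a 10.0 lands last. Swapping the weights changes the ordering, which is exactly the policy choice the directive pushes agencies to make explicitly.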
The directive compels federal leaders to make explicit choices about what to defend first and what to accept as lower priority — a politically and operationally charged calculus that Andersen warned could produce uncomfortable accountability if left unaddressed. The immediate next step is the release of the binding directive on Wednesday; how agencies translate its prioritization framework into day-to-day patching and incident planning will determine whether the government can narrow the window attackers now exploit.