
CISA Overhauls Risk Prioritization Approach for Federal Agencies, Private Sector


"A patch is released, apply this patch as quickly as you can," acting director Nick Andersen said, and then added the part he believes must change: the federal government and critical infrastructure owners need to prioritize which patches matter most.

Nick Andersen's approach to vulnerability prioritization

Acting director Nick Andersen told an Axonius-hosted event in Washington, D.C., and reporters afterward that CISA intends to "fundamentally reevaluate" how it prioritizes risks and vulnerabilities across both privately owned critical infrastructure and the federal government. Andersen said he has made setting the right priorities "the focus of his tenure" and that the agency must be willing to accept that "there are some systems that are less important than others" when a cyber crisis hits.

Binding Operational Directive for federal agencies

CISA plans to publish a binding operational directive for federal agencies aimed at revising how agencies conduct vulnerability management. Andersen described the current norm as reactive—patches released, then widely applied—and said the directive will push agencies to "take more of a focus on risk associated with each vulnerability." He emphasized evaluating whether a vulnerability is internet-exposed, whether it aligns to an entry on CISA’s Known Exploited Vulnerabilities (KEV) list, and whether exploitation is automatable.

Known Exploited Vulnerabilities (KEV) and patch triage

Andersen framed the directive around sharper triage of vulnerabilities: some patches merit urgent application, others do not. He said CISA needs to "highlight that some patches just aren’t as important as others, and plugging the holes for some vulnerabilities is simply not as important as others." The KEV list is explicitly called out as a reference point for assessing which fixes should receive highest priority, alongside exposure and automation in exploitation.
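As an added illustration of the triage Andersen describes (not CISA's tooling or any published scoring scheme), the script below ranks findings by the three criteria named in the directive: internet exposure, presence on the KEV list, and automatable exploitation, with CVSS kept only as a tiebreaker. The KEV snapshot, the asset inventory, the CVE identifiers and the `automatable` field are all constructed placeholders.

```python
"""Risk-focused patch triage: KEV membership, exposure, automatability.
Added example; the KEV snapshot and findings below are constructed."""
from dataclasses import dataclass

# Constructed snapshot shaped like the "vulnerabilities" entries of a KEV feed;
# only cveID is consulted. CVE ids are placeholders, not real identifiers.
KEV_SNAPSHOT = {"vulnerabilities": [{"cveID": "CVE-0000-0001"},
                                    {"cveID": "CVE-0000-0003"}]}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_exposed: bool   # reachable from the internet per inventory
    automatable: bool        # assumed scanner field: exploitable without auth/user action
    cvss: float              # severity, used only as a tiebreaker within a tier


def kev_ids(snapshot: dict) -> set[str]:
    """Extract the set of CVE ids from a KEV-shaped snapshot."""
    return {v["cveID"] for v in snapshot["vulnerabilities"]}


def triage_tier(f: Finding, kev: set[str]) -> int:
    """Lower tier number means patch sooner. Tier 1 is the directive's
    worst case: known exploited and exposed. Pure severity never lifts a
    finding out of tier 4 on its own, which is the article's point."""
    in_kev = f.cve in kev
    if in_kev and f.internet_exposed:
        return 1
    if in_kev or (f.internet_exposed and f.automatable):
        return 2
    if f.internet_exposed or f.automatable:
        return 3
    return 4


def prioritize(findings: list[Finding], snapshot: dict) -> list[Finding]:
    """Order findings by tier, then by descending CVSS, then by CVE id."""
    kev = kev_ids(snapshot)
    return sorted(findings, key=lambda f: (triage_tier(f, kev), -f.cvss, f.cve))


# Constructed inventory: note the CVSS 9.8 internal-only finding lands in tier 3.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-01", True, False, 7.5),
    Finding("CVE-0000-0002", "hr-db-02", False, True, 9.8),
    Finding("CVE-0000-0003", "build-srv", False, True, 5.3),
    Finding("CVE-0000-0004", "web-edge", True, True, 8.1),
    Finding("CVE-0000-0005", "kiosk-07", False, False, 9.9),
]
```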

Fine-grain critical-infrastructure conversations: Section 9, Solarium, NRMC

Andersen argued past attempts to single out critical entities have lacked the necessary fidelity. He cited "Section 9" designations under a 2013 executive order as an example of a classification that did not produce the detailed, measurable conversations CISA needs. He also referenced proposals such as "systemically important critical infrastructure" from the Cyberspace Solarium Commission and the creation of the National Risk Management Center during President Donald Trump's first term — noting that the NRMC is now the subject of proposed budget cuts. Andersen said CISA will go beyond naming whole companies by instead identifying "the specific function you’re supporting that makes you more critical" and the assets that support that function, with the aim of achieving "a measurable level of resilience for those assets."

Hiring sprint, shutdown delays, and CIRCIA town halls

CISA's capacity is a recurring theme. Andersen acknowledged the agency's efforts to rebuild operational strength after budget and staffing challenges under the Trump administration, saying CISA is working to hire 329 people and will have job offers out to 182 of them "by the end of June." He said the first tranche of hires prioritizes operational capabilities such as emergency communications, infrastructure security and regional personnel.

Andersen also said government shutdowns have hampered CISA’s work, delaying town-hall meetings tied to implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Those town halls are now "scheduled to begin next week," Andersen said, and CIRCIA will require key owners and operators to report major incidents within 72 hours. He declined to set a date for finalization of CIRCIA regulations, noting that public comments from the town halls "could... radically change our way of thinking about what the need is here."

How technologists, agencies, and critical infrastructure owners will respond

  • Technologists and security teams: They will need to shift from a blanket "apply all patches immediately" posture to prioritizing fixes that are internet-exposed, KEV-listed, or amenable to automated exploitation — consistent with the new directive Andersen described.
  • Federal agencies and procurement leaders: Agencies will have to revise vulnerability-management processes to meet the forthcoming binding operational directive, and they will be watched for how they incorporate risk-focused triage into operational practice.
  • Critical infrastructure owners and operators: Andersen signaled CISA will press for "fine grain" conversations — identifying specific functions and the assets that support them — rather than broad, entity-level designations; those operators should expect requests to map functions and measurable resilience goals.

Andersen framed artificial intelligence-enhanced threats as a partial driver of the push for faster, more precise prioritization, saying there is "a recognition that we’re a different dynamic environment with the shorter timeline to weaponization and exploitation." He was careful to note, however, that discussions on the directive preceded recent high-profile AI announcements and that Wednesday’s directive is "unrelated to the AI-focused executive order released by the Trump administration last week."

The immediate milestones Andersen identified are concrete: publication of the binding operational directive, town halls on CIRCIA beginning next week, and active hiring with offers scheduled to be extended to 182 candidates by the end of June. Those steps will test whether CISA can translate a new prioritization philosophy into the "measurable" resilience he seeks for the nation's most critical cyber functions.
