The Cybersecurity and Infrastructure Security Agency (CISA) plans to overhaul how it assesses cyber vulnerabilities and threats, prioritizing some over others in order to be more effective in an environment where risks are spiking, the agency’s Acting Director Nick Andersen said Tuesday.

A binding operational directive being released Wednesday will integrate this new thinking, directing federal agencies to change the way they address vulnerabilities by elevating some while putting others to the side.

CISA also plans to drill down with critical infrastructure entities on how they are prioritizing their responses to cyber threats.

“We have to be okay with saying there are some systems that are less important than others, there are some elements of critical infrastructure that are less important than others,” Andersen said at a Washington, D.C. event hosted by the cybersecurity firm Axonius.

If such calculations are not made, Andersen said, an overstretched CISA will have to explain to the public “why it is without telecommunications infrastructure for a significant amount of time, why we don't have access to clean drinking water or why we don't have access to the things that we just rely upon to live our lives at a very basic level.”

The binding operational directive will address whether patching windows need to be shortened, and if so by how much. It will also direct federal agencies to change their vulnerability management protocols overall, Andersen said.

The biggest takeaway from the directive is that CISA is moving away from an outmoded historical approach of “the patch is released, apply this patch as quickly as you can,” Andersen said.

“We're really asking people to take more of a focus on risk associated with each vulnerability,” he added. “Is it with an asset that is internet exposed? Does it align to a [known exploited vulnerability]? Is it automatable in its exploitation?”

A ‘fine grade’ approach

CISA already has several functions in place to determine how vulnerabilities are prioritized, but Andersen suggested they are not as successful as they need to be. For example, he said the agency's existing Section 9 protocol — designating entities where a cybersecurity incident could have a catastrophic impact — is an example of a measure that has not been effective enough.

In the past, CISA has effectively congratulated operators for receiving a Section 9 designation without asking detailed follow-up questions, Andersen said.

CISA needs to be able to “go to a company and say, ‘Here's the specific function you're supporting that makes you more critical. Let's have a conversation about the specific assets that support that function, and how do we get to a measurable level of resilience for those assets?’” Andersen said.

What have historically been “broad intelligence conversations” need to “get down to a fine grade,” according to Andersen. For example, he said, CISA needs to prioritize that a given bank’s bulk payment system is solid as opposed to worrying about whether a single branch can operate after a cyberattack.

CISA has been constrained recently by a government shutdown and mass layoffs, but Andersen said the agency is addressing staffing shortages. The agency plans to bring on over 300 new people, with 180 of them being hired by the end of this month, Andersen said.

The initial wave of hiring will focus on replenishing CISA’s pool of employees working on infrastructure security, emergency communications and in local regions as state cybersecurity coordinators. Some of the new employees already have begun working, Andersen said.
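As an added illustration (not code from CISA or from the directive, whose actual rules are not in this article), the three questions Andersen lists, together with the judgement that some assets matter more than others, can be turned into a simple triage rule; the tiers, remediation windows and sample findings below are assumptions constructed for this example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset, with the attributes the triage rule needs."""
    cve: str                 # placeholder ids below; not real CVE numbers
    asset: str
    internet_exposed: bool   # "Is it with an asset that is internet exposed?"
    in_kev: bool             # "Does it align to a known exploited vulnerability?"
    automatable: bool        # "Is it automatable in its exploitation?"
    mission_critical: bool   # asset supports a function the organisation has ranked as critical

# Assumed remediation windows (days per tier); the directive's real windows are not in the article.
WINDOWS = {"act": 2, "attend": 7, "track": 30}
TIER_ORDER = {"act": 0, "attend": 1, "track": 2}

def triage(f: Finding) -> str:
    """Assign a tier from the three exposure/exploitation signals, weighted by asset criticality."""
    signals = sum((f.internet_exposed, f.in_kev, f.automatable))
    if f.in_kev and f.internet_exposed:      # known-exploited and reachable: act now regardless of asset
        return "act"
    if signals >= 2 or (f.mission_critical and signals >= 1):
        return "attend"
    return "track"                           # fix in the normal cycle; not every finding is urgent

def prioritize(findings):
    """Order findings by tier, then critical assets first, then by id for a stable result."""
    return sorted(findings, key=lambda f: (TIER_ORDER[triage(f)], not f.mission_critical, f.cve))

def remediation_plan(findings):
    """Return (cve, asset, tier, days) tuples in the order the work should be scheduled."""
    return [(f.cve, f.asset, triage(f), WINDOWS[triage(f)]) for f in prioritize(findings)]

# Constructed sample findings, modelled on the bank example in the article.
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "bulk-payment-gateway", True, True, True, True),
    Finding("CVE-EXAMPLE-2", "branch-kiosk", False, True, False, False),
    Finding("CVE-EXAMPLE-3", "payment-db", False, False, True, True),
    Finding("CVE-EXAMPLE-4", "marketing-site", True, False, True, False),
]

if __name__ == "__main__":
    for row in remediation_plan(SAMPLE):
        print(row)
```

The point of the exercise is the contrast with "apply every patch as fast as you can": the branch kiosk's known-exploited bug lands in the slow lane because it is neither reachable nor on a critical asset, while the payment gateway goes first.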
Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.