CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector | CyberScoop<\/title> <meta name=\"description\" content=\"CISA is shifting federal agencies and critical infrastructure away from blanket patching toward targeted cyber risk prioritization, acting director Nick Andersen says.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-cyber-risk-prioritization-vulnerability-directive\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector\"> <meta property=\"og:description\" content=\"CISA is shifting federal agencies and critical infrastructure away from blanket patching toward targeted cyber risk prioritization, acting director Nick Andersen says.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-cyber-risk-prioritization-vulnerability-directive\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-06-09T16:27:49+00:00\"> <meta property=\"article:modified_time\" content=\"2026-06-09T16:27:51+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1440\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1778775768g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1781013611g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/89339\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=89339\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-cyber-risk-prioritization-vulnerability-directive%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-cyber-risk-prioritization-vulnerability-directive%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-89339 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-cyber-risk-prioritization-vulnerability-directive\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.229946524064\">\n<div class=\"single-article__header-content\" readability=\"35.701754385965\">\n<p> Acting director Nick Andersen said a binding operational directive is en route for agencies, and that more specific discussions need to happen with critical infrastructure owners. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/89339\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"480\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector.jpg?resize=640%2C480&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg?resize=300,225 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg?resize=768,576 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg?resize=1024,768 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg?resize=1536,1152 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg?resize=600,450 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg?resize=224,168 224w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg?resize=449,337 449w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg?resize=900,675 900w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-2.jpg?resize=1124,843 1124w\" sizes=\"(max-width: 900px) 100vw, 900px\"><figcaption> Nick Andersen, CISA acting director, at the Axonius Adapt In Action 2026 event. (Tim Starks, CyberScoop) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"49.904606910366\"><body readability=\"105.40873605948\"><\/p>\n<p>The Cybersecurity and Infrastructure Agency wants to fundamentally reevaluate how it prioritizes risks and vulnerabilities, both for privately-owned critical infrastructure and within the federal government, acting director Nick Andersen said Tuesday.<\/p>\n<p>The plans include a binding operational directive for federal agencies set to be published Wednesday and getting more specific with critical infrastructure owners and operators about which assets they need to protect most and how, Andersen said while speaking at an event hosted by Axonius in Washington, D.C. and talking with reporters afterwards.<\/p>\n<p>The binding operational directive looks to revise how federal agencies do vulnerability management, he said. \u201cOverall, our approach to date has been \u2018A patch is released, apply this patch as quickly as you can,\u2019\u201d he said.<\/p>\n<p>\u201cWe\u2019re really asking people to take more of a focus on risk associated with each vulnerability. Is it with an asset that is internet-exposed? Does it align to a KEV entry?\u201d he said, referring to CISA\u2019s list of <a href=\"https:\/\/cyberscoop.com\/tag\/known-exploited-vulnerabilities-kev\/\">known exploited vulnerabilities<\/a>. \u201cIs it automatable in its exploitation? Really, we need to be able to highlight that some patches just aren\u2019t as important as others, and plugging the holes for some vulnerabilities is simply not as important as others.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Andersen said he has made setting the right priorities the focus of his tenure.<\/p>\n<p>\u201cWe have to be okay with saying there are some systems that are less important than others, there are some elements of critical infrastructure that are less important than others,\u201d he said. \u201cThose things are very easy for us to rationalize [for] physical crises, but we need to start wrapping our minds around how we\u2019re going to do that during cyber crises.\u201d<\/p>\n<p>Andersen said artificial intelligence-enhanced threats have fueled the directive in part, based on \u201ca recognition that we\u2019re a different dynamic environment with the shorter timeline to weaponization and exploitation,\u201d but the discussions on the directive have been going on for months, before the splashy announcements about frontier AI models and the risks they might deepen. Wednesday\u2019s directive is unrelated to the <a href=\"https:\/\/cyberscoop.com\/donald-trump-white-house-ai-executive-order-scaled-back\/\">AI-focused executive order<\/a> released by the Trump administration last week.<\/p>\n<p>The idea of prioritizing certain potential hacking targets over others isn\u2019t a new one in critical infrastructure, with concepts like <a href=\"https:\/\/cyberscoop.com\/critical-infrastructure-memorandum-ppd-21\/\">\u201cSection 9\u201d<\/a> designations under a 2013 executive order for entities whom an attack upon could have catastrophic effects; <a href=\"https:\/\/cyberscoop.com\/sici-easterly-katko-psies-csis-cisa\/\">\u201csystemically important critical infrastructure\u201d<\/a> designations, as recommended by the Cyberspace Solarium Commission; or the creation of the <a href=\"https:\/\/cyberscoop.com\/dhs-risk-management-center\/\">National Risk Management Center<\/a> established during President Donald Trump\u2019s first term but now the subject of <a href=\"https:\/\/www.cybersecuritydive.com\/news\/cisa-trump-budget-fy2027-details\/816855\/\">proposed budget cuts<\/a>.<\/p>\n<p>Andersen said past concepts haven\u2019t worked well, citing Section 9 designations as an example.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe would sit here and say, \u2018Congratulations, you\u2019re with this company, and you\u2019re a Section 9 entity, isn\u2019t that fantastic?\u2019\u201d he said. \u201cThat\u2019s really not the level of fidelity that we have to be able to get to to have a real measurable conversation about risk. I need to be able to go to a company and say, \u2018Here\u2019s the specific function you\u2019re supporting that makes you more critical. Let\u2019s have a conversation about the specific assets that support that function, and how do we get to a measurable level of resilience for those assets?\u2019\u201d<\/p>\n<p>Those discussions need to get down to a \u201cfine grain,\u201d Andersen said.<\/p>\n<p>\u201cIf I\u2019ve got a major bank that I\u2019m talking to, is it as important to me that the bank\u2019s process that supports the bulk payment system is resilient, or is it just as important to me that the branch location two blocks away is continuing to operate?\u201d he said. \u201cThose things just are apples and oranges, even though it\u2019s the same entity that might be affected.\u201d<\/p>\n<p>CISA\u2019s capabilities under the Trump administration have drawn considerable scrutiny, given deep budget cuts at the agency, with <a href=\"https:\/\/cyberscoop.com\/hill-dems-hammer-gop-for-250m-cisa-budget-cut\/\">more planned<\/a>. The administration is now making moves to <a href=\"https:\/\/cyberscoop.com\/dhs-secretary-markwayne-mullin-pinpoints-optimal-cisa-staffing-levels\/\">hire back personnel<\/a>.<\/p>\n<p>Andersen said the agency is working to hire 329 people, and will have job offers out to 182 of them by the end of June. He said the emphasis of the first tranche of hires under the hiring sprint is operational capabilities, meaning areas like emergency communications, infrastructure security and regional personnel.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The agency also has had some of its work hampered by the government shutdowns, such as the delay in plans for town-hall meetings about implementation of the <a href=\"https:\/\/cyberscoop.com\/tag\/circia\/\">Cyber Incident Reporting for Critical Infrastructure Act<\/a> of 2022, which will require key owners and operators to report major incidents within 72 hours.<\/p>\n<p>Andersen said he couldn\u2019t set a date for finalization of regulations related to the law \u2014 which had already been delayed prior to any funding lapses \u2014 with those town halls now scheduled to begin <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/cisa-announces-revised-town-hall-schedule-engage-stakeholders-cyber-incident-reporting-critical\">next week<\/a>.<\/p>\n<p>\u201cWe could have a lot of comments that come to us and really radically change our way of thinking about what the need is here,\u201d he said. \u201cBut our focus is just on what\u2019s the original congressional intent behind CIRCIA. what is the greatest need that we\u2019re going to be able to serve, and how it\u2019s going to be able to further the mission that we have for the nation.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-cyber-risk-prioritization-vulnerability-directive\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA is rethinking how it prioritizes risks and vulnerabilities for<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[235,384,5925,1112,1794,413,1126,452,594,1599,117,2091,2560,439,6836,290,2390,506],"tags":[236,388,5926,1113,1795,415,1128,454,596,1601,119,2093,2576,443,6837,296,2394,507],"class_list":["post-8731","post","type-post","status-publish","format-standard","hentry","category-ai","category-artificial-intelligence-ai","category-binding-operational-directive","category-budget","category-circia","category-critical-infrastructure","category-cyber-workforce","category-cybersecurity-and-infrastructure-security-agency-cisa","category-cyberspace-solarium-commission","category-executive-order","category-government","category-national-risk-management-center","category-nick-andersen","category-policy","category-sici","category-trump-administration","category-vulnerability-management","category-workforce","tag-ai","tag-artificial-intelligence-ai","tag-binding-operational-directive","tag-budget","tag-circia","tag-critical-infrastructure","tag-cyber-workforce","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-cyberspace-solarium-commission","tag-executive-order","tag-government","tag-national-risk-management-center","tag-nick-andersen","tag-policy","tag-sici","tag-trump-administration","tag-vulnerability-management","tag-workforce"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai\/\" rel=\"category tag\">AI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/artificial-intelligence-ai\/\" rel=\"category tag\">artificial intelligence (AI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/binding-operational-directive\/\" rel=\"category tag\">Binding Operational Directive<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/budget\/\" rel=\"category tag\">budget<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/circia\/\" rel=\"category tag\">CIRCIA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/critical-infrastructure\/\" rel=\"category tag\">critical infrastructure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyber-workforce\/\" rel=\"category tag\">cyber workforce<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyberspace-solarium-commission\/\" rel=\"category tag\">Cyberspace Solarium Commission<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/executive-order\/\" rel=\"category tag\">Executive order<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/national-risk-management-center\/\" rel=\"category tag\">National Risk Management Center<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nick-andersen\/\" rel=\"category tag\">Nick Andersen<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" rel=\"category tag\">Policy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sici\/\" rel=\"category tag\">SICI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/trump-administration\/\" rel=\"category tag\">Trump administration<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-management\/\" rel=\"category tag\">Vulnerability Management<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/workforce\/\" rel=\"category tag\">workforce<\/a>","tag_info":"workforce","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8731"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8731\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8731,"date":"2026-06-09T11:27:49","date_gmt":"2026-06-09T16:27:49","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=89339"},"modified":"2026-06-09T11:27:49","modified_gmt":"2026-06-09T16:27:49","slug":"cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/06\/09\/cisa-is-rethinking-how-it-prioritizes-risks-and-vulnerabilities-for-feds-private-sector\/","title":{"rendered":"CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector"},"content":{"rendered":"