CISA to shift vulnerability program toward risk-based prioritization

CISA Acting Director Nick Andersen announced on Tuesday plans to overhaul how the agency evaluates and prioritizes software vulnerabilities, moving beyond severity scores alone to focus more heavily on real-world risk and operational impact. The agency said the changes are intended to help organizations better prioritize remediation efforts as the volume of disclosed vulnerabilities continues to grow.

Under the new approach, CISA plans to place greater emphasis on factors such as active exploitation, asset criticality, attack complexity, and the potential consequences of a successful attack. Agency officials said the goal is to help defenders focus resources on vulnerabilities that pose the greatest operational risk rather than relying solely on CVSS scores or the total number of disclosed flaws.

The initiative follows broader efforts by CISA to improve vulnerability management programs, including opening nominations for its KEV Catalog and expanding collaboration with security researchers and vendors. Officials said the updated framework is intended to provide organizations with more actionable guidance for addressing the vulnerabilities most likely to affect critical systems and infrastructure.

Denis Calderone, CTO, Suzu Labs:

   “A risk-based approach to vulnerability management makes a lot of sense to us, and it is how we approach vulnerability management with our own clients. CVSS alone has never been a reliable way to decide which vulnerabilities to prioritize. Just in the last two weeks we’ve seen a Palo Alto GlobalProtect vulnerability rated 7.8 that was operationally critical, a SolarWinds Serv-U DoS at 7.5 against a product with a documented history of nation-state and ransomware targeting, and a Check Point zero-day where CISA’s own three-day remediation deadline told a completely different story than the score. So, the policy direction here is right. Where we get skeptical is the execution. Risk-based prioritization is significantly harder than “patch everything as fast as you can.” It requires understanding what assets you have, what functions they support, how they’re exposed, and what the real-world consequences of compromise look like. Who is going to ensure that each entity is actually performing effective risk-based assessments and not just checking a compliance box?

   “That question gets harder to answer when you look at the resource picture. CISA has faced roughly half a billion dollars in proposed budget cuts and lost about a third of its workforce. Andersen is describing an approach where CISA engages directly with critical infrastructure entities to identify specific critical functions and the assets that support them. That kind of hands-on, entity-by-entity engagement requires more analytical capacity, not less. The 329 new hires are a good step forward and show the agency is serious about rebuilding operational capability, but risk-based prioritization at the scale of the federal government and critical infrastructure sectors is an enormous undertaking even for a fully staffed agency.

   “The other thing we’d like to see this framework address is chainability. CVSS scores vulnerabilities in isolation and doesn’t model scenarios where an attacker combines a medium-severity information disclosure with a medium-severity privilege escalation and ends up with critical impact. Neither bug scores as urgent on its own, but together they give you full system compromise. If the goal is to prioritize based on real-world risk, the methodology has to account for how vulnerabilities interact in actual attack chains, not just how they score individually.

   “Organizations shouldn’t wait for this directive to be fully operationalized. Start building your own prioritization stack now: KEV status, EPSS exploitation probability, and your own environmental context. That combination has been more reliable than CVSS alone for a while now.”
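The prioritization stack Calderone describes (KEV status, EPSS exploitation probability, and environmental context) lines up with the factors CISA names in the announcement (active exploitation, asset criticality, exposure, and consequences of compromise). The routine below is an added example of how a defender might combine them into a single ranking; it is not code from the article, from CISA, or from Suzu Labs. The CVE identifiers, EPSS values, asset names, criticality tiers and weights are all constructed for illustration, and in practice KEV membership comes from CISA’s KEV catalog, EPSS from the FIRST EPSS feed, and criticality and exposure from your own asset inventory.

```python
"""Risk-based vulnerability triage: KEV + EPSS + environmental context.

Added example, not from the article or any quoted vendor. Every CVE ID,
EPSS value, asset name and weight below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder IDs below; real IDs come from your scanner
    cvss: float              # CVSS base score, kept only for comparison
    epss: float              # EPSS: probability of exploitation in 30 days, 0..1
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalog
    asset: str               # constructed asset name from an inventory
    criticality: int         # 1 (low) .. 4 (crown jewel), set by the business owner
    internet_exposed: bool   # reachable from the internet per network inventory


def risk_score(f: Finding) -> float:
    """Combine exploitation evidence with local context (0..100).

    Exploitation evidence dominates: a KEV listing is treated as certainty
    (likelihood 1.0); otherwise EPSS supplies the probability. That
    likelihood is scaled by how reachable the asset is and how much it
    matters. The 0.4 internal-exposure factor and the linear criticality
    scale are constructed starting points, not a published standard.
    """
    likelihood = 1.0 if f.in_kev else f.epss
    exposure = 1.0 if f.internet_exposed else 0.4
    impact = f.criticality / 4.0
    return round(100 * likelihood * exposure * impact, 1)


def triage(findings: List[Finding]) -> List[Finding]:
    """Order findings by contextual risk; CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


def cvss_order(findings: List[Finding]) -> List[Finding]:
    """The severity-only ordering the article argues against, for contrast."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample: a critical-rated bug on a low-value box, a KEV-listed
# 7.5 on the VPN edge, a quiet 6.5 on the billing database, and a high-EPSS
# 8.1 on a public web server.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, "dev-jenkins", 1, False),
    Finding("CVE-0000-0002", 7.5, 0.60, True,  "vpn-gateway", 4, True),
    Finding("CVE-0000-0003", 6.5, 0.35, False, "billing-db",  4, False),
    Finding("CVE-0000-0004", 8.1, 0.90, False, "public-web",  3, True),
]


if __name__ == "__main__":
    print("risk-based order:")
    for f in triage(SAMPLE):
        print(f"  {f.cve}  risk={risk_score(f):5.1f}  cvss={f.cvss}  {f.asset}")
    print("cvss-only order:")
    for f in cvss_order(SAMPLE):
        print(f"  {f.cve}  cvss={f.cvss}")
```

Running it puts the KEV-listed VPN gateway bug first and the 9.8 on the disposable build server last, the inversion of the CVSS-only list. The weights are the part to argue about locally: the model only works as well as the criticality tags and exposure data behind it, which is the asset-inventory effort both Calderone and Small call out.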

Ryan McCurdy, VP of Marketing, Liquibase:

   “CISA’s shift is the right move because severity scores alone do not tell defenders what actually puts the business at risk. A vulnerability on a low-impact system is very different from one affecting a production database, deployment pipeline, or system tied to customer data and critical operations.

   “The next step is connecting vulnerability prioritization to proof of control. Security teams need to know not only which issues are being exploited, but where they sit, what they can impact, who remediated them, and whether the fix moved through a controlled change process. Otherwise, teams can patch one risk while introducing another through rushed, manual, or poorly governed changes.”

Doc McConnell, Head of Policy and Compliance, Finite State:

   “The pace of vulnerability identification is accelerating thanks to AI, and the volume is outpacing response even for well-resourced teams. It makes sense that the federal government is moving from blanket timelines to more individualized, risk-based prioritization.

   “But this approach demands more sophistication from cyber defenders. In order to make an effective risk-based assessment, they need to understand what they’re protecting. For example, device manufacturers need a deep understanding of their own firmware, including third-party components, to know whether a new vulnerability is present and exploitable in their product.

   “Organizations need to ask themselves: do they have the context they need to make informed prioritization decisions about new vulnerabilities? If not, building that context has to be priority number one.”

Damon Small, Board of Directors, Xcape, Inc.:

   “The Cybersecurity and Infrastructure Security Agency (CISA) is shifting the federal vulnerability baseline from predictable, severity-based scoring to a risk-centric paradigm. While moving beyond Common Vulnerability Scoring System (CVSS) numbers helps manage patch fatigue, calculating real-world operational risk requires localized context that most organizations struggle to automate. This subjective approach demands greater effort from analysts to extract local context, but it shifts the metric from superficial scorekeeping to actionable, risk-aligned defense.

   “Security teams must integrate localized threat intelligence with strict asset discovery to ensure asset criticality tags match actual business functions. Chief Information Security Officers (CISOs) should audit their pipelines immediately to ingest CISA’s expanded Vulnrichment telemetry, prioritizing active exploitation data over static metrics to justify mitigation exceptions to auditors and business units.

   “Critical Takeaways

   • “Context Over Score: Severity scores are officially deprecated as standalone metrics, forcing security leaders to justify patching decisions based on active exploitation and asset criticality.
   • “Telemetry Upgrade Required: Security teams must immediately update vulnerability management pipelines to ingest and process CISA’s expanded context data, rather than relying on traditional automated scanner outputs.
   • “Audit Local Asset Context: CISOs need to establish strict, defensible asset discovery and business-criticality tagging, as automated risk prioritizations are useless without precise local context.

   “It turns out that counting to ten over and over was a terrible way to run a security program, even if it did look nice on an executive dashboard.”

Sunil Gottumukkala, CEO, Averlon:

   “Glad to see CISA’s acting director focusing on real-world risk; this shift is overdue. Knowing a vulnerability is exploited in the wild, which the KEV catalog already delivers, answers only half the question. The other half is whether it matters in your environment. Do the specific conditions the exploit depends on, a particular configuration, an exposed or reachable service, actually exist in your fleet?

   “This directive pushes agencies to answer that second half. Doing it well requires two things: knowing what assets you have and how they are deployed and configured, and understanding how a given CVE is being exploited to assess its real impact on your environment.”

My advice is to start prioritizing on risk and operational impact now, then adjust once the framework is finalized. That way there is forward movement in terms of making environments safer for all.
