
CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector

9 June 2026 at 12:27

The Cybersecurity and Infrastructure Security Agency wants to fundamentally reevaluate how it prioritizes risks and vulnerabilities, both for privately owned critical infrastructure and within the federal government, acting director Nick Andersen said Tuesday.

The plans include a binding operational directive for federal agencies set to be published Wednesday and getting more specific with critical infrastructure owners and operators about which assets they need to protect most and how, Andersen said while speaking at an event hosted by Axonius in Washington, D.C., and talking with reporters afterwards.

The binding operational directive looks to revise how federal agencies do vulnerability management, he said. “Overall, our approach to date has been ‘A patch is released, apply this patch as quickly as you can,’” he said.

“We’re really asking people to take more of a focus on risk associated with each vulnerability. Is it with an asset that is internet-exposed? Does it align to a KEV entry?” he said, referring to CISA’s list of known exploited vulnerabilities. “Is it automatable in its exploitation? Really, we need to be able to highlight that some patches just aren’t as important as others, and plugging the holes for some vulnerabilities is simply not as important as others.”
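The three questions quoted above (is the asset internet-exposed, does the vulnerability align to a KEV entry, is exploitation automatable) are essentially decision points for a risk-based patch queue. The following is an added illustration, not code from CISA or from the directive described in the article: a small triage routine that maps those questions, plus an asset-criticality flag standing in for Andersen's "some systems are less important than others," to a patch tier. The tier names, the ordering rules, the local `KEV_CATALOG` stand-in and the `CVE-0000-000x` identifiers are all constructed placeholders, not real catalogue data.

```python
"""Risk-based vulnerability triage: an added illustration of the three
risk questions in the article (internet-exposed? KEV-listed? automatable?).
Tiers, ordering rules and sample data are assumptions, not CISA's directive."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for a local copy of the KEV catalogue.
# The CVE identifiers are placeholders, not real entries.
KEV_CATALOG = {"CVE-0000-0001", "CVE-0000-0003"}

# Patch tiers, least to most urgent.
TIERS = ("defer", "scheduled", "urgent", "immediate")


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_exposed: bool     # reachable from the internet
    automatable: bool          # exploitation can be scripted end to end
    mission_critical: bool     # asset supports a function the org ranks as critical


def in_kev(cve: str) -> bool:
    """Does the finding align to a KEV entry? Lookup against the local copy."""
    return cve.upper() in KEV_CATALOG


def tier(f: Finding) -> str:
    """Map the three risk questions (plus asset criticality) to a patch tier."""
    kev = in_kev(f.cve)
    if kev and f.internet_exposed:
        level = 3            # known-exploited and reachable: patch now
    elif kev or (f.internet_exposed and f.automatable):
        level = 2            # exploited somewhere, or exposed and easy to automate
    elif f.internet_exposed or f.automatable:
        level = 1            # one risk factor present: schedule it
    else:
        level = 0            # internal, manual-only, not in KEV: defer
    if f.mission_critical:
        level = min(level + 1, 3)   # critical assets move up one tier
    return TIERS[level]


def triage(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Return (tier, cve, asset) tuples, most urgent first (stable within a tier)."""
    ranked = [(tier(f), f.cve, f.asset) for f in findings]
    ranked.sort(key=lambda r: TIERS.index(r[0]), reverse=True)
    return ranked


# Constructed sample findings for a demonstration run.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-gateway", True, True, True),
    Finding("CVE-0000-0002", "branch-kiosk", False, False, False),
    Finding("CVE-0000-0003", "hr-portal", False, False, False),
    Finding("CVE-0000-0004", "payments-core", False, True, True),
    Finding("CVE-0000-0005", "public-web", True, True, False),
]

if __name__ == "__main__":
    for t, cve, asset in triage(SAMPLE):
        print(f"{t:10} {cve}  {asset}")
```

Run stand-alone, the script lists the VPN gateway first (KEV-listed and internet-exposed), the internal kiosk finding last, and the payments system in the same tier as the exposed web server only because of the criticality bump; that last case is the "bank's bulk payment system versus the branch two blocks away" distinction the article draws, expressed as a rule rather than a judgment call.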

Andersen said he has made setting the right priorities the focus of his tenure.

“We have to be okay with saying there are some systems that are less important than others, there are some elements of critical infrastructure that are less important than others,” he said. “Those things are very easy for us to rationalize [for] physical crises, but we need to start wrapping our minds around how we’re going to do that during cyber crises.”

Andersen said artificial intelligence-enhanced threats have fueled the directive in part, based on “a recognition that we’re a different dynamic environment with the shorter timeline to weaponization and exploitation,” but the discussions on the directive have been going on for months, before the splashy announcements about frontier AI models and the risks they might deepen. Wednesday’s directive is unrelated to the AI-focused executive order released by the Trump administration last week.

The idea of prioritizing certain potential hacking targets over others isn’t a new one in critical infrastructure, with concepts like “Section 9” designations under a 2013 executive order for entities on which an attack could have catastrophic effects; “systemically important critical infrastructure” designations, as recommended by the Cyberspace Solarium Commission; or the creation of the National Risk Management Center, established during President Donald Trump’s first term but now the subject of proposed budget cuts.

Andersen said past concepts haven’t worked well, citing Section 9 designations as an example.

“We would sit here and say, ‘Congratulations, you’re with this company, and you’re a Section 9 entity, isn’t that fantastic?’” he said. “That’s really not the level of fidelity that we have to be able to get to to have a real measurable conversation about risk. I need to be able to go to a company and say, ‘Here’s the specific function you’re supporting that makes you more critical. Let’s have a conversation about the specific assets that support that function, and how do we get to a measurable level of resilience for those assets?’”

Those discussions need to get down to a “fine grain,” Andersen said.

“If I’ve got a major bank that I’m talking to, is it as important to me that the bank’s process that supports the bulk payment system is resilient, or is it just as important to me that the branch location two blocks away is continuing to operate?” he said. “Those things just are apples and oranges, even though it’s the same entity that might be affected.”

CISA’s capabilities under the Trump administration have drawn considerable scrutiny, given deep budget cuts at the agency, with more planned. The administration is now making moves to hire back personnel.

Andersen said the agency is working to hire 329 people, and will have job offers out to 182 of them by the end of June. He said the emphasis of the first tranche of hires under the hiring sprint is operational capabilities, meaning areas like emergency communications, infrastructure security and regional personnel.

The agency also has had some of its work hampered by the government shutdowns, such as the delay in plans for town-hall meetings about implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require key owners and operators to report major incidents within 72 hours.

Andersen said he couldn’t set a date for finalization of regulations related to the law — which had already been delayed prior to any funding lapses — with those town halls now scheduled to begin next week.

“We could have a lot of comments that come to us and really radically change our way of thinking about what the need is here,” he said. “But our focus is just on what’s the original congressional intent behind CIRCIA, what is the greatest need that we’re going to be able to serve, and how it’s going to be able to further the mission that we have for the nation.”

The post CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector appeared first on CyberScoop.

Spy agency officials say job loss anxiety, moving fast ‘safely’ among top challenges in AI workforce overhaul

By: djohnson
28 April 2026 at 17:43

Like many organizations, the National Geospatial-Intelligence Agency is moving to integrate AI tools into its business operations.

Jay Harless, director of human development at NGA, said the agency is trying to strike a balance: move fast enough to keep pace in what U.S. national security officials increasingly view as an AI arms race with adversarial countries like Russia and China, but not so fast that it disrupts proven intelligence-gathering methods.

“One of our primary drivers is that our adversaries were investing heavily, and so there is the pressure to keep ahead of and do that safely,” Harless said Tuesday at the Workday Federal Forum, presented by Scoop News Group. “We also realize that some of our adversaries may not have the same legal and ethical boundaries that us and our partners all need.”

Harless said the agency and others in the intelligence community are working to build systems with agentic AI that can accelerate decision-making “within secure boundaries.” That means building new IT infrastructure, validation protocols, monitoring for bias or rogue behavior, and putting accountability mechanisms in place.

“We’re moving fast, and moving fast safely by distinguishing what should be automated, what should be augmented and what should be kept purely human, because there are some things that will always be [human-operated],” he said.

A key piece is figuring out exactly how AI should fit into the work. Sasha Muth, NGA’s deputy director of human development, said the agency envisions a three-to-five-year effort to transform its workforce and IT infrastructure for the AI age. This year will be spent largely putting “structural things in place” for when and how analysts use AI, and reassessing what qualifications the agency should require for entry-level jobs.

But that effort is also causing tensions within the workforce, and Muth acknowledged that part of the challenge is convincing rank-and-file employees that the technology is going to help them – not replace them. The agency hired its first Chief AI Officer in 2024, and its upcoming three-year strategic plan will focus on change management, professional development and updating employees’ job skills. 

Muth said the agency is focused on evolving its human capital needs because one of her biggest fears is that over that five-year transition “we’re going to lose a lot of our expertise” by automating functions and not doing enough to modernize job requirements.

“We do see it as a big transformation, not only for just utilizing the technology, but moving our workforce along with us, having them excited about the changes and not fearful, because there’s a lot of fear…that their job is going away, that they won’t have a job,” she said.

The post Spy agency officials say job loss anxiety, moving fast ‘safely’ among top challenges in AI workforce overhaul appeared first on CyberScoop.

Lawmakers renew push for Labor Department-backed cyber apprenticeship grants

By: mbracken
2 April 2026 at 12:14

With the country’s cybersecurity workforce still experiencing major shortages, a bipartisan, bicameral group of lawmakers is pushing to enlist the Department of Labor to help tackle the problem.

The Cyber Ready Workforce Act would direct the DOL to establish a grant program that supports the “creation, implementation, and expansion of registered apprenticeship programs in cybersecurity,” per a press release announcing the bill’s introduction this week.

“As cyberattacks become more common and complex, we need to ensure we have the workers with the training and skills necessary to protect our cyber infrastructure and Americans’ personal data,” Sen. Jacky Rosen, D-Nev., one of the bill’s co-sponsors, said in a statement. “This bipartisan legislation will help fill gaps in our cybersecurity workforce and will open the door to more good-paying, cutting edge jobs for Nevadans, regardless of whether or not they have a college degree.”

Another co-sponsor, Sen. Marsha Blackburn, said in a statement that the legislation would provide “targeted support” for businesses, colleges and nonprofits that need more cyber protections. The country’s “severe talent shortage” in cyber “poses a serious threat to our national security and economic growth,” the Tennessee Republican said.

The introduction of the legislation Tuesday isn’t Rosen and Blackburn’s first bite at the apple, but previous efforts stalled out in the Senate. This time around, the senators added a pair of House co-sponsors — Reps. Susie Lee, D-Nev., and Brian Fitzpatrick, R-Pa. — to the pitch. It also comes at a time when the Trump administration has directed the DOL to do more with apprenticeships and technology.

Lee said in a statement that in Nevada alone, there’s a shortage of 4,000 cybersecurity professionals. Some estimates put the nationwide cyber workforce deficit at nearly half a million jobs.

“Whether you know it or not, cybersecurity … impacts all of us, from our small businesses, to utility grids, to our national security. But we don’t have enough talent to fill these jobs,” Lee said. “This bill will help ensure that we don’t fall behind when it comes to cybersecurity, while putting Nevada at the forefront of the high-demand, high-impact, and high-paying jobs of the future.”

According to a fact sheet posted to Lee’s congressional website, the bill calls on the Labor Department to award grants to “workforce intermediaries” that will grow the number of registered cybersecurity apprenticeship programs. 

Grant funding should be used for developing curricula and providing technical instruction. It could also go toward marketing and recruitment programs, support services such as career counseling and mentorship, and assistance for things like transportation, housing and childcare costs.

The legislation also encourages grant recipients to connect and collaborate with workforce intermediaries in business, nonprofit and academic settings. Coordinating on resources in cyber apprenticeship programs should ensure federal investments aren’t going toward duplicative efforts, per the fact sheet. 

“The continued shortage of cybersecurity professionals has exposed our nation to severe vulnerabilities, threatening our economy and national security,” Fitzpatrick said in a statement. “Now, more than ever, a strong cybersecurity workforce is necessary to protect our interests at home and abroad.”

Addressing the cybersecurity workforce shortage has been a priority for many lawmakers over the past several years, with legislation seeking to establish cyber grants at two-year colleges and minority-serving institutions, create new federal cyber training programs, give money to CISA for minority recruitment efforts and more.

The post Lawmakers renew push for Labor Department-backed cyber apprenticeship grants appeared first on CyberScoop.
