The Cybersecurity and Infrastructure Security Agency (CISA) is shifting its cybersecurity strategy toward a risk-based approach as it manages new artificial intelligence mandates and a depleted workforce. Acting Director Nick Andersen announced the pivot on June 9, 2026, signaling that federal agencies must prioritize vulnerabilities based on their specific threat to national security rather than attempting to patch every software flaw equally. This shift directly impacts how public sector departments allocate limited resources to protect critical infrastructure.
Rethinking vulnerability management
A forthcoming Binding Operational Directive will require federal agencies to abandon the traditional patch-as-quickly-as-possible mindset, establishing a new baseline for AI for Government security. CISA will now require agencies to evaluate the specific risks associated with software vulnerabilities.
"If we try to say that everything is equally as important, then absolutely nothing's going to be important," Andersen said. He emphasized that the agency must prioritize functions that underpin the economy and national security. For example, ensuring a major bank's bulk payment system remains resilient is far more critical than protecting a single local branch.
Rebuilding the workforce amid budget cuts
This strategic pivot comes as CISA attempts to rebuild its ranks following steep workforce reductions. Although the agency denied rumors of layoffs within its red team of vulnerability testers, clarifying it only terminated specific contracts to eliminate duplication, former officials reported personnel cuts affecting over 100 employees.
CISA expects to extend nearly 200 job offers this month as part of an initial plan to hire 329 mission-critical staff. Homeland Security Secretary Markwayne Mullin indicated the agency may eventually need to add roughly 600 new employees to meet its growing mission. However, the Office of Management and Budget has proposed a $707 million funding reduction for CISA under the 2027 government budget, bringing its total allocation to approximately $2.02 billion. The OMB stated these cuts are designed to eliminate programs that combat misinformation and propaganda.
Why this matters for management
Managers overseeing technology and security operations must adjust their resource allocation models to adapt to this new federal reality. When budgets shrink and mandates grow, prioritizing high-impact systems over low-risk endpoints becomes a survival tactic rather than a theoretical exercise. Leaders should audit their own patch management workflows to ensure they fit this risk-based framework before directives take full effect.
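One way a security team could encode the "not everything is equally important" ordering when auditing its own patch workflow. This is an added illustration, not a model CISA's directive prescribes; the weights, asset names and CVE placeholders are constructed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str            # constructed placeholder, not a real identifier
    cvss: float         # base severity, 0-10
    criticality: int    # 1 = low impact .. 5 = underpins the economy / national security
    known_exploited: bool
    exposed: bool       # reachable from the internet

def risk_score(f: Finding) -> float:
    """Severity alone ranks a branch kiosk above a payment gateway; weighting
    by asset criticality and real-world exploitation inverts that ordering.
    Weights are illustrative assumptions."""
    score = f.cvss * (f.criticality / 5)
    if f.known_exploited:
        score *= 1.5
    if f.exposed:
        score *= 1.25
    return round(score, 2)

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)

def patch_queue(findings: list[Finding], capacity: int) -> list[str]:
    """Assets that fit a fixed remediation capacity this cycle, highest risk first."""
    return [f.asset for f in prioritize(findings)[:capacity]]

# Constructed sample inventory (values are made up for the illustration).
SAMPLE = [
    Finding("bulk-payment-gateway", "CVE-PLACEHOLDER-1", 7.5, 5, True, True),
    Finding("branch-kiosk",         "CVE-PLACEHOLDER-2", 9.8, 1, False, False),
    Finding("hr-portal",            "CVE-PLACEHOLDER-3", 6.5, 3, True, False),
    Finding("branch-printer",       "CVE-PLACEHOLDER-4", 9.0, 1, False, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.2f}  cvss={f.cvss:<4} {f.asset}")
    print("patch this cycle:", patch_queue(SAMPLE, 2))
```

The kiosk carries the highest CVSS score yet lands last, while the payment gateway with a lower base score leads the queue, which is the trade-off the directive asks agencies to make explicit.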