News · The Broadside

Andersen pushes consequence-driven CISA risk model for infrastructure

The hard part is converting a National Risk Register into budget and patch decisions people can see.


TL;DR

Inside Cybersecurity reports that CISA Acting Director Nick Andersen used a June 10 Cyber Defense Review essay to argue for “strict, consequence-driven” risk management for critical infrastructure. The shift affects CISA, civilian agencies, infrastructure operators and funders asked to prioritize systems whose failure would hit national security, public safety, military readiness or economic continuity. The policy test is concrete: whether the National Risk Register changes funding, vulnerability work and resilience planning.

CISA Acting Director Nick Andersen is putting a sharper edge on the agency’s critical infrastructure line: rank the assets by consequence, spend against the worst failures, and measure whether essential services can keep operating under attack. Inside Cybersecurity reports that Andersen made the case in a June 10 Cyber Defense Review essay, tying the approach to President Trump’s March 2025 resilience executive order and its planned National Risk Register.

That is a meaningful shift in emphasis, if CISA can turn it into decisions. Andersen says the federal government and CISA should prioritize infrastructure whose disruption would imperil national security, public safety, military readiness and economic continuity. He also frames CISA’s role as translating the executive order and the register into operational choices, starting with “what matters most,” rather than treating a sector label or program label as the answer.

The practical pieces are starting to line up. The same reporting notes CISA’s June 10 risk-management approach for civilian agency vulnerability patching, aimed at fixing some exploits faster because they matter more. It also points to CI Fortify, CISA’s resilience initiative focused on continuing operations during a cyberattack. CISA has requested $5 million in fiscal 2027 for the National Risk Register, and House appropriators included that amount in a Department of Homeland Security spending bill advanced June 10.

The register should be judged by what it changes. If it helps agencies and operators identify the assets, service providers, regional dependencies and supply-chain concentrations whose failure would cascade into national consequences, it becomes a planning tool. If it shows up only as a report with relative risk graphics, it will be a nicer map of decisions still being made somewhere else.


Published · Deep Fathom