At the start of the year, CISA launched our #Protect2024 campaign—a suite of security products, services, and trainings for the election security community to help them more easily and effectively prioritize security and resilience efforts while simultaneously administering elections. As part of this, CISA launched the #Protect2024 webpage that served as the central hub for CISA’s election security guidance products and public releases. Since its launch, the #Protect2024 site has amassed over 235,000 views and served as the release site for 17 new security guidance products. The website also housed the release of 6 joint public statements by CISA, FBI and the Office of the Director of National Intelligence on foreign government activity targeting our election infrastructure. 

Another major component of this mission was to ensure the American public understood the incredible work being done by the election infrastructure community. It is because of their efforts and those of public and private security partners that going into the 2024 election cycle our election infrastructure was more secure, and the election community better prepared, than ever before.  These messages were emphasized at numerous public engagements, to include a range of national level media appearances, by the Director Easterly and the CISA team reaching an audience of over 65 million viewers. 

In order to help stakeholders manage and reduce risk as they prepared to administer elections in 2024’s complex threat environment, CISA recognized the importance of doing more to meet our election stakeholders where they are, addressing their unique needs and requirements. That’s why CISA invested additional resources into our field staff, to include hiring 10 regional election security advisors—former election officials who collectively brought over 200 years of election security and administration experience to CISA. We also cross-trained CISA security experts to increase our field capacity enabling CISA to conduct more physical security assessments across the country. As a result, CISA provided more services to more stakeholders in more jurisdictions than ever before. Since January 2023, CISA conducted over 700 cyber assessments and nearly 1300 physical security assessments for election stakeholders across the country. Additionally, CISA provides almost 1,000 election infrastructure stakeholders with weekly cyber vulnerability scanning reports. 

Resilience is rooted in preparation, especially when you are preparing to manage a range of potential threats from cyber to physical to operational risk. That’s why CISA made training availability to election stakeholders a top priority. Overall, since January 2023, CISA has provided 200 tabletop exercises and over 500 election security related trainings, in total reaching more than 30,000 participants.

One very important part of this effort is CISA’s annual Tabletop the Vote Exercise which is conducted in coordination with the National Association of Secretaries of State and the National Association of State Election Directors. This year marked the seventh annual tabletop exercise and brought together members of the election infrastructure community to walk through hypothetical incidents and corresponding response and recovery efforts. This year’s exercise included more than 1,250 participants from dozens of states and territories and a wide range of federal government partners.

Through the Joint Cyber Defense Collaborative (JCDC), CISA coordinates with operational cybersecurity partners in industry to develop technical information and materials with practical guidance that helps industry prepare for, mitigate, and respond to cyber incidents.  In FY24, JCDC released almost 1,300 cyber defense alerts, advisories, and products, including 58 joint-sealed cybersecurity advisories and co-sealed products. These included the first products that CISA had co-sealed with the Czech Republic, Poland, Ukraine, Estonia, Poland, Finland, and Sweden.

CISA’s Pre-Ransomware Notification Initiative (PRNI) is another way we have worked to measurably reduce risk outcomes for critical infrastructure in the United States and allied nations in FY24. These notifications warn entities of early-stage ransomware activity so they can prevent encryption and evict ransomware gangs from their networks. CISA has conducted 3,368 Pre-Ransomware Notifications since the inception of the initiative 2 years ago, with 2,131 conducted this year as of November 2024. These notifications include those sent to hundreds of K-12 school districts; state, local, tribal and territorial government entities; healthcare organizations and hospitals; and other critical infrastructure.

Additionally:

• We also used our Administrative Subpoena authorities, granted by Congress in the 2021 NDAA, to identify and drive mitigation of over 1,200 vulnerable devices used to control critical infrastructure like power plants and water utilities. 
• Our Protective Domain Name System (DNS) service blocked 1.26 billion malicious connections targeting federal agencies in FY24, disrupting a significant number of attempted attacks. Many intrusions are enabled by known exploited vulnerabilities. After compromising a victim, malicious cyber actors will generally attempt to contact a known server to steal information from the victim or receive further instructions. 
• Malicious actors are continuously seeking to compromise federal websites and applications. Through our Vulnerability Disclosure Platform, legitimate security researchers enabled agency remediation of over 861 vulnerabilities this year, before they could be exploited by malicious actors and bringing the total to over 3,247 vulnerabilities since 2021. 
• In FY24, CISA coordinated 845 CVD cases and produced 427 vulnerability advisories. Coordinated Vulnerability Disclosure (CVD) is the process of coordinating mitigation or remediation and public disclosure of newly identified cybersecurity vulnerabilities in products and services with the affected vendors. 

As part of our ongoing effort to improve cyber incident reporting, CISA moved our cyber incident reporting form to the agency’s new and enhanced secure CISA Services Portal, which provides increased functionality, including integration with login.gov credentials. 

To help guide people reporting cyber incidents through the process, CISA also released a voluntary cyber incident reporting resource. This web page helps visitors understand who should report an incident, why and when they should report, as well as what to report and how. The page also includes information and tools to help reduce cyber risk.

This year, CISA hit a major milestone and made a positive step toward improved cybersecurity for the nation as part of its efforts to implement its requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022.  On April 4, 2024, CISA published the CIRCIA Notice of Proposed Rulemaking (NPRM), which contains CISA’s proposed regulations for implementing the CIRCIA regulatory program.  In response to the NPRM, business and industry; state, local, tribal and territorial entities; individuals; non-profits; law firms; information sharing and analysis centers (ISACs); and members of Congress contributed hundreds of comments and recommendations. CISA is considering this feedback as we develop the CIRCIA Final Rule. Implementing CIRCIA will enhance the cybersecurity of critical infrastructure in the United States and enable CISA to develop insights on the cyber threat landscape to drive cyber risk reduction across the nation and to provide early warning to other entities that may be at risk.

The People's Republic of China remains the most active and persistent cyber threat to U.S. Government, private sector, and critical infrastructure networks, according to the Office of the Director of National Intelligence. Over the past year, CISA has focused on detecting, preventing and mitigating PRC threats; advancing scalable vulnerability reduction for government and critical infrastructure; and increasing awareness, preparedness, and resilience focused on PRC threats and tactics. At the start of the year, CISA mounted a public awareness campaign designed to increase broader understanding of this critical threat, which Director Easterly emphasized in joint testimony with the Directors of the FBI, NSA, and ONCD during a congressional hearing on Chinese government state-sponsored cybersecurity threats. Throughout the year, CISA issued detailed information on PRC threats, such as a joint CSA on the PRC state-sponsored cyber group known as Volt Typhoon, which compromised the IT environments of several critical infrastructure sectors including Communications, Energy, Transportation and Water and Wastewater. We also held a CISA Live event on PRC threats, and CISA subject matter experts participated in numerous speaking engagements to discuss the need for industry partnership to identify PRC threats, review lessons learned, and relay steps that organizations can take to increase their cyber resiliency. 

CISA has also continued its strong industry engagement to mitigate PRC threats, coordinating with Sector Risk Management Agencies and subject matter experts for transportation, water, energy, and communications sectors to reduce risk to those sectors. More information about the cyber threats posed by the PRC is available at People's Republic of China Cyber Threat.

CISA develops and shares cyber advisories and alerts to help critical infrastructure understand the risks from other nation-state actors and offers steps to mitigate current risks. 

• Russia engages in malicious cyber activities to enable widespread cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries. 
• North Korea leverages cyberattacks to gather intelligence, disrupt systems, and generate revenue. 
• Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied and partner networks and data. 

For information on Nation State Cybersecurity Threats and related information from CISA, visit Nation-State Cyber Actors.

One example of how we are working to help government and industry partners prepare for major cyber incidents—including from nation-state sponsored activity—is through our Cyber Storm exercise series.  This initiative provides the framework for the most extensive government-sponsored cybersecurity exercise of its kind, bringing together the public and private sectors to simulate discovery of and response to a significant cyber incident impacting the Nation’s critical infrastructure.

Over three days of live drills in April 2024, CISA’s Cyber Storm IX provided the nation’s critical infrastructure an opportunity to test and improve U.S. resilience, response, and recovery to significant cyber incidents. This year’s scenario drew from the type of cybersecurity threats posed by nation-states and included cloud-based vulnerabilities impacting critical infrastructure, with a focus on food and agriculture. The exercise drew over 2,200 participants from 35 federal agencies, 13 states, over 100 private companies representing 12 critical infrastructure sectors, and eleven partner nations.

CISA has coordinated or contributed to 45+ capacity development engagements with more than 15 partner nations and over 150 international participants using over $400k in interagency funds. CISA has also led or been a part of 400+ activities that have strengthened or established relationships with international partners. For example, we have renewed or entered into five international arrangements; developed or updated two joint workplans or arrangements; supported 10 CISA co-sealed prodcuts; and provided approximately 55 monthly products or services to CISA and the interagency. Each of these efforts establish frameworks for deeper relationships with foreign partners.

CISA also maintains an Attaché to the United Kingdom, who has participated in hundreds of engagements and events spanning 16 critical infrastructure sectors, resulting in improved cohesion with one of our most important partners.

On October 29, we released our first International Strategic Plan to improve coordination with our partners, advance international relationships to strengthen the security and resilience of our critical infrastructure, and focus and guide the agency’s international initiatives through FY 2026.

CISA’s work in Artificial Intelligence (AI) extends globally and includes coordinating with international partners to advance global AI security best practices and principles. We engage with our global partners on AI through forums such as the U.S.-EU Trade and Technology Council and G7. We have worked with our international partners to develop a set of AI security resources for different audiences at every stage of the AI life cycle including the ACSC-led Guidance on How to Use AI Systems Securely and the Joint Guidance on Deploying AI Systems Securely, which provides best practices for deploying and operating externally developed AI systems. We continue to explore partnerships with international partners, especially Australia, Canada, New Zealand, and the U.K., for red teaming guidelines, best practices, and collaboration models for joint AI red teaming exercises.

In 2024, the United States served as chair of the Critical Five (C5). Established as an international forum in 2012, the C5 is comprised of members from government agencies responsible for critical infrastructure protection and resilience in Australia, Canada, New Zealand, the United Kingdom, and the United States.

In collaboration with the U.S. Department of Homeland Security, U.S. Coast Guard, and multiple interagency stakeholders, CISA conducted a series of exercises with government and private sector partners in Indonesia, Japan, and the Philippines. These exercises simulated significant cyber incidents at major international shipping ports to test the preparedness of partner nations and their response policies and procedures to mitigate impacts on regional and international supply chains.

CISA publishes customer-focused products to help organizations understand and address their current risk as well as to look further out and start planning for mid-range risks that may emerge in the next three to 30 years. 

To help make CISA’s Infrastructure Resiliency Planning Framework (IRPF) easier for communities and other stakeholders to use as they plan for risks that are unique to their area, we published an IRPF Playbook that provides step-by-step guidance for users to help them accomplish key actions within each of the five planning steps discussed in the main IRPF.  Additionally, CISA released additional topics as part of its Secure Tomorrow Series Toolkit, which now addresses nine topics ranging from trust and social cohesion to advanced manufacturing to water availability. The Secure Tomorrow Series toolkits allow users to self-facilitate and conduct strategic foresight activities so they can derive actionable insights about the future, identify emerging risks, and develop risk management strategies that, if implemented today, could enhance long-term critical infrastructure security and resilience.

In 2024, CISA improved our ability to produce critical infrastructure risk analysis by improving capabilities within its Suite of Tools for the Analysis of Risk (STAR). STAR is used by risk analysts in CISA to produce more accurate and timely risk assessments, directly improving the nation’s ability to prepare for and respond to threats to critical infrastructure. It provides a more impactful understanding of the cascading impacts of risks and supports the development of data-driven risk mitigation strategies.

Since it was established in December 2018, the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force has played an invaluable role in identifying challenges and developing actionable solutions to enhance global ICT supply chain resilience. The ICT SCRM Task Force helps increase the security and resilience of our ICT supply chains by providing a trusted forum that encourages collaboration and knowledge sharing among Task Force members from the U.S. Government and Communications and IT Sectors, as well as from the broader stakeholder community, 

In 2024, the ICT SCRM Task Force: 

• Renewed the ICT SCRM Task Force Charter for two more years, an essential step toward continued collaboration and strengthening public-private partnerships. With the extension, the Task Force can continue to leverage its unique partnership to work with public and private sector organizations to identify potential workstreams and increase the utilization of Task Force products, tools, and resources among stakeholders to better manage risks facing the ICT supply chain. 
• Hosted the inaugural ICT SCRM Task Force Conference: Innovations in ICT Supply Chain Risk Management on June 12. With over 160 attendees, the conference provided a forum for Task Force members, subject matter experts, and conference participants to come together and showcase Task Force products, tools, and templates that can reduce risk.  Participants also joined important discussions related to ICT supply chain threats and emerging technologies that could form the basis for future Task Force workstreams. 
• Published the Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle (Software Acquisition Guide). The Task Force developed the Software Acquisition Guide in response to the core challenges around software assurance and cybersecurity transparency in the acquisition process, focusing primarily on software lifecycle activities. The Software Acquisition Guide provides guidance for addressing software product security principles within the software lifecycle to support software assurance during software design, development, deployment, and operational use. The Guide can be used as a basis to describe, assess, and measure suppliers’ security practices relative to the software life cycle without requiring that acquisition team members become cybersecurity experts.   

The Product Marketing Working Group raises awareness of Task Force products by facilitating stakeholder events; creating resources in the form of factsheets, videos, webinars, newsletters; marketing products and resources to maximize access; and collecting feedback through product surveys to refine and enhance Task Force products.

While critical infrastructure is core to CISA’s mission, driving down risk and building resilience is a whole of nation effort. In addition to working with the 16 critical infrastructure sectors, we worked to grow our relationships with state, local, tribal and territorial, as well as private sector and non-profit stakeholders. Through hundreds of engagements around the country, we connected stakeholders with CISA resources; educated the public, small business and organizations on Secure Our World resources to improve basic cybersecurity, and gathered feedback on how the CISA could be helpful.  For example:

• CISA worked with the National Governors Association and Council of Governors to update the Cyber Joint Action Plan that reinforces federal and state collaboration on cyber defense. 
• CISA grew its relationship with the emergency management community, and for the first time, leadership presented at the Big City Emergency Managers, the International Association of Emergency Managers, and the National Emergency Management Association conferences. 
• CISA has engaged with several disability organizations seeking feedback on our products to make them more accessible for the disability community.
• Through our new relationship with the Boys & Girls Clubs of America, we are working with them on products Clubs can use to improve cybersecurity for Clubs and members.

Space systems, and the services they provide, are vital to the nation’s critical infrastructure, and by extension, our national and economic security. Space systems and space-based services face threats and vulnerabilities that could potentially impact critical infrastructure, DHS front line workers, operational missions, and individual citizens. CISA works with the Sector Risk Management Agencies (SRMAs) and critical infrastructure partners to prioritize assessing their reliance on space systems and assets, and the potential cascading impacts on and across sectors if disruptions were to occur.

To mitigate risks, the CISA collaborates with government and industry partners to enhance the security and resilience of space systems and services. In particular:

• Assessing risks to space systems and space-based services to identify vulnerabilities and mitigations 
• Delivering risk identification and mitigation training to interagency and private sector stakeholders 
• Coordinating with SRMAs and private sector partners to address risks to space systems and space-based services in Sector Risk Assessments (SRA) Cross-sector Risk Assessments (CSRA) in alignment with National Security Memorandum 22 (NSM-22)
• Facilitating partnerships and working groups
• Leading exercises to address gaps and identify sector-specific mitigations 
• Publishing resources that outline actionable guidance and mitigations informed by subject-matter experts

NRMC fulfills key leadership roles and serves as a coordinator for the Federal, State, Local, Tribal, and Territorial (SLTT) governments and private sector partners responsible for identifying and mitigating space-based risk to critical infrastructure. In particular: 

• Space Systems Critical Infrastructure Working Group (SSCIWG): This CISA-led working group fosters collaboration among federal agencies, state and local governments, industry partners, and other critical infrastructure sectors to enhance space system security and resilience. The Working Group operates under the Critical Infrastructure Partnership Advisory Council (CIPAC) framework and serves as the primary mechanism for DHS to collaborate and coordinate on strategies and policies to enhance space system security and resiliency.
• Positioning, Navigation, and Timing (PNT) Executive Committee (EXCOM):  CISA co-chairs the PNT EXCOM, emphasizing the importance of cybersecurity and infrastructure protection to ensure the resilience of critical services. This federal interagency body oversees and coordinates efforts related to PNT systems in the United States, focusing on the availability, reliability, and security of services like the Global Positioning System (GPS) to support national security and economic interests. 
• Space Weather Operations, Research, and Mitigation (SWORM) Subcommittee: CISA co-chairs this interagency body organized under the National Science and Technology Council (NSTC). SWORM coordinates federal actions to achieve objectives outlined in the National Space Weather Strategy and Action Plan (NSW-SAP), which mandated the establishment of the Space Weather Advisory Group (SWAG).
• Space Weather Advisory Group (SWAG):  As a member of the SWAG, NRMC provides recommendations to the SWORM interagency working group that enhance the United States’ preparedness for and response to space weather events by aligning research to operational strategies and developing an integrated approach to space weather observation.
• Space Information Sharing and Analysis Center (ISAC): The Space ISAC facilitates collaboration across the global space industry to enhance preparedness and response efforts; disseminate timely and actionable information among member entities; and serve as the primary communications channel for space sector member organizations, including satellite operators, manufacturers, service providers, and government agencies.
• National Defense Information Sharing and Analysis Center (ISAC): The National Defense ISAC convene Defense Industrial Base critical infrastructure companies, suppliers, and government stakeholders to share cyber and physical security threat indicators, best practices and mitigation strategies.

National Security Memorandum 22 on Critical Infrastructure Security and Resilience (NSM-22) and 6 U.S.C. § 665d2 require that each Sector Risk Management Agency (SRMA) assess sector-specific risk. NSM-22 directs SRMAs to “identify the most significant critical infrastructure risks to their sector, including key cross-sector risks and interdependencies.” On behalf of DHS, which is the SRMA for eight critical infrastructure sectors, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted Sector-Specific Risk Assessments (SRA) in collaboration with sector partners.

The objectives of the SRAs are to: 

• Enhance the security and resilience of critical infrastructure within each sector
• Engage stakeholders and experts to identify significant critical infrastructure sector risks which require collaborative planning 
• Assess the likelihood and potential consequences of identified risks 
• Inform the cross-sector risk assessment 
• Guide mitigation efforts to reduce risk within the sector and across sectors, as appropriate

The risk assessments were developed using CISA’s Sector-Specific Risk Assessment Guidance (June 2024), which applies enterprise risk management best practices to the critical infrastructure risk environment using a scenario-based approach. The methodology is intended to integrate the best available information from a range of qualitative and quantitative inputs to identify and assess the greatest risks to the nation. These risk assessments were developed collaboratively with stakeholders, including federal departments and agencies, state and local government organizations, private sector entities, and members of the intelligence community. 

From May to September 2024, a series of workshops and meetings were held through the sector councils to identify risks, drawing on historical incidents, evidence of vulnerabilities, and potential consequences. This collaborative effort also incorporated intelligence from the Office of the Director of National Intelligence Annual Threat Assessment (2024) and the Department of Homeland Security Office of Intelligence & Analysis Homeland Threat Assessments (2024 and 2025), which informed the evaluation of a broad range of complex threats to U.S. critical infrastructure.

CISA has continued its Connected Communities Initiative (CCI) this year, expanding its resource library and offering new opportunities to engage on risks to connected communities and the technologies that underpin them. Connected communities may create safer, more efficient, resilient communities through technological innovation and data-driven decision-making; however, the integration of smart technologies also introduces potential vulnerabilities that, if exploited, could impact economic security, public health and safety, and critical infrastructure operations. Cyber threat activity against operational technology (OT) systems is increasing globally, and the interconnection between OT systems and smart city infrastructure increases the attack surface and heightens the potential consequences of compromise across these environments. 

CISA partners with international and domestic government agencies at all levels to share risk mitigation best practices and guidance to help prevent and protect against critical disruptions to connected communities. CISA’s work in this space fosters open dialogue and guides domestic and international partners to adopt appropriate security practices in pursuit of secure and resilient connected communities. Some of our recent publications include:

• Connected Communities Guidance - Zero Trust to Protect Interconnected Systems
• Connected Communities Risk Postcard series
• Connected Communities Procurement and Implementation Guidance