The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is intensifying its coordinated vulnerability disclosure (CVD) program, urging private-sector organizations - including manufacturers, energy operators, and critical infrastructure owners - to actively report exploitation data and integrate agency threat intelligence into their security workflows. The effort is backed by updated cross-sector guidance, expanded catalog resources, and a formal vendor accountability timeline that applies across both information technology (IT) and operational technology (OT) environments.
Background
CISA's Coordinated Vulnerability Disclosure Program identifies, verifies, and coordinates the responsible disclosure of vulnerabilities across critical infrastructure technologies, including IT, OT, industrial control systems (ICS), medical devices, Internet of Things systems, AI systems, and open-source software. The program operates under statutory authority allowing CISA to receive and act on vulnerability information affecting any system that intersects with critical infrastructure, whether inside or outside federal networks.
The pace of the threat environment has forced the agency to scale rapidly. In fiscal year 2025, federal agencies participating in CISA's Vulnerability Disclosure Policy (VDP) Platform received over 12,800 vulnerability reports from public security researchers, including over 1,200 valid reports, of which agencies remediated 1,099 - a 90% remediation rate. Separately, CISA added 238 high-risk vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in FY 2025, enabling organizations to identify and patch actively threatened systems more quickly. The KEV catalog is the agency's authoritative list of CVEs confirmed as exploited in the wild. CISA assessed and scored more than 43,000 vulnerabilities using its Stakeholder-Specific Vulnerability Categorization (SSVC) framework - a decision-tree model that converts complex technical data into clear remediation priorities.
The industrial sector faces compounding exposure. According to analysis of CISA ICS advisories from 2024 to 2025, there are 29 known exploited vulnerabilities affecting industrial control systems across multiple vendors, with Siemens accounting for 16 of those exploited CVEs, or 55% of the total, followed by Rockwell Automation and Schneider Electric each with three. Advisory counts have climbed steadily, with critical manufacturing and energy remaining the most impacted sectors, followed by commercial facilities, transportation, and water. CISA's own assessments note that many ICS environments continue to operate legacy technologies and proprietary protocols originally designed for operability and reliability rather than cybersecurity, with many still using outdated operating systems and protocols that lack encryption or authentication mechanisms.
Details
CISA's primary intake channel for external vulnerability reports is the Vulnerability Information and Coordination Environment (VINCE), a secure platform hosted by Carnegie Mellon University's Software Engineering Institute (SEI) and sponsored by CISA, which accepts anonymous reports. The agency is also processing a new standardized Vulnerability Reporting Submission Form, refined following a public comment period that concluded in September 2025, designed to improve intake and triage without creating an entirely new framework.
On vendor accountability, in cases where a vendor is unresponsive or will not establish a reasonable remediation timeframe, CISA may disclose vulnerabilities as early as 45 days after the initial contact attempt, regardless of whether a patch is available. This policy aims to prevent indefinite suppression of vulnerability information and reduce exploitation windows for organizations that depend on timely disclosure.
CISA formalized its approach to the IT/OT gap in December 2025 with the release of Cross-Sector Cybersecurity Performance Goals version 2.0 (CPG 2.0), which consolidates previously separate IT and OT goals into unified cross-sector objectives and introduces a new "Govern" function emphasizing executive accountability, risk management, and leadership-level oversight of cybersecurity programs. CPG 2.0 aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and incorporates three years of operational feedback, according to the agency. The CPG 2.0 framework explicitly addresses OT-specific patching constraints, recommending that for assets where patching risks availability or safety, compensating controls such as network segmentation and enhanced monitoring be applied and formally documented.
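As an added example (not CISA's SSVC calculator, the KEV feed itself, or any agency code), the following Python sketches how an organization could cross-reference inventory findings against a KEV extract and apply a simplified SSVC-style decision tree, routing OT assets that cannot safely be patched to the documented compensating-controls path described under CPG 2.0. The KEV records, CVE identifiers and asset names are constructed placeholders, and the tree is a deliberate simplification of CISA's published SSVC deployer tree rather than a reproduction of it.

```python
"""Prioritize inventory findings against a KEV extract with a simplified
SSVC-style decision tree. Added illustration, not CISA tooling."""
from dataclasses import dataclass

# Constructed sample using the field names of CISA's public KEV JSON feed
# (cveID keys, dueDate, knownRansomwareCampaignUse). The CVE identifiers are
# obvious placeholders, not real catalog entries.
KEV_SAMPLE = {
    "CVE-0000-0001": {"dueDate": "2025-01-01", "knownRansomwareCampaignUse": "Known"},
    "CVE-0000-0002": {"dueDate": "2025-02-01", "knownRansomwareCampaignUse": "Unknown"},
}


@dataclass
class Finding:
    asset: str
    cve: str
    ot_safety_critical: bool  # patching risks availability or safety (CPG 2.0 caveat)
    exposed: str              # "open" (internet-facing), "controlled", or "small"
    automatable: bool         # exploitation needs no human interaction


def ssvc_priority(f: Finding, kev: dict) -> str:
    """Simplified deployer-style tree; outcomes ordered Track < Track* < Attend < Act.
    KEV membership stands in for the 'active exploitation' decision point."""
    if f.cve not in kev:
        return "Track"
    if f.exposed == "open" and f.automatable:
        return "Act"
    ransomware = kev[f.cve]["knownRansomwareCampaignUse"] == "Known"
    if f.exposed == "open" or f.automatable or ransomware:
        return "Attend"
    return "Track*"


def recommended_action(f: Finding, kev: dict) -> tuple:
    """Map priority to a remediation path; OT assets that cannot be patched safely
    get the documented compensating-controls route instead of a patch deadline."""
    priority = ssvc_priority(f, kev)
    if priority in ("Act", "Attend"):
        due = kev[f.cve]["dueDate"]
        if f.ot_safety_critical:
            return priority, f"compensating controls (segment, monitor, document) by {due}"
        return priority, f"patch by {due}"
    return priority, "track in normal patch cycle"


def plan_remediation(findings: list, kev: dict = KEV_SAMPLE) -> list:
    """Return (asset, cve, priority, action) rows sorted so Act comes first."""
    order = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}
    rows = [(f.asset, f.cve, *recommended_action(f, kev)) for f in findings]
    return sorted(rows, key=lambda r: order[r[2]])
```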
According to CISA, CPG 2.0 also expanded the CyberSentry Program to 42 voluntary critical infrastructure partners, delivering advanced threat detection and monitoring for networks supporting National Critical Functions.
For threat intelligence integration, the agency recommends that organizations maintain codified internal procedures for reporting confirmed incidents to CISA and to the relevant sector Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs) within the timeframes set by applicable regulatory guidance. CISA notes that without timely incident reporting, the agency and other stakeholders lack the critical data needed to identify whether broader campaigns are targeting a specific sector. This requirement will be reinforced once rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) takes full effect.
Outlook
CISA has signaled continued expansion of its CVE program stewardship, with priorities that include raising minimum standards for CVE record quality, developing federated enrichment mechanisms, and incorporating automation and machine learning into vulnerability prioritization workflows. A new CISA Cyber Security Evaluation Tool (CSET) assessment module for CPG 2.0, inclusive of the updated goal set and implementation scales, was planned for availability in Q1 2026. Organizations operating mixed IT/OT environments - particularly in manufacturing, energy, and transportation - face increasing pressure to align patch management workflows and incident reporting structures with CPG 2.0 minimums as CIRCIA rulemaking advances.