CISA Retires Directives, Adopts Systemic Cyber Defense

With a distinguished career at the intersection of emerging technologies and public policy, Dominic Jainy offers a unique perspective on the federal government’s evolving cybersecurity landscape. The recent announcement from the Cybersecurity and Infrastructure Security Agency (CISA) that it is retiring ten emergency directives issued since 2019 marks a pivotal moment in this evolution. We sat down with Dominic to explore what this shift signifies for national security, delving into the transition from reactive, crisis-driven responses to a more sustainable and proactive framework. Our conversation covers the practical implications for federal agencies, the collaborative efforts underpinning these successes, and how the “Secure by Design” philosophy is shaping the future of digital defense.

The retired directives span five years and cover major incidents like the SolarWinds and Microsoft Exchange compromises. What does closing these specific directives signify about the federal government’s current security posture, and what key lessons were learned from remediating these diverse, high-profile threats?

Closing these ten directives is a significant milestone; it’s like graduating from a period of intense, reactive fire-fighting. Think back to the chaos of the SolarWinds compromise—it was a sprawling supply-chain attack that required an unprecedented all-hands-on-deck response. The same goes for the Microsoft Exchange vulnerabilities, which sent everyone scrambling to patch on-premises servers. Retiring these directives doesn’t mean the threats are gone, but it signifies that the federal enterprise has successfully remediated those specific issues and, more importantly, has institutionalized the lessons learned. The key takeaway was that an incident-by-incident emergency response isn’t sustainable. This experience forged a commitment to build a more resilient digital infrastructure from the ground up, moving beyond just patching to fundamentally strengthening our systems.

CISA noted that required actions are now enforced through the broader Binding Operational Directive 22-01. How does this shift the daily approach to vulnerability management for federal agencies? Please describe the practical differences between responding to a specific ED versus this ongoing catalog model.

The difference is night and day; it’s the shift from a sprint to a marathon. An Emergency Directive is a blaring alarm bell for a single, five-alarm fire. When ED 21-01 for SolarWinds dropped, agencies had to drop everything else to focus on that one catastrophic threat. It was an urgent, all-consuming effort with a very narrow focus. Binding Operational Directive 22-01, on the other hand, is the new building code. It establishes a permanent, operational rhythm. Now, an agency’s security team isn’t just waiting for the next emergency. They are continuously scanning their networks against a living catalog of known exploited vulnerabilities and must remediate them within a specific timeframe. This creates a culture of proactive cyber hygiene and operational collaboration, rather than one of lurching from one crisis to the next.

Emergency Directives addressed severe risks ranging from DNS infrastructure tampering to vulnerabilities in VMware products. Can you walk us through the collaborative process CISA uses with agencies to achieve remediation? What specific metrics or milestones must be met before a directive is considered closed?

The process is far more than CISA just issuing a mandate and walking away. As the operational lead for federal cybersecurity, CISA works hand-in-glove with the Federal Civilian Executive Branch agencies. It’s an intensive partnership. When a directive is issued, CISA provides technical guidance, assists with threat hunting, and helps validate mitigation steps. An ED isn’t closed until there’s comprehensive verification that the required actions have been implemented across the board. This means confirming that patches are applied, that malicious actors have been evicted from networks, and that compensating controls are in place. The ultimate milestone is confidence that persistent access has been eliminated and the unacceptable risk, especially from nation-state actors, has been neutralized. The directive remains active until that resilient state is achieved and validated.

The closure of these directives has been linked to advancing Secure by Design principles. Beyond patching known exploits, how is this approach changing an agency’s long-term strategy for building a resilient digital infrastructure? Please provide a concrete example of a Secure by Design change.

This is the most critical strategic evolution. Patching is fundamentally a reactive measure; it’s admitting a product was shipped with a flaw. Secure by Design is about preventing those flaws from existing in the first place. It’s a profound shift in mindset for agencies, moving them from being just consumers of technology to being informed customers who demand better security from vendors. For example, instead of an agency buying a new software product and then spending weeks hardening it by turning off insecure default settings, a Secure by Design approach means the procurement contract itself would mandate that the product ships secure by default. It would also require transparency in how the product handles data and interoperability with the agency’s existing security tools, ensuring they can defend their diverse environments effectively from day one.

What is your forecast for the future of federal emergency cybersecurity response?

My forecast is that we will see Emergency Directives become increasingly rare and surgical. The goal of frameworks like BOD 22-01 and the push for Secure by Design is to raise the entire security baseline of the federal government. As this baseline rises, the number of vulnerabilities that can cause a government-wide crisis should decrease. Future EDs will likely be reserved for truly novel, unexpected threats—sophisticated zero-day attacks or major systemic risks that our current playbooks don’t cover. The day-to-day defense will be handled by the continuous, operationalized vigilance that CISA has worked so hard to instill, shifting the federal posture from a constant state of emergency to one of sustained resilience and readiness.
