How Did CISA Strengthen US Cyber Defenses in 2025?


The digital battleground of 2025 saw unprecedented aggression from sophisticated adversaries, yet the United States’ cyber defenses not only held the line but actively pushed it forward, thanks to a revitalized strategic approach from the Cybersecurity and Infrastructure Security Agency (CISA). In a year defined by persistent threats and evolving tactics, CISA demonstrated a marked evolution, transitioning from a reactive posture to one of proactive defense. The agency’s 2025 Year in Review report details a period of significant achievement, where a focus on partnership, innovation, and operational excellence yielded tangible gains in national resilience and set a new standard for public-private cybersecurity collaboration.

A New Proactive Posture: CISA’s Strategic Vision for 2025

Throughout 2025, CISA operationalized a modernized strategy built on three core pillars: strengthening collective defense, protecting critical infrastructure, and ensuring operational excellence. This framework moved beyond traditional cybersecurity roles, positioning the agency as the nation’s central coordinator for risk management. The significance of this vision lies in its acknowledgment that no single entity can defend against the full spectrum of modern threats. By defining its mission through these interconnected priorities, CISA established a comprehensive and adaptable blueprint for securing the systems and services Americans rely on daily.

The most profound element of this new vision was the agency’s decisive pivot from incident response to proactive threat mitigation. Historically, government cyber defense often focused on reacting to breaches after they occurred. In contrast, 2025 saw CISA champion a forward-leaning approach centered on active threat hunting, predictive analysis, and the rapid dissemination of actionable intelligence. This shift fundamentally changed the dynamic, enabling network defenders across the country to anticipate and neutralize threats before they could cause significant harm, rather than simply cleaning up the aftermath.

Central to executing this proactive strategy was an unprecedented level of collaboration. CISA deepened its public-private partnerships, recognizing that the vast majority of critical infrastructure is owned and operated by the private sector. The agency also fortified its alliances with federal partners, state, local, tribal, and territorial (SLTT) governments, and international allies. This collaborative ecosystem became the engine for collective defense, creating a force multiplier effect where shared intelligence and coordinated actions produced a security posture far stronger than the sum of its individual parts.

From Strategy to Action: Measurable Gains in National Cyber Resilience

Expanding Collective Defense Through Technology and Teamwork

The strategic vision for collective defense materialized through the significant expansion of key technological programs. The CyberSentry program, which provides advanced threat detection for networks supporting National Critical Functions, was broadened to include 42 voluntary partners from the private sector. Concurrently, CISA aggressively scaled its Endpoint Detection and Response (EDR) capability, deploying it to over 60 federal civilian agencies. This deployment provided crucial visibility into network endpoints, enabling near real-time detection and response to sophisticated threats across a vast government attack surface.

This technological expansion was complemented by targeted interagency collaborations that produced concrete security outcomes. Working alongside the Food and Drug Administration, CISA addressed critical flaws in foreign-made patient monitors, which resulted in a product recall and an import ban to protect patient safety. Similarly, a partnership with the U.S. Coast Guard led to the remediation of vulnerabilities in a maritime system used by 80% of the world’s ports. These efforts, along with joint work to secure train automation protocols and commercial airline collision avoidance systems, demonstrated the power of a whole-of-government approach to securing critical sectors.

To ensure these defensive measures would hold up under pressure, CISA conducted 148 comprehensive security exercises throughout the year. These drills engaged over 10,000 participants from government and industry, simulating a range of cyber and physical threat scenarios. Far from being simple procedural checks, these exercises were designed to test the limits of existing resilience plans, identify hidden gaps in coordination and response, and build the institutional muscle memory needed to act decisively during a real-world crisis.

By the Numbers: Quantifying CISA’s Impact on the Threat Landscape

The success of CISA’s proactive stance in 2025 is starkly illustrated by its performance metrics. The agency successfully blocked an astonishing 2.62 billion malicious connections from reaching federal civilian executive branch networks. Furthermore, it prevented an additional 371 million malicious connections aimed at critical infrastructure partners, showcasing the effectiveness of its defensive technologies at a massive scale. These figures represent countless potential intrusions, data breaches, and disruptions that were thwarted before they could materialize.

At the heart of this defensive effort was CISA’s 24/7 Operations Center, which served as the nation’s primary hub for cybersecurity incident management. Over the year, the center triaged more than 30,000 reported incidents, providing expert analysis and response coordination. It also served as a vital information-sharing node, publishing over 1,600 distinct cybersecurity products, including alerts, advisories, and technical guidance. This consistent output of actionable intelligence equipped partners across all sectors with the information needed to bolster their own defenses.

Looking ahead, the agency’s defensive capabilities are set to grow even stronger. The expansion of the EDR program in 2025 brought its coverage to over 500,000 endpoints within the federal government. This vast network of sensors provides an unparalleled level of insight into adversary activity, forming a foundation for more sophisticated threat hunting and automated response actions. The data gathered from these endpoints will continue to refine CISA’s understanding of the threat landscape, enabling more precise and effective defensive measures in the years to come.

Confronting an Evolving Threat Landscape: CISA’s Response to Modern Adversaries

One of the greatest challenges in modern cybersecurity is the overwhelming volume of software flaws. To address this, CISA leaned heavily on its Known Exploited Vulnerabilities (KEV) catalog, adding 238 new high-risk vulnerabilities in 2025. The KEV catalog is not merely a list; it is a directive that mandates federal agencies to remediate specific flaws known to be actively used by adversaries. To help private sector partners prioritize, CISA also utilized the Stakeholder-Specific Vulnerability Categorization (SSVC) framework to assess over 43,000 vulnerabilities, translating complex technical data into clear, actionable guidance on which patches to apply first.

The increasing complexity of software supply chains presented another critical challenge. Malicious actors have shifted their focus to compromising software at its source, making it difficult for organizations to trust the tools they use. In response, CISA developed and promoted practical guidance and resources aimed at mitigating these risks. This included fostering the adoption of Software Bills of Materials (SBOMs), which provide a transparent inventory of the components within a piece of software, allowing organizations to rapidly identify and address vulnerabilities in their software dependencies.
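As an added illustration of how the KEV catalog and SBOMs described above fit together in a defender's workflow (example code written for this article, not CISA's own tooling): the script matches an SBOM's component inventory against KEV entries and orders the results by KEV due date, flagging entries whose remediation deadline has passed. The KEV field names follow CISA's public JSON feed; the feed excerpt, the SBOM and the CVE-to-package map (a constructed stand-in for a vulnerability-database lookup, since KEV itself carries no affected-version data) are all made up, with placeholder CVE IDs.

```python
"""Cross-reference a CycloneDX-style SBOM against a CISA KEV catalog feed.

Added example, not CISA's code. Field names (cveID, vendorProject, product,
dateAdded, dueDate, requiredAction) follow the public KEV JSON feed; every
entry below is constructed with placeholder CVE IDs, not real catalog data.
"""
import json
from datetime import date

# Constructed KEV excerpt (placeholder IDs, same shape as the real feed).
KEV_FEED = json.loads("""
{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "catalogVersion": "example", "count": 2,
 "vulnerabilities": [
  {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "libwidget",
   "dateAdded": "2025-03-01", "dueDate": "2025-03-22",
   "requiredAction": "Apply mitigations per vendor instructions."},
  {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "parsekit",
   "dateAdded": "2025-11-10", "dueDate": "2025-12-01",
   "requiredAction": "Apply updates per vendor instructions."}]}
""")

# Constructed CycloneDX-style SBOM: the component inventory for one application.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "libwidget", "version": "2.3.1"},
    {"type": "library", "name": "parsekit", "version": "1.0.0"},
    {"type": "library", "name": "fastlog", "version": "4.1.0"}]}

# Constructed stand-in for a vulnerability-database lookup (NVD/OSV style):
# CVE -> (package, affected versions). KEV alone does not carry version data.
AFFECTED = {"CVE-2099-0001": ("libwidget", {"2.3.0", "2.3.1"}),
            "CVE-2099-0002": ("parsekit", {"1.0.0"}),
            "CVE-2099-0003": ("fastlog", {"4.1.0"})}   # vulnerable, but not in KEV

def kev_hits(sbom, kev_feed, affected, today_iso):
    """Return SBOM components that match a KEV entry, earliest due date first.

    Components with CVEs outside KEV are deliberately not returned: KEV
    membership is the mandatory-remediation signal this pass prioritises.
    """
    today = date.fromisoformat(today_iso)
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    hits = []
    for comp in sbom["components"]:
        for cve, (pkg, versions) in affected.items():
            if pkg == comp["name"] and comp["version"] in versions and cve in kev:
                due = date.fromisoformat(kev[cve]["dueDate"])
                hits.append({"cve": cve, "component": f"{pkg}@{comp['version']}",
                             "due": due.isoformat(), "overdue": due < today,
                             "action": kev[cve]["requiredAction"]})
    return sorted(hits, key=lambda h: h["due"])
```

Running `kev_hits(SBOM, KEV_FEED, AFFECTED, "2025-11-20")` returns two findings, the March entry already past its KEV due date and the December one still open, while the fastlog CVE is left for the normal patch cycle because it is not in KEV.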

Lessons learned from past incidents, particularly the SolarWinds supply chain compromise, drove significant internal modernization at CISA. Recognizing the risk of being part of a monolithic government network, the agency completed the development of its own segmented enterprise IT ecosystem. This initiative not only enhanced CISA’s internal security posture but also streamlined its ability to process and analyze threat data from across the nation. This internal resilience ensures CISA can continue its mission even if other parts of the federal government are compromised.

Shaping Policy and Empowering Partners: CISA’s Regulatory and Guidance Initiatives

In December 2025, CISA released the updated Cross-Sector Cybersecurity Performance Goals (CPG) 2.0, a landmark guidance document for critical infrastructure owners and operators. Aligned with the latest NIST Cybersecurity Framework, the CPGs provide a clear, prioritized baseline of recommended security practices. Rather than a one-size-fits-all mandate, this guidance offers a common set of foundational measures that organizations across all 16 critical infrastructure sectors can implement to significantly reduce their risk profile against the most common and impactful threats.

Recognizing that many state, local, and tribal entities lack the resources to implement robust cybersecurity programs, CISA worked with the Federal Emergency Management Agency (FEMA) to administer vital federal funding. In 2025, over $100 million in grants were distributed, with $91.7 million allocated through the State and Local Cybersecurity Grant Program and another $12.6 million through the Tribal Cybersecurity Grant Program. These funds directly empowered local communities to develop resilience plans, hire cybersecurity staff, and adopt modern security technologies, strengthening the nation’s defenses from the ground up.

The agency also remained agile in its response to emerging threats and policy directives. Following an executive order focused on the security risks posed by unmanned aircraft systems (UAS), CISA launched the “Be Air Aware” initiative. This program delivered a suite of security guides and resources to help public and private organizations understand and mitigate potential threats from drones, demonstrating CISA’s ability to quickly pivot and provide timely guidance on new and evolving security challenges.

Forging the Future of Defense: Innovations in Tools and Internal Operations

To empower network defenders on the front lines, CISA developed and released innovative new resources throughout 2025. Chief among them was the “Eviction Strategies Tool,” a comprehensive solution designed to help security teams rapidly contain and permanently eject adversaries from compromised networks. This tool includes a playbook generator for creating tailored incident response plans and a database of countermeasures mapped to common adversary tactics, providing defenders with a clear roadmap for remediation.

CISA also focused on integrating security into the earliest stages of the technology lifecycle. The agency launched an interactive web tool to guide software acquisition officials in embedding cybersecurity best practices into their procurement processes, ensuring that new products are secure by design. In parallel, CISA collaborated with the NSA and 19 international partners to publish a comprehensive guide on implementing Software Bills of Materials (SBOMs), helping organizations worldwide gain crucial visibility into their software supply chains.

This commitment to innovation extended to CISA’s own internal operations. The agency continued to modernize its infrastructure, migrating 54 federal agencies to a Dashboard-as-a-Service model to lower hosting costs and improve security visibility. In a demonstration of responsible stewardship, CISA’s own Red Team achieved a 25% reduction in its cloud infrastructure costs through targeted optimization efforts. These internal improvements in efficiency and security enabled CISA to better serve its partners and execute its national mission more effectively.

A Resilient Nation: Synthesizing 2025’s Success and Charting the Path Forward

The achievements of 2025 solidified CISA’s position as the nation’s essential cyber defense agency. Through a combination of proactive threat hunting, deep collaboration, and the delivery of practical tools and guidance, CISA made measurable progress in hardening the country’s defenses against a relentless barrage of cyber threats. From blocking billions of malicious connections to empowering local communities with federal grants, the agency’s work had a tangible impact on the security of American networks and infrastructure.

Ultimately, the success of the year was rooted in a foundational shift toward a partnership-driven defense strategy. The year proved that national cyber resilience is not something the government can impose but rather a collective responsibility that must be shared between public and private entities. CISA’s role as a central coordinator, trusted advisor, and information-sharing hub was instrumental in fostering the collaboration necessary to protect a distributed and interconnected digital ecosystem.

Looking back, 2025 stands as a testament to what can be accomplished when strategy is seamlessly translated into action. The proactive and collaborative posture adopted by CISA created a powerful defensive momentum that will carry into the years ahead. The agency’s commitment to continuous innovation and strengthening partnerships has built a stronger, more resilient nation, better prepared to anticipate and preempt the threats of tomorrow.
