Over the past decade, CISA has fundamentally transformed federal civilian cybersecurity and measurably improved agency security posture. In CISA’s 2025 Year in Review report, the agency shared that it had stopped 2.62 billion malicious connections on federal civilian networks and 371 million within critical infrastructure. CISA’s cyber capabilities work: they block threats, detect compromises, and provide the visibility that agencies previously lacked.
Yet CISA’s success has revealed a new challenge: modern adversaries don’t respect the boundaries between security tools. A sophisticated attack can begin with phishing, bypass DNS filtering, compromise an endpoint, establish command and control through legitimate cloud services, and exfiltrate data through approved channels, generating alerts across multiple systems.
One such attack occurred last September when a threat actor used agentic AI capabilities to attack several high-profile institutions, including government agencies. Without a cohesive, integrated cybersecurity system, these alerts may be seen as isolated signals rather than a coherent threat narrative.
In today’s evolving cyber landscape, federal leaders should build on CISA’s strong foundational cybersecurity by catalyzing the next evolution: moving from effective point capabilities to an integrated, full-spectrum defense that matches the sophistication of modern threats.
From Effective Tools to a Unified Defense
The protective capabilities CISA has deployed deliver measurable value and have already prevented countless incidents — Protective DNS blocks millions of malicious domains daily; CDM provides unprecedented visibility into agency IT assets and vulnerabilities; and endpoint detection tools identify malicious processes that traditional antivirus misses.
The challenge emerges not from individual tool limitations but from how these capabilities interact — or more precisely, how they don’t. When agencies operate multiple security tools independently, three critical gaps emerge: visibility fragmentation, response coordination complexity and intelligence gaps.
Visibility fragmentation occurs when security data remains trapped within individual platforms. Analysts investigating suspicious activity must manually pivot between DNS logs, endpoint alerts, network traffic captures, identity system events and more. This switching between systems can slow down investigation and increase the likelihood that critical connections go unnoticed.
Likewise, containing a threat across multiple security domains (blocking malicious domains in DNS, isolating affected endpoints, updating firewall rules, and potentially revoking compromised credentials) can result in response coordination complexity, i.e., separate workflows and sequential execution, which gives adversaries time to adapt.
Finally, intelligence gaps can prevent agencies from identifying patterns spanning network behavior, user activity, endpoint processes, application access and more that can indicate a sophisticated, multi-stage attack.
The Integrated Advantage
To tackle these challenges, federal leaders should adopt an integrated cybersecurity approach to leverage their existing, effective tools. With integration, components share intelligence, coordinate responses, and present analysts with contextualized information that enables decisive action.
Integration means approaching cybersecurity with that element at the forefront, which means CISA will need to approach its federal cybersecurity posture differently moving forward. To move toward integrated cybersecurity, CISA should look to pull in agency stakeholders, streamline data access for agencies and consider developing a rapid prototyping capability to accelerate initiatives as needed.
Involving agency leadership and stakeholders will allow for input on cybersecurity tools and systems that more accurately reflect federal workers’ current tech environments and align more with individual agency mission needs. Stakeholder input — from development to launch and execution — will make security systems more accessible to workers on the cyber frontline of their agencies and will likely result in more buy-in and increased integration as stakeholders can consider what other systems and tools they are already using.
Likewise, agency stakeholders would benefit from additional access to the data produced by protective DNS and other cybersecurity tools. Alerts and emails are beneficial, but additional data can paint a more cohesive picture for a federal cyber worker of what may be impacting an individual agency and where its weaknesses are. Isolating affected endpoints and revoking access are great immediate steps, but putting more data in the hands of trusted federal employees can allow for increased coordination and integration.
For emerging technologies or tools to counter rapidly evolving threats, CISA should consider a rapid prototyping program. Working alongside select agency partners, CISA could develop, launch and test a capability within an agency environment, gathering user feedback and initial diagnostics so that it can launch quick-acting solutions for individual agency needs.
Finally, CISA and agency leaders should look to partner with organizations that deeply understand both cybersecurity requirements and the operational realities that agencies face daily. Partners to federal agencies must have team members who have operated security operations centers, responded to federal incidents, and implemented defenses within the constraints of government IT environments. They need to understand what works within federal mandates for FedRAMP compliance, authority-to-operate processes, and FISMA requirements.
Protective DNS, endpoint detection, vulnerability management, and continuous diagnostics have delivered measurable improvements to the nation’s federal civilian agency security posture; integration will unlock their full potential.
By partnering strategically, coordinating with agency stakeholders, providing increased data and developing a rapid prototyping capability, CISA can move forward towards implementing an integrated cybersecurity foundation across the federal government — continuing its legacy of protecting our nation and its resources for many years to come.



