While the directive showed a “progressive approach to securing federal agencies in the next few months,” it could not be applied to critical infrastructure systems. There are often legitimate reasons why things are not patched within many critical infrastructure environments.
CISA passes directive forcing federal civilian agencies to fix 306 vulnerabilities
