CISA Ransomware Guidance: Federal Resources and Advisories

The Cybersecurity and Infrastructure Security Agency (CISA) serves as the federal government's primary civilian authority for ransomware guidance, publishing binding advisories, voluntary frameworks, and sector-specific resources that shape how US organizations prepare for and respond to ransomware incidents. CISA's ransomware program operates under the Stop Ransomware initiative, a cross-agency effort that consolidates threat intelligence, technical mitigations, and reporting infrastructure into a single public-facing platform. Understanding the scope and structure of CISA's resources is essential for security teams, incident responders, and compliance professionals navigating federal expectations.


Definition and scope

CISA defines ransomware as "a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable" until a ransom demand is satisfied (CISA Stop Ransomware). Under this definition, CISA's guidance scope covers encryption-based extortion, data theft extortion (commonly called double extortion ransomware), and hybrid campaigns that combine both methods.

CISA's statutory authority to issue ransomware guidance derives primarily from the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278), which established the agency as the national coordinator for critical infrastructure cybersecurity. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) further expanded CISA's role by mandating incident reporting obligations for covered entities — with implementing regulations under active rulemaking as of 2024.

The Stop Ransomware platform consolidates guidance previously distributed across multiple federal agencies. It covers 16 critical infrastructure sectors as designated under Presidential Policy Directive 21 (PPD-21), including healthcare, energy, water, financial services, and government facilities. Sector-specific advisories are coordinated through Sector Risk Management Agencies (SRMAs), with CISA acting as a cross-sector lead.

CISA's ransomware guidance is distinct from law enforcement guidance issued by the FBI, though the two agencies coordinate closely through joint advisories. The FBI's Internet Crime Complaint Center (IC3) received 2,825 ransomware complaints in 2023 (FBI IC3 2023 Internet Crime Report), and joint CISA-FBI advisories frequently accompany high-profile threat actor disclosures.


How it works

CISA's advisory and guidance framework operates across four functional layers:

  1. Threat Intelligence Publication — CISA issues Cybersecurity Advisories (CSAs) that attribute ransomware campaigns to named threat actors, describe tactics, techniques, and procedures (TTPs) using the MITRE ATT&CK framework, and provide indicators of compromise (IOCs). Joint advisories are co-authored with the FBI, NSA, and international partners through the Five Eyes alliance.

  2. Vulnerability Cataloging — The CISA Known Exploited Vulnerabilities (KEV) Catalog (CISA KEV) identifies vulnerabilities that ransomware operators have actively exploited. Federal civilian executive branch (FCEB) agencies are required under Binding Operational Directive (BOD) 22-01 to remediate KEV-listed vulnerabilities within defined timeframes. Private sector organizations are strongly encouraged to treat the KEV catalog as a prioritization baseline for vulnerability management programs.

  3. Framework and Playbook Distribution — CISA distributes the Ransomware Response Checklist as part of its broader Cybersecurity Incident & Vulnerability Response Playbooks, published in November 2021. These playbooks align with the NIST Cybersecurity Framework (CSF) and NIST SP 800-61 Rev. 2 for incident handling.

  4. Reporting Infrastructure — CISA operates a 24/7 reporting line and online portal for ransomware incidents. Under CIRCIA, covered critical infrastructure entities will face mandatory 72-hour reporting requirements for significant cyber incidents once final rules are implemented.
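Layer 2 above describes the KEV catalog as a prioritization baseline for vulnerability management. The following script is an added example, not CISA's code or any vendor's tooling: it parses a feed laid out like CISA's public KEV JSON (the field names `cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction` and `knownRansomwareCampaignUse` are the real schema; every entry, CVE ID, vendor, product and inventory row below is constructed for illustration), matches it against an asset inventory by vendor and product, and ranks the findings so that entries flagged for known ransomware campaign use, internet-exposed hosts and past-due BOD 22-01 dates come first.

```python
"""Rank an asset inventory against a CISA KEV-format feed (added example).

Field names follow the public KEV JSON feed; the feed content, CVE IDs,
vendors, products and inventory rows are constructed for this example only.
"""
import json
from datetime import date

# Constructed feed in the shape of the KEV JSON document (placeholder CVE IDs).
KEV_FEED_JSON = json.dumps({
    "title": "constructed KEV-format feed",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleCorp", "product": "EdgeGateway",
         "vulnerabilityName": "ExampleCorp EdgeGateway Authentication Bypass",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleCorp", "product": "EdgeGateway",
         "vulnerabilityName": "ExampleCorp EdgeGateway Command Injection",
         "dateAdded": "2024-02-20", "dueDate": "2024-03-12",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-1900-0003", "vendorProject": "SampleSoft", "product": "FileShare",
         "vulnerabilityName": "SampleSoft FileShare Path Traversal",
         "dateAdded": "2024-02-01", "dueDate": "2024-02-22",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0004", "vendorProject": "OtherVendor", "product": "Unrelated",
         "vulnerabilityName": "OtherVendor Unrelated Privilege Escalation",
         "dateAdded": "2024-02-15", "dueDate": "2024-03-07",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory; "exposed" marks systems reachable from the internet.
INVENTORY = [
    {"host": "vpn-01", "vendor": "ExampleCorp", "product": "EdgeGateway", "exposed": True},
    {"host": "files-02", "vendor": "SampleSoft", "product": "FileShare", "exposed": False},
    {"host": "db-03", "vendor": "SampleSoft", "product": "Database", "exposed": False},
]


def load_kev(feed_json):
    """Parse a KEV-format JSON document into normalised entry dicts."""
    doc = json.loads(feed_json)
    entries = []
    for v in doc["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"].lower(),
            "product": v["product"].lower(),
            "name": v["vulnerabilityName"],
            "due": date.fromisoformat(v["dueDate"]),  # BOD 22-01 remediation deadline
            "ransomware": v.get("knownRansomwareCampaignUse", "Unknown") == "Known",
            "action": v["requiredAction"],
        })
    return entries


def prioritize(entries, inventory, today):
    """Match inventory rows to KEV entries by vendor/product and rank the findings.

    Highest priority first: known ransomware campaign use, internet exposure,
    past-due remediation date, then soonest due date. KEV entries carry no
    version ranges, so each match is a candidate the patch owner must confirm
    against the installed build before closing it out.
    """
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for e in entries:
            if key != (e["vendor"], e["product"]):
                continue
            days_left = (e["due"] - today).days
            findings.append({
                "host": asset["host"], "cve": e["cve"], "name": e["name"],
                "ransomware": e["ransomware"], "exposed": asset["exposed"],
                "days_to_due": days_left, "overdue": days_left < 0,
                "action": e["action"],
            })
    findings.sort(key=lambda f: (not f["ransomware"], not f["exposed"],
                                 not f["overdue"], f["days_to_due"]))
    return findings


def run_example(today_iso="2024-03-01"):
    """Run the constructed feed against the constructed inventory on a fixed date."""
    return prioritize(load_kev(KEV_FEED_JSON), INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_example():
        flag = "RANSOMWARE" if f["ransomware"] else "          "
        state = "OVERDUE" if f["overdue"] else f"due in {f['days_to_due']}d"
        print(f"{flag} {f['host']:<9} {f['cve']:<14} {state:<12} {f['name']}")
```

The sort key is the whole policy: swap the tuple order if your programme weights exposure above ransomware use, and feed the real KEV document into `load_kev` in place of the constructed one. Because the catalog has no version data, the output is a triage queue rather than a confirmed-vulnerable list.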

CISA's Pre-Ransomware Notification Initiative, launched in 2023, represents a proactive operational capability: CISA identifies early-stage ransomware intrusions through threat intelligence and notifies potential victims before encryption is deployed, giving organizations a remediation window measured in hours rather than days.


Common scenarios

CISA guidance addresses ransomware across five documented deployment contexts, each associated with distinct advisory series and mitigation profiles:

Healthcare and public health sector attacks — CISA, the FBI, and HHS have jointly issued advisories targeting ransomware groups that specifically attack hospitals and health systems. The healthcare sector faces heightened exposure due to legacy systems and HIPAA-governed data sensitivity. Joint advisory AA23-061A (February 2023) addressed Royal ransomware, which heavily targeted healthcare.

Critical infrastructure and industrial control systems — CISA advisories covering critical infrastructure ransomware include ICS-specific guidance because encryption of operational technology (OT) environments creates physical consequences beyond data loss. CISA's ICS-CERT division coordinates OT-specific mitigations.

Ransomware-as-a-Service (RaaS) operations — CISA's joint advisories consistently describe RaaS affiliate structures, where operators lease ransomware tooling to independent affiliates who execute intrusions. Advisories covering LockBit, BlackCat/ALPHV, and Cl0p have each detailed the affiliate recruitment model and its implications for attribution and response.

Supply chain compromise leading to ransomware — CISA guidance on supply chain ransomware attacks addresses scenarios where a managed service provider (MSP) or software vendor is compromised as the initial access vector, enabling downstream victim deployment at scale. The Kaseya VSA incident of July 2021 prompted CISA to issue an advisory within 24 hours of initial reports.

Government and municipal sector incidents — CISA coordinates with state and local governments through its Multi-State Information Sharing and Analysis Center (MS-ISAC) partnership. Joint guidance for the government sector covers both IT and emergency services continuity during ransomware events.


Decision boundaries

Applying CISA guidance requires organizations to make structured classification decisions across three primary dimensions:

Mandatory vs. voluntary compliance — CISA's guidance is binding on FCEB agencies under BOD directives. For private sector and state/local entities, most CISA ransomware guidance remains voluntary unless sector-specific regulation (such as HIPAA for healthcare or NERC CIP for energy) independently mandates adoption of equivalent controls. CIRCIA, once finalized, will impose mandatory reporting on covered critical infrastructure owners regardless of sector.

Advisory applicability by threat actor profile — Not all CISA advisories apply equally to all organizations. Each Cybersecurity Advisory specifies the targeted sectors, observed initial access vectors (commonly phishing, RDP exploitation, and vulnerable public-facing applications — see ransomware initial access vectors), and the victim profile. Organizations outside the named sectors should still assess whether shared TTPs apply to their environment.

Response framework selection — CISA's Ransomware Response Checklist and the broader NIST SP 800-61 Rev. 2 framework serve different organizational needs. The CISA checklist is operationally oriented, designed for immediate incident response. NIST SP 800-61 provides the full incident response lifecycle framework — preparation, detection, containment, eradication, recovery, and post-incident review — that underpins the checklist's tactical steps. Organizations with mature security operations typically integrate both, using NIST for program structure and CISA advisories for current threat intelligence. For a full treatment of incident response structure, see ransomware incident response.

Reporting thresholds and regulatory obligations — Organizations face overlapping and sometimes conflicting reporting timelines depending on sector, data type, and applicable law. CIRCIA's 72-hour cyber incident reporting requirement, the SEC's 4-day material incident disclosure rule (adopted July 2023), and HHS HIPAA breach notification requirements operate on different clocks and cover different organizational populations. The ransomware reporting requirements reference covers the full matrix of US reporting obligations. CISA explicitly states it does not share reports with enforcement agencies for the purpose of enforcement action, a position designed to encourage voluntary disclosure in advance of mandatory CIRCIA rules.

Organizations evaluating OFAC implications for potential ransom payments should consult both CISA's payment guidance and the Treasury Department's advisory framework — covered in detail under OFAC ransomware sanctions.

