CISA Ransomware Guidance: Federal Resources and Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) functions as the federal government's primary civilian authority for ransomware guidance, publishing binding advisories, voluntary frameworks, and sector-specific resources that define federal expectations for US organizations. CISA's ransomware program operates under the Stop Ransomware initiative, a cross-agency effort consolidating threat intelligence, technical mitigations, and reporting infrastructure into a single public-facing platform. The advisories and frameworks produced under this program carry direct implications for incident response planning, regulatory compliance, and federal contract eligibility across critical infrastructure sectors.
Definition and scope
CISA defines ransomware as "a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable" until a ransom demand is satisfied (CISA Stop Ransomware). Under this operational definition, CISA's guidance scope encompasses three distinct attack categories:
- Encryption-based extortion: Files are rendered inaccessible through cryptographic locking; decryption keys are withheld pending payment.
- Data theft extortion (double extortion): Operators exfiltrate sensitive data before encrypting systems, threatening public release as a secondary coercion mechanism.
- Hybrid campaigns: Attacks combining encryption, data theft, and distributed denial-of-service pressure against victim organizations simultaneously.
CISA's statutory authority to issue ransomware guidance derives from the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278), which established the agency as the national coordinator for civilian federal cybersecurity and critical infrastructure protection. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) further expanded CISA's mandate by requiring covered entities to report ransomware payments within 24 hours of payment (CISA CIRCIA overview).
The ransomware providers tracked across this reference reflect the threat actor categories and variant families addressed in CISA's published advisory record.
How it works
CISA's advisory infrastructure operates through a structured publication and dissemination model organized across three primary output types.
1. Joint Cybersecurity Advisories (JCAs)
Joint advisories are co-authored with partner agencies including the FBI, the National Security Agency (NSA), and international counterparts such as the UK's National Cyber Security Centre (NCSC). Each JCA documents a specific ransomware variant or threat actor group, providing indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework, and prioritized mitigations. Between 2021 and 2023, CISA published more than 40 advisories specifically addressing named ransomware groups, including LockBit, BlackCat/ALPHV, and Royal.
2. Stop Ransomware Guides
Sector-agnostic mitigation guides consolidate best practices drawn from NIST SP 800-53 (NIST) and NIST SP 800-184. These documents outline pre-incident hardening measures — network segmentation, offline backup validation, multi-factor authentication deployment — alongside response phase actions covering containment, forensic preservation, and recovery sequencing.
3. #StopRansomware Alert Series
Shorter-form flash alerts issued in near-real-time when CISA identifies active exploitation of a vulnerability by ransomware operators. These alerts cite CVE identifiers and direct organizations to apply patches for entries in CISA's Known Exploited Vulnerabilities (KEV) catalog (KEV catalog), which as of 2024 listed more than 1,100 vulnerabilities, each carrying a mandatory remediation deadline for federal civilian agencies under Binding Operational Directive 22-01.
The advisory process draws on threat intelligence shared through the Automated Indicator Sharing (AIS) program and reporting submitted via the CISA reporting portal, creating a feedback loop between victim organizations and published guidance.
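As an added example (not CISA's code and not part of the original page), the following Python triage routine shows how a defender can cross-reference a software inventory against the KEV catalog's JSON feed, prioritising entries the catalog flags as used in ransomware campaigns and entries whose BOD 22-01 due date has passed. The field names (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`) follow the feed as published; the catalog entries, due dates and inventory below are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the
# published feed; CVE-1900-* IDs, due dates and vendors here are made up.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2023-06-23"},
    {"cveID": "CVE-1900-00001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2030-01-01"},
    {"cveID": "CVE-1900-00002", "vendorProject": "OtherVendor", "product": "Widget",
     "knownRansomwareCampaignUse": "Unknown", "dueDate": "2023-01-01"}
  ]
}
"""

# Constructed software inventory: (vendorProject, product) pairs the organization runs.
INVENTORY = {("Progress", "MOVEit Transfer"), ("ExampleVPN", "Gateway")}


def triage_kev(kev_json, inventory, today_iso):
    """Return KEV entries matching the inventory, flagged for ransomware use and overdue status.

    today_iso is an ISO date string (YYYY-MM-DD) used to evaluate the BOD 22-01 dueDate.
    Results are ordered: ransomware-linked first, then overdue, then by CVE ID.
    """
    today = date.fromisoformat(today_iso)
    catalog = json.loads(kev_json)
    findings = []
    for entry in catalog["vulnerabilities"]:
        if (entry["vendorProject"], entry["product"]) not in inventory:
            continue  # Not in our estate; skip
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "cve": entry["cveID"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "overdue": today > due,
            "days_past_due": (today - due).days,  # negative while still within the window
        })
    findings.sort(key=lambda f: (not f["ransomware"], not f["overdue"], f["cve"]))
    return findings


if __name__ == "__main__":
    for finding in triage_kev(SAMPLE_KEV_JSON, INVENTORY, "2024-01-15"):
        print(finding)
```

Swapping `SAMPLE_KEV_JSON` for the live feed and `INVENTORY` for a CMDB export turns this into a recurring patch-priority report.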
Common scenarios
CISA advisories address ransomware incidents across a defined set of attack scenarios that recur across sectors:
Critical infrastructure targeting: CISA's sector-specific guidance addresses the 16 critical infrastructure sectors designated under Presidential Policy Directive 21 (PPD-21). Healthcare and public health, water and wastewater systems, and the energy sector appear as the most frequently cited targets in CISA advisories, with healthcare organizations representing a disproportionate share of reported incidents due to legacy system prevalence and operational pressure to restore services rapidly.
Managed Service Provider (MSP) compromise: CISA has issued dedicated guidance — including Advisory AA22-131A — warning that ransomware operators exploit MSP access to propagate attacks across multiple downstream customer environments simultaneously. A single compromised MSP can expose dozens of client organizations within a single campaign.
VPN and remote access exploitation: CISA's advisory record consistently identifies unpatched VPN appliances and remote desktop protocol (RDP) exposure as primary initial access vectors. The KEV catalog flags VPN vulnerabilities from vendors including Fortinet, Pulse Secure, and Citrix as actively exploited by ransomware operators.
Supply chain and software compromise: Advisories addressing groups such as Cl0p have documented exploitation of managed file transfer software vulnerabilities (including MOVEit Transfer, CVE-2023-34362) to achieve mass data exfiltration across thousands of organizations without traditional encryption-based ransomware deployment.
The contrast between encryption-focused ransomware and pure data extortion campaigns is operationally significant: encryption attacks require decryption key recovery or system rebuild, while data extortion campaigns may leave systems operational but impose disclosure obligations under breach notification statutes regardless of whether a ransom is paid.
For context on how these incident types are categorized within this reference, see the ransomware provider network purpose and scope.
Decision boundaries
Understanding where CISA guidance applies — and where it defers to other regulatory frameworks — defines the operational boundaries for compliance professionals and security teams.
CISA guidance vs. binding regulation: The majority of CISA's ransomware publications are voluntary for private-sector entities outside federal contracting and critical infrastructure obligations. Binding requirements derive from CIRCIA (for covered critical infrastructure entities), FISMA (for federal agencies and contractors), and sector-specific regulators such as HHS under HIPAA (45 CFR §164.400–414) and NERC CIP standards for bulk electric system operators.
Applicability thresholds under CIRCIA: CIRCIA's 24-hour ransomware payment reporting requirement and 72-hour significant incident reporting requirement apply to "covered entities" as defined by CISA's forthcoming rulemaking. Until final rules are published, CISA has published an interim guidance document outlining which sector categories fall within scope (CISA CIRCIA FAQ).
Federal vs. state obligations: CISA guidance does not supersede state-level data breach notification laws. Organizations subject to a ransomware incident involving personal data face parallel notification timelines under state statutes — 46 states have enacted breach notification laws with varying trigger thresholds and deadlines — independent of any CISA reporting.
Advisory classification distinctions:
- Joint Cybersecurity Advisory (JCA): Carries the authority of multiple federal agencies; addresses named threat actors with attribution confidence.
- CISA Alert: Rapid-response publication; addresses active exploitation without full attribution.
- CISA Advisory: Broader guidance documents covering defensive architectures, not tied to a specific active campaign.
- Binding Operational Directive (BOD): Mandatory for federal civilian executive branch agencies only; the KEV remediation timelines in BOD 22-01 do not directly bind private-sector entities.
Security teams navigating these distinctions can cross-reference applicable advisories against the threat actor and variant data available through how to use this ransomware resource.