The Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response plans to lay out its first strategic plan, following on the heels of the Trump administration’s new national cybersecurity strategy.
Alex Fitzsimmons, director of the CESER office, said the new strategic plan will be out soon.
“CESER has been around for six years, [since the] first Trump administration,” Fitzsimmons said during a Tuesday event in Washington hosted by Auburn University’s McCrary Institute. “Has never had a strategic plan clearly written down, explaining what the mission is, what the goals, objectives, key performance indicators are that we’re all striving to achieve. Definitely helps that we have a new national cyber strategy.”
The CESER office is responsible for overseeing energy, which is considered one of the most important U.S. critical infrastructure sectors. The Trump administration’s national cyber strategy, released earlier this month, includes a focus on securing critical infrastructure.
Fitzsimmons noted 80% of the energy sector is owned or operated by the private sector.
“A lot of those organizations are well resourced, but a lot of them are not,” he said. “They might have one person working on [operational technology] or IT, not even a dedicated cyber person, but they’re expected to defend their networks against nation state threat actors.”
He said CESER’s “fundamental” mission is getting critical security information to those in the energy sector.
“We have to be able to get timely and actionable information out to them so that they can secure their networks,” Fitzsimmons said.
OT security has also been a major focus for CESER. Fitzsimmons pointed to OT security training and exercise programs run through the office as key to securing the energy sector.
“Hardening is as much about people and process as it is technology,” he said. “So it’s great to see the cyber strategy, and we are fast at work at DOE, trying to implement many of those pillars.”
Tech pilots
White House National Cyber Director Sean Cairncross, also speaking at the McCrary Institute event, again teased technology pilots that are forthcoming as part of the cyber strategy.
Cairncross said his office is working with the Office of Management and Budget and the General Services Administration to “overcome procurement hurdles” and deploy new cyber technologies.
“We’re going to utilize the federal government’s authorities and testing capabilities, including working with the national labs to red team new technology and get it deployed at relevant speed,” he said.
The White House will use pilots in some critical infrastructure sectors as well, Cairncross added. He said the focus would be on sectors “that get less attention,” like water utilities and rural hospitals.
“We’re going to go to specific states and localities, test drive new technologies, work with our industry partners, our state government partners, really engage the state and local partnerships on this front and try to drive the capabilities and the technology level up and the cost down,” he said. “Where we find success, we’re going to scale.”
AI acceleration
Meanwhile, the Cybersecurity and Infrastructure Security Agency is considering how artificial intelligence-driven cyber attacks might warrant updates to the longstanding approach to cyber vulnerability management.
“It’s really reducing that window that we’re seeing where perhaps people had a week to two weeks to be able to address published CVEs to appropriately mitigate it with the patch, or to have some other sort of risk mitigation measure into place,” Nick Andersen, CISA’s acting director, said during the McCrary event. “I just don’t think that’s the case anymore.”
CISA sponsors the widely used Common Vulnerabilities and Exposures (CVE) Program, while it directly manages the Known Exploited Vulnerabilities (KEV) database, which includes vulnerabilities that federal agencies are required to address within set timeframes.
“We’re looking at what are the new objectives that we should have for being able to get to a specific measure of what is the timeline associated with how we can prescribe action, whether it’s an entry into the CVE or is an entry that we’ve moved into KEV,” Andersen said.
Chris Butera, acting executive assistant director for cybersecurity at CISA, also discussed vulnerability management and updates to the KEV program during an earlier panel at the McCrary event.
“We’re continuing to do refinements around that program, but we have to add more ways to do automation in this space and continuously move as fast as the adversary is going,” Butera said. “How we address this at scale is really developing more secure software. And so we think there’s a lot of opportunities here and potential challenges with AI being used for software development. So trying to do more and ensuring that we have more secure software and less of that vulnerability space for the adversary to be playing in every day.”
© 2026 Federal News Network. All rights reserved.
