Skip to main content

Cybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) is a U.S. federal agency responsible for coordinating national efforts to protect and enhance the cybersecurity and resilience of critical infrastructure across public and private sectors.

  • National cybersecurity risk management guidance, advisories, and best-practice frameworks for enterprises
  • Operational cyber defense support, incident coordination, and threat response for government and critical infrastructure organizations
  • Security assessments, vulnerability scanning, and protective services for networks, systems, and industrial control environments
  • Information sharing programs and partnerships with public- and private-sector operators of critical infrastructure
  • Technical resources, training, and tools to support cybersecurity resilience and infrastructure protection planning

More About Cybersecurity and Infrastructure Security Agency (CISA)

CISA functions as the U.S. government’s civilian cybersecurity and critical infrastructure agency, working with federal, state, local, tribal, territorial, and private-sector entities to manage cyber and physical risks to critical infrastructure sectors such as energy, transportation, communications, healthcare, financial services, and government facilities. For enterprise and institutional stakeholders, CISA acts as a central coordination point for threat information, risk guidance, and technical assistance related to both information technology (IT) and Operational technology (OT) environments.

The agency publishes cybersecurity advisories, alerts, and best-practice documents that map directly into enterprise security architectures and programs, including guidance on secure configuration, zero trust architectures (security architecture), multi-factor authentication (identity and access management), software and Supply Chain Risk Management (SCRM), and cloud security practices (cloud security). CISA’s materials often reference and align with widely adopted frameworks such as the NIST Cybersecurity Framework (governance, risk, and compliance) and other federal standards, providing reference models that enterprises can use in Governance, Risk, and Compliance (GRC) efforts.

CISA operates technical services that many organizations integrate into their Security Operations (SecOps) workflows. These include vulnerability scanning and assessment offerings (vulnerability management), phishing assessments and cyber hygiene services (security awareness and testing), and incident coordination support for cyber events that affect critical infrastructure (incident response). The agency also coordinates disclosure and remediation of software vulnerabilities, providing advisories and Known Exploited Vulnerabilities (KEV) catalog content that security teams use in patch management and prioritization.

Information sharing is a core domain: CISA facilitates bidirectional sharing of threat intelligence, Indicators of Compromise (IOC), and mitigation guidance between government and industry partners (threat intelligence). This supports SecOps centers (SOCs) and managed security service providers that require current data on active exploits, malware campaigns, and vulnerabilities targeting critical infrastructure systems. CISA also issues technical alerts related to industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments (OT security), which are used by utilities and manufacturers to harden control networks.

In addition, CISA provides tools, training, and exercises that support enterprise resilience planning, including incident response planning, continuity of operations, and physical security coordination for facilities that underpin digital services. Within a directory or marketplace, CISA aligns to solution areas such as cybersecurity guidance and frameworks, vulnerability and threat advisory services, public-sector incident coordination, OT and industrial control system security, and infrastructure resilience planning. Its outputs are used by CISOs, enterprise architects, risk officers, and infrastructure leaders to benchmark posture, prioritize remediation, and coordinate with public-sector partners on cyber and physical infrastructure security.

At-A-Glance

  • Employees: 2,500
  • Estimated Annual Revenue: $500M-$1B

Connect

Corporate Headquarters

Arlington, VA

Market Segmentation

  • Type: Government
  • Sector: Government
  • Group: Federal
  • Industry: Civilian
  • Sub-Industry: Civilian

Mentions

CISA issues update on missing IPsec integrity for Verizon IMS SIP signaling

June 2, 2026

Overview VoLTE deployments on Verizon’s IMS network have historically lacked IPsec-based integrity protection for SIP signaling, contravening well-established requirements in 3GPP TS 33.203 and GSMA IR.92. As a result, SIP messages—including registration (REGISTER), call setup (INVITE), and messaging (MESSAGE)—were transmitted in plaintext without cryptographic guarantees of integrity or authenticity. Passive analysis of live traffic over multiple months confirmed the consistent absence of SIP Security Agreement headers and ESP traffic, indicating a systematic configuration decision rather than an isolated anomaly. In response to repeated follow-up inquiries, Verizon stated on [insert date] that integrity support is “currently available at their request” and will be extended to all UEs “starting later this year.” Separately, the researchers recently observed that Apple’s iOS 26.5 carrier bundle (released May 11, 2026) includes IMS IPsec-related configuration entries—an indication that device-side support may now be active or enabled in newer software. While this change is promising, its real-world impact remains uncertain: there is no evidence yet that Verizon has modified its network to enforce IPsec, that the configuration is being activated per session, or that integrity is functionally operational in production deployments. Absent explicit verification (e.g., captured ESP traffic or official confirmation), this may reflect preparatory software changes rather than an end-to-end security upgrade. The vulnerability remains active for the vast majority of Verizon VoLTE users during the unprotected period, and until network-level enforcement is observed and confirmed, the risk of on-path signaling manipulation endures. Description CVE-2026-10629 SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network. According to 3GPP TS 33.203 and GSMA IR.92, SIP signaling between the UE and P-CSCF in IMS networks must be protected using IPsec ESP with mandatory integrity following IMS AKA authentication. This protection is negotiated via SIP Security Agreement headers (Security-Client, Security-Server, Security-Verify) during registration and results in integrity-protected ESP traffic for all subsequent signaling messages. However, observations conducted over several weeks on Verizon’s network showed no such headers in use. The REGISTER exchange lacked any security negotiation, and post-registration SIP traffic—including INVITE, MESSAGE, BYE, and UPDATE—traversed the network in plaintext over standard UDP/TCP, with no ESP encapsulation. This pattern was consistent across device models and network conditions, indicating a systemic configuration decision rather than a transient issue. The absence of integrity checking means any modification to SIP messages—including redirection of emergency calls or injection of fake message payloads—would go undetected by both the UE and the IMS core. No technical justification for this deviation from globally adopted security practices has been provided by Verizon, and prior engagement failed to elicit a substantive response beyond the recent, non-binding commitment to future deployment. Impact The lack of IPsec integrity protection enables on-path attackers—including those controlling femtocells, compromised base stations, or IMS intermediaries—to intercept, modify, replay, or inject SIP messages without detection. These capabilities permit call hijacking, spoofing of SMS-over-IMS, denial-of-service through forged BYE or CANCEL, and manipulation of emergency call routing—without requiring compromise of the UE, SIM, or backend infrastructure. Because SIP signaling lacks cryptographic integrity, all such modifications go unnoticed by both the UE and the IMS core, undermining core security assumptions of VoLTE. While the recently observed iOS 26.5 configuration change may signal progress toward a more secure implementation, its operational impact is yet to be demonstrated; until then, the risk remains real and unmitigated for users on unprotected deployments. Solution Until the vulnerability is fully mitigated by Verizon, users and enterprises should continue to assume VoLTE signaling is untrusted for high-assurance operations. Acknowledgements Thanks to DongWon Lee, Jeongmin Choi, and CheolJun Park from Kyung Hee University for their thorough technical report, persistent follow-up efforts, and the additional observation regarding iOS 26.5. Their work has significantly advanced the understanding of this issue and helped keep the discussion grounded in observable behavior. This AI-assisted document was written by Timur Snoke.