What agencies must do: The ACS wants strict change-management and download-control mechanisms for all ICT systems. In practice, that means every software installation—whether an application, a driver, or a hardware component—must go through formal approval and auditing before it touches a government machine .
The risk: Attackers increasingly used a technique called "bring your own driver" (BYOVD), exploiting legitimate but vulnerable signed drivers to slip past endpoint detection tools. Once they gained kernel-level access, they could disable security products and deploy ransomware without triggering alarms .
What agencies must do: The ACS calls for a layered defense. Agencies must run regular website vulnerability scans and patch findings immediately. Web application firewalls (WAFs) should be deployed to filter out malicious requests before they hit applications. Critically, endpoint protection must be a continuous operation: security products must be kept updated, and threat-detection rules must evolve as new tactics emerge .
The risk: System maintenance vendors, often with legitimate access to government web servers, installed remote desktop software that agencies never sanctioned. Attackers then brute-forced weak credentials on those tools to log in and move laterally across sensitive systems .
What agencies must do: The fix here is organizational, not just technical. The ACS demands strict vendor security management standards that spell out access controls, data protection rules, vulnerability management procedures, and mandatory incident reporting. Regular security audits and compliance checks must verify that suppliers are following the rules—not just on paper .
The risk: Routers, firewalls, VPN appliances, and other edge devices were left with unpatched firmware or dangerous configuration errors, giving attackers an easy entry point at the perimeter of government networks .
What agencies must do: The ACS recommends a simple but powerful shift: adopt an allowlist strategy for all outbound connections, blocking any unnecessary communication ports by default. Agencies must also inventory every edge device—model number, firmware version—and build a continuous update and verification process so that patches aren’t just applied but confirmed .
The risk: Attackers blended phishing, pretexting, and other social engineering tricks with compromised or misconfigured cloud services to steal sensitive data. Once an employee clicked a malicious link or attachment, data could be exfiltrated through cloud storage that looked legitimate .
What agencies must do: The ACS specifies a two-part defense. First, deploy email filtering and sandbox detection to intercept suspicious attachments and links before they reach users. Second, lock down cloud environments: restrict shared drive permissions, enable file upload scanning, and run security checks on cloud links to stop malicious files from spreading .
The 2025 data tells a larger story. While the total incident count fell by 29 compared to 2024, the overwhelming majority of breaches—more than two-thirds—stemmed from unauthorized access, a category that spans everything from stolen credentials to backdoor implants . The severity spectrum reflects a landscape of constant, low-level harassment: 87.33% of incidents were classified as Level 1 (the least severe), 9.78% as Level 2, and 2.89% as Level 3, with no Level 4 incidents recorded
.
The ACS’s five risk categories mark a shift in official guidance. Earlier warnings, such as those from early 2025, emphasized weak encryption, poor injection-attack screening, and broken access controls . The new list instead targets the human and supply-chain layers that traditional perimeter defenses often miss.
For agencies, the message is unequivocal. The ACS has tied every risk to a specific, auditable action: approve every download, patch every edge device, audit every vendor, and treat every email as potentially hostile. In a threat environment where 68.6% of incidents are intrusions, defense is no longer just about blocking the perimeter—it’s about controlling what happens inside it .