**CISA’s Pre-Ransomware Notification Initiative Faces Disruption After Key Staffer’s Departure**
The Cybersecurity and Infrastructure Security Agency (CISA) has suffered a significant setback to its Pre-Ransomware Notification Initiative (PRNI) following the resignation of its lead staffer, David Stern. Stern, who spearheaded the program, left CISA on December 19 after refusing a forced reassignment to the Federal Emergency Management Agency (FEMA) in Boston, according to four sources familiar with the matter.
Since late 2022, the PRNI has played a critical role in mitigating ransomware threats by alerting organizations—including water systems, energy utilities, healthcare providers, and schools—when attackers are preparing to encrypt or steal their data. Stern, as the sole CISA employee managing these notifications, issued over 1,200 warnings in 2023 and more than 2,100 in 2024, helping prevent billions in potential damages. CISA estimates the program has saved victims over $9 billion in economic losses, including operational disruptions and incident-response costs.
The initiative relies heavily on intelligence from cybersecurity firms, researchers, and infrastructure operators, with Stern’s trusted relationships being a key factor in its success. Sources indicate that his departure has created uncertainty, as the program’s effectiveness depended on his connections within the cybersecurity community. While CISA has stated the program remains operational and is training staff to take over, concerns persist about the loss of institutional knowledge and partnerships.
Stern’s reassignment to FEMA was reportedly finalized after months of resistance, culminating in his resignation. His exit has also strained CISA’s relationships with private-sector partners, who are now reassessing their engagement with the agency. Despite the setback, CISA maintains that it remains focused on its mission to counter cyber threats, though the PRNI remains the only federal effort dedicated to preemptively warning organizations of impending ransomware attacks.
Source: https://www.cybersecuritydive.com/news/cisa-ransomware-warning-program-key-employee-left/808589/
Cybersecurity and Infrastructure Security Agency TPRM report: https://www.rankiteo.com/company/cisagov
Federal Emergency Management Agency TPRM report: https://www.rankiteo.com/company/fema
```json
{
  "id": "cisfem1766513231",
  "linkid": "cisagov, fema",
  "type": "Ransomware",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```
```python
{
    'affected_entities': [
        {
            'customers_affected': 'Water systems, energy utilities, healthcare organizations, schools, critical infrastructure operators, foreign governments',
            'industry': 'Cybersecurity',
            'location': 'United States',
            'name': 'Cybersecurity and Infrastructure Security Agency (CISA)',
            'size': 'Large',
            'type': 'Government Agency',
        }
    ],
    'date_publicly_disclosed': '2023-12-19',
    'description': "The Cybersecurity and Infrastructure Security Agency's (CISA) Pre-Ransomware Notification Initiative (PRNI), which warns organizations about imminent ransomware attacks, has suffered a major setback after its lead staffer, David Stern, resigned rather than accept a forced reassignment to FEMA. Stern's departure may significantly hamper the program, which has sent over 3,300 warnings since late 2022, preventing billions in potential damages.",
    'impact': {
        'brand_reputation_impact': 'Strained relationships with private-sector partners and stakeholders',
        'financial_loss': 'Potential billions in prevented damages at risk',
        'operational_impact': 'Reduced effectiveness of ransomware attack prevention',
        'systems_affected': 'PRNI program operations',
    },
    'investigation_status': 'Ongoing',
    'lessons_learned': "The PRNI program's success heavily relied on individual relationships and trust with private-sector partners, highlighting the need for institutionalized processes and redundancy in critical roles.",
    'motivation': 'Organizational Restructuring',
    'post_incident_analysis': {
        'corrective_actions': 'Preparing multiple staffers to take over PRNI responsibilities and rebuilding trust with private-sector partners.',
        'root_causes': 'Forced reassignment of a key staffer without a clear succession plan, leading to program disruption and strained stakeholder relationships.',
    },
    'recommendations': 'Develop a succession plan for critical roles, institutionalize trust-building processes with private-sector partners, and ensure continuity of high-impact programs like PRNI.',
    'references': [
        {'source': 'Cybersecurity Dive'},
        {'source': 'SANS Institute Interview with David Stern'},
    ],
    'response': {
        'communication_strategy': 'Public statement by CISA Director of Public Affairs',
        'remediation_measures': 'Preparing several staffers to take over for Stern',
    },
    'stakeholder_advisories': "Private-sector partners are reassessing engagement with CISA due to Stern's departure.",
    'title': 'CISA Pre-Ransomware Notification Initiative (PRNI) Setback Due to Key Staffer Departure',
    'type': 'Organizational Disruption',
}
```