
Texas A&M System Joins Operation Winter SHIELD

Nick McLarty
Deputy Chief Information Security Officer

Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense) distills the FBI’s 10 most impactful actions organizations can take to improve resilience against cyber intrusions. These recommendations were developed with domestic and international partners and draw on recent investigations to reflect adversary behavior and defensive gaps.

Below are the FBI's recommended actions, along with enhanced commentary and guidance from Texas A&M System Cybersecurity to help members implement them.

Adopt phish-resistant authentication

Why: Many breaches start with stolen passwords. Phish-resistant methods make it significantly harder for attackers to gain access.

The A&M System provided guidance to members in July 2025 to begin eliminating MFA methods that were not considered phish-resistant. We continue to encourage members to adopt phish-resistant solutions and deprecate legacy MFA methods as soon as possible.

Implement a risk-based vulnerability management program

Why: Adversaries often exploit known vulnerabilities that remain unaddressed due to a lack of ownership, an undefined mitigation process, and unclear deadlines for resolution.

The A&M System considers vulnerability management to be an essential part of a robust information security program. Members should utilize CISA Known Exploited Vulnerabilities (KEV) indicators with their vulnerability management platform to prioritize remediation of those vulnerabilities that do not have compensating controls to prevent exploitation.
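One way to apply the KEV prioritization described above, as an added example (not code from the A&M System or the FBI). It assumes the field names of CISA's public KEV JSON feed, a hypothetical scanner export with a `compensating_control` column, and an ordering rule (ransomware-linked first, then earliest KEV due date) chosen for illustration; the CVE IDs are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV catalog JSON feed
# (field names follow the public feed; CVE IDs are placeholders).
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2026-01-15", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dueDate": "2026-02-01", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "dueDate": "2025-12-20", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed scanner export; "compensating_control" is an assumed column
# that the vulnerability management platform would have to supply.
FINDINGS = [
    {"asset": "web01", "cve": "CVE-0000-0001", "compensating_control": None},
    {"asset": "db02", "cve": "CVE-0000-0002", "compensating_control": "WAF virtual patch"},
    {"asset": "vpn01", "cve": "cve-0000-0003", "compensating_control": ""},
    {"asset": "app03", "cve": "CVE-0000-0099", "compensating_control": None},
]

def load_kev(raw):
    """Index the KEV catalog by upper-cased CVE ID."""
    return {v["cveID"].upper(): v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Return KEV-listed findings lacking a compensating control, most urgent first."""
    queue = []
    for f in findings:
        entry = kev.get(f["cve"].strip().upper())
        # Skip findings not in KEV, or already covered by a documented control.
        if entry is None or (f.get("compensating_control") or "").strip():
            continue
        due = date.fromisoformat(entry["dueDate"])
        queue.append({
            "asset": f["asset"], "cve": entry["cveID"], "due": due,
            "overdue_days": max((today - due).days, 0),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Assumed ordering: ransomware-linked first, then earliest KEV due date.
    queue.sort(key=lambda r: (not r["ransomware"], r["due"]))
    return queue

if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_JSON), date(2026, 1, 20)):
        print(row)
```
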

Track and retire end-of-life technology on a defined schedule

Why: End-of-life systems no longer receive security updates and, as a result, are routinely targeted.

The A&M System has made a substantial investment in a unified cyber asset management platform to enable members’ visibility and insight into managed assets and their associated risks, including end-of-life status.

Manage third-party risk

Why: An organization’s security extends only as far as its least-protected vendor with network or data access. Adversaries often exploit these gaps to bypass stronger defenses.

The A&M System leverages third-party risk management and attack surface management platforms to monitor risks from the system’s most commonly utilized vendors and consider those risks in the overall cyber defense posture. Members are encouraged to further adopt the system's third-party risk management platform to monitor member-specific vendors.

Protect security logs and preserve for an appropriate time period

Why: Reliable, preserved logs are essential for detection, response, and attribution. Adversaries often attempt to erase them.

The A&M System consumes and preserves relevant security logs from all systems protected under the Managed Detection and Response service in an isolated environment that would be inaccessible to adversaries during an attack on a member institution.

Maintain offline immutable backups and test restoration

Why: Backups are routinely targeted early in intrusions; resilience depends on isolation and tested recovery.

The A&M System has partnered with Texas A&M University to offer an immutable backup and data protection solution, enabling members to store critical institution data in a backup store isolated from the member’s production environment.

Identify, inventory, and protect internet-facing systems and services

Why: Unnecessary exposure creates low-effort entry points for attackers.

The A&M System utilizes several third-party sources of data to identify the internet-facing attack surface for each member and engages members when risks in need of mitigation are observed.

Strengthen email authentication and malicious content protections

Why: Email remains a favored initial access vector for intrusions and fraud.

The A&M System’s Managed Detection and Response service disrupts the kill chain when an adversary attempts to exploit a user through email to launch a cyber attack.

Members must continue to regularly educate users on the signs of fraudulent emails and the importance of adhering to business processes so that they do not become victims of business email compromise.

Reduce administrator privileges

Why: Broad, persistent administrative access enables rapid escalation when credentials are compromised.

The A&M System recommends minimizing the use of administrator privileges to the greatest extent possible. Use tools such as self-service software centers and endpoint privilege management to scope and limit the level and duration of administrative privilege assigned to standard users.

Exercise your incident response plan with all stakeholders

Why: Practiced organizations respond faster, contain more effectively, and reduce impact.

The A&M System provides tabletop exercises for incident response integrated with the managed detection and response service, and partners with third-party consultancies to deliver a variety of other tabletop exercises for members.


For detailed guidance on how to implement the ten actions outlined above, visit the FBI’s Operation Winter SHIELD website at https://www.fbi.gov/investigate/cyber/ten-actions-to-improve-cyber-resiliency.


Attachments

Operation Winter SHIELD TAMUS Fact Sheet