Operation Winter SHIELD: The FBI Is Telling You Exactly What to Fix — And Why Most Organizations Still Get Breached
The FBI's Operation Winter SHIELD distills 10 proven defensive controls from real-world investigations — and its central message is blunt: most organizations are breached because they don't implement what they already know works.
WASHINGTON, D.C. — Operation Winter SHIELD is coordinated by the FBI Cyber Division with participation from field offices across the United States. Microsoft has publicly endorsed and is providing implementation resources alongside the initiative. Brett Leatherman, Assistant Director of the FBI's Cyber Division, described the controls as designed not "to check boxes" but to "start the conversation" and drive genuine security posture improvement. Each week of the nine-week campaign, the FBI connected one control to a real investigation — showing what specific breach it would have prevented.
The ten defensive actions
Why these ten, why now
Operation Winter SHIELD is not a new framework — every one of the ten actions is either already required by existing regulations or has been in standard guidance for years. The FBI's rationale is explicit: most security incidents happen not because organizations chose the wrong product or framework, but because well-known controls are not consistently implemented in production. The implementation gap between security policy and security enforcement is where most breaches originate. To understand exactly what types of attacks these controls stop, see our primer on the most common cybersecurity threats facing organizations in 2026. The RAMP ransomware marketplace database leak illustrates precisely why actions 6, 8, and 9 are FBI enforcement priorities.
Microsoft's participation
Microsoft's endorsement of Operation Winter SHIELD — including Baseline Security Mode guidance — signals significant industry alignment. Microsoft's framing mirrors the FBI's: "Security maturity is not measured by what exists in policy documents or architecture diagrams. It is measured by what is enforced in production."
What to do now
Review the full guidance at fbi.gov/wintershield. Use the ten actions as a gap assessment: for each control, ask whether it is enforced in production — not just documented. Pay particular attention to actions 8 (third-party risk) and 9 (phish-resistant authentication), which address the most prevalent breach vectors in 2025-2026 FBI investigations. Prioritize FIDO2 hardware key deployment for privileged accounts before standard MFA for all accounts.
The CyberSignal Analysis
Signal 01 — The FBI is admitting that awareness alone has failed
Operation Winter SHIELD's explicit focus on implementation over awareness is a public acknowledgment that two decades of security awareness campaigns have not solved the fundamental problem. The FBI now treats implementation execution as the primary gap — not knowledge, not budget, not intent.
Signal 02 — Third-party risk is now an FBI enforcement priority
The inclusion of third-party risk management as one of ten FBI-prioritized controls reflects the bureau's view that vendor access has become the dominant breach vector for well-defended organizations. Every major breach the FBI investigated in the past two years involved some element of third-party access exploitation.
Signal 03 — Phish-resistant MFA is the single highest-impact change available
The FBI's prioritization of FIDO2/passkeys over standard MFA reflects investigative reality: SMS OTP, push notifications, and TOTP-based MFA are all bypassed routinely by criminal toolkits. FIDO2 eliminates the entire category of attacks that bypass conventional MFA. If only one control from this list gets implemented this week, it should be hardware security keys for privileged accounts.
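The gap assessment from "What to do now" and the FIDO2-first ordering in Signal 03 can be turned into a concrete check. The script below is an added example, not FBI or Microsoft code: it assumes each user's registered methods were pulled from Microsoft Graph (GET /users/{id}/authentication/methods, whose records carry an @odata.type field), classifies them by bypass resistance, and ranks privileged accounts without a phish-resistant method ahead of everyone else. The tenant data is constructed.

```python
"""Gap check for Winter SHIELD action 9 (phish-resistant MFA), standalone example."""

# Microsoft Graph authentication-method @odata.type values, grouped by the
# article's bypass-resistance ranking. The records are assumed to come from
# GET /users/{id}/authentication/methods; the sample data below is constructed.
PHISH_RESISTANT = {
    "#microsoft.graph.fido2AuthenticationMethod",                    # FIDO2 keys / passkeys
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",  # platform authenticator
}
CONVENTIONAL_MFA = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",   # push / TOTP
    "#microsoft.graph.softwareOathAuthenticationMethod",             # TOTP
    "#microsoft.graph.phoneAuthenticationMethod",                    # SMS / voice OTP
}

def classify(methods):
    """Return 'phish-resistant', 'conventional-mfa' or 'password-only' for one user's methods."""
    types = {m.get("@odata.type") for m in methods}
    if types & PHISH_RESISTANT:
        return "phish-resistant"
    if types & CONVENTIONAL_MFA:
        return "conventional-mfa"
    return "password-only"

def gap_report(users):
    """Rank remediation: privileged accounts lacking FIDO2 first (P1), then all others (P2)."""
    findings = []
    for u in users:
        level = classify(u["methods"])
        if level == "phish-resistant":
            continue  # already enforced in production, nothing to fix
        priority = 1 if u["privileged"] else 2
        findings.append((priority, u["upn"], level))
    return sorted(findings)

# Constructed sample in the Graph response shape (hypothetical tenant, not real data).
SAMPLE_USERS = [
    {"upn": "ga-admin@example.com", "privileged": True, "methods": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod"}]},
    {"upn": "sec-admin@example.com", "privileged": True, "methods": [
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}]},
    {"upn": "alice@example.com", "privileged": False, "methods": [
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}]},
    {"upn": "bob@example.com", "privileged": False, "methods": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}]},
]

if __name__ == "__main__":
    for priority, upn, level in gap_report(SAMPLE_USERS):
        print(f"P{priority} {upn}: {level}")
```

A P1 finding is an account that a policy document may describe as MFA-protected but that is still exposed to the OTP and push bypasses the FBI describes.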