
Former CISA CIO joins Nucleus as federal agencies face aggressive 3-day remediation mandates under BOD 26-04 to counter AI-accelerated exploits
SARASOTA, Fla., June 25, 2026 /PRNewswire/ -- Nucleus Security, the leader in unified vulnerability and exposure management, today named Robert "Bob" Costello, former Chief Information Officer of the Cybersecurity and Infrastructure Security Agency (CISA), as Strategic Advisor for Public Sector and Critical Infrastructure. Costello joins as agencies confront CISA's Binding Operational Directive 26-04, which replaces severity-score patching with risk-based prioritization and remediation clocks as short as three days, a shift CISA tied to AI-accelerated exploitation.
Costello will advise Nucleus on serving federal agencies operating under that directive, where teams must now unify fragmented findings, prioritize by real exposure, and defend every remediation decision under audit. He brings the perspective of someone who carried that accountability burden within government rather than from a vendor's seat.
"Inside government, the hardest part of vulnerability management is defending the decision of what to fix first when you're drowning in disconnected data. Under BOD 26-04, agencies can no longer afford to guess. They need to show not just what they fixed, but exactly why that choice was the right one under audit. The Nucleus platform is making that level of accountability operational," said Robert Costello.
"Bob understands the problem Nucleus was built to solve, because he has lived it," said Steve Carter, co-founder and CEO of Nucleus Security. "Few people have managed vulnerability and exposure risk at the scale, complexity, and consequence that he has. Agencies are drowning in fragmented data while being asked to act faster and stand behind every decision they make. Bob has run that gauntlet inside some of the most demanding environments in the world, and his judgment will sharpen how we help every customer move from visibility to measurable, defensible risk reduction."
Costello currently serves as Chief Digital and Information Officer at Merlin Group, bringing his extensive public sector and critical infrastructure expertise to Nucleus in this strategic advisory capacity.
About Nucleus Security
Nucleus Security is the enterprise leader in unified vulnerability and exposure management, enabling organizations to prioritize and mitigate vulnerabilities faster, at scale. As a FedRAMP Moderate Authorized vendor, Nucleus Security supports federal civilian agencies, the Department of Defense, Defense Industrial Base contractors operating under CMMC 2.0 and NIST SP 800-171, and state and local governments in operationalizing CISA mandates, NIST Risk Management Framework requirements, and Zero Trust objectives. Delivering unmatched time-to-value, Nucleus automatically unifies data from across the security and IT toolchain into a single operational view, serving as both the system of record and system of action. Automated workflows and a clear audit trail let teams stand behind every remediation decision.
Contact:
[email protected]
SOURCE Nucleus Security