The Cybersecurity and Infrastructure Security Agency released a supplement to its March 3 emergency directive outlining new steps agencies need to take over the next three months.