CISA attributes minimal security improvements to their Performance Goals initiative

Infrastructure protection program participation has significantly increased among critical organizations, according to the federal agency, with participation nearly doubling since 2022.


The Cybersecurity and Infrastructure Security Agency (CISA) is taking active steps to reduce the remediation times for known exploited vulnerabilities in critical infrastructure organizations.

Through proactive identification, outreach, and enhanced cybersecurity guidance, CISA is having a moderate impact in helping these organizations monitor for known exploited vulnerabilities. Since 2021, the agency has used administrative subpoenas to identify organizations with vulnerable systems via internet scans and has contacted over 3,000 organizations. As a result, in 80% of these cases the organizations removed the affected systems from internet exposure, reducing risk.

CISA's efforts extend beyond proactive identification. The agency maintains strong support for the CVE program, ensuring timely vulnerability disclosure and patching guidance. CISA also issues emergency directives ordering federal agencies and critical infrastructure operators to patch or mitigate high-risk vulnerabilities within short deadlines.

CISA's initiatives to improve cyber hygiene and detection capabilities are also noteworthy. For example, a recent joint advisory with the Coast Guard emphasized the need for better logging, event forwarding, and auditing to support threat hunting and faster detection.

CISA's IT modernization efforts, including full migration to the cloud by the end of fiscal year 2025, aim to enhance its operational capabilities and security posture, likely improving the speed and efficiency of vulnerability response workflows.

As of the end of August 2024, 7,791 critical infrastructure organizations were enrolled in CISA's vulnerability scanning service, a near doubling over a two-year period. Critical infrastructure organizations enrolled in this service have seen significant improvements. Over the two-year period of analysis, they reduced their average remediation times from 60 days to 30 days.

CISA's cybersecurity performance goals program includes 37 voluntary goals aimed at improving cybersecurity across critical infrastructure organizations. The agency established these goals in October 2022 and revised the set in March 2023.

The agency's review of its cyber hygiene program over the two-year period from Aug. 1, 2022 to Aug. 31, 2024 found improvements in six key cybersecurity performance goals, including mitigating known vulnerabilities.

However, challenges remain. Zero-days remain a significant challenge for defenders, as they comprised the majority of the most routinely exploited vulnerabilities last year. The number of ransomware attacks also continues to climb, with a 74% increase from 2022 to 2023, and 2024 on track to exceed the previous year's record.

CISA's latest report, published on Friday, highlights progress in decreasing critical infrastructure organizations' exposure to actively exploited CVEs and reducing remediation times. The report also underscores the importance of continued collaboration, both domestically and internationally, in addressing these ongoing challenges.

  1. CISA's cybersecurity efforts extend to the CVE program, ensuring timely vulnerability disclosure and patching guidance, including for high-risk vulnerabilities susceptible to ransomware attacks.
  2. The review of CISA's cyber hygiene program over a two-year period reported improvements in mitigating known vulnerabilities, such as those involving encryption, but zero-days, particularly those used in ransomware attacks, continue to pose a significant challenge.
  3. Critical infrastructure organizations enrolled in CISA's vulnerability scanning service have seen notable improvements, decreasing their average remediation times from 60 days to 30 days, thanks in part to advanced data-and-cloud-computing technology and enhanced cybersecurity measures.
