CISA: Agencies seeing steep decrease in known exploited vulnerabilities on federal networks

A catalog of exploited vulnerabilities run by the top cybersecurity agency in the U.S. is having a significant effect on the security of federal civilian agencies, according to Congressional testimony from a senior official.

The Cybersecurity and Infrastructure Security Agency (CISA) has run its Known Exploited Vulnerabilities (KEV) catalog for more than two years and it has quickly become the go-to repository for vulnerabilities actively being exploited by hackers around the world.

Any vulnerability added to the catalog must be addressed by all federal civilian agencies within a three-week timeframe.

In testimony this week during a House of Representatives hearing, CISA Executive Assistant Director for Cybersecurity Eric Goldstein shared several statistics showing the catalog was having a demonstrable effect on the cybersecurity of the U.S. government’s more than 100 federal civilian agencies.

“For the first time, we have real-time visibility into vulnerabilities and misconfigurations across 102 agencies, allowing timely remediation before intrusions occur – including directing the remediation of over 12 million Known Exploited Vulnerabilities (KEV) over the past two years,” he said.

“CISA’s efforts are enabling FCEB agencies to deny threat actors opportunities to gain access to federal networks and reduce risk of compromise due to internet accessible KEVs that frequently compromise public and private entities.”

Federal civilian agencies have remediated more than 7 million KEV findings this calendar year alone, Goldstein said. Agencies have shown a 72% decrease in the percentage of KEVs exposed for 45 or more days.

Goldstein noted that from fiscal year 2022 to 2023, CISA observed a 79% reduction in the federal civilian agency attack surface due to internet-accessible KEVs, despite an increase in KEV catalog entries during this timeframe.

The mean-time-to-remediate KEVs is an average of nine days faster than for non-KEVs, and 36 days faster for internet-facing KEVs, he added.

“Recognizing that every agency must prioritize their finite cybersecurity resources, we maintain the KEV catalog as the authoritative source of vulnerabilities that have been exploited in the wild, sending a clear message to all organizations to prioritize remediation efforts on the subset of vulnerabilities that are causing immediate harm based on adversary activity,” he explained.

In addition to outlining a range of CISA efforts to protect federal agencies, Goldstein highlighted several future initiatives the agency hopes to embark on.

CISA has plans to find technology solutions for a threat intelligence platform that allows them to onboard partners into trusted enclaves to openly exchange threat information, as well as building out a cyber playbook to enhance mutually supportive federal civilian agency response and coordination during cyber events.

They also want to expand the services they offer to federal agencies that are scalable, cost effective and are proven to drive down known security risks.

“We will bolster our ability and capacity to provide agencies with hands-on support, including through our Federal Enterprise Improvement Teams, to help agencies accelerate progress toward implementing Zero Trust architectures and implement our directives,” Goldstein said.

“Finally, at a strategic level, we will continue working to defend the FCEB enterprise as a cohesive, interdependent organization, where agencies maintain their responsibility and authority to manage their own systems while centralized investments effectively address cross-agency risks.”

During the hearing, Rep. Eric Swalwell (D-CA) asked how CISA would fare in the event of a government shutdown, noting that the U.S. is just weeks away from running out of funding.

“A significant cut to our budget would be catastrophic. We would not be able to continue even sustaining some of the core functions across programs, like [Continuous Diagnostics and Mitigation (CDM) federal dashboard], like our shared services,” Goldstein told Congress.

“Right now, we are at the point where we have reasonable confidence in our visibility into risks facing federal agencies. We would not be able to sustain that visibility with a significant budget cut and our adversaries would unequivocally exploit those gaps.”