CISA: Agencies seeing steep decrease in known exploited vulnerabilities on federal networks

Siva Ramakrishnan
A catalog of exploited vulnerabilities run by the top cybersecurity agency in the U.S. is having a significant effect on the security of federal civilian agencies, according to Congressional testimony from a senior official.

The Cybersecurity and Infrastructure Security Agency (CISA) has run its Known Exploited Vulnerabilities (KEV) catalog for more than two years, and it has quickly become the go-to repository for vulnerabilities actively being exploited by hackers around the world.

Any vulnerability added to the catalog must be addressed by all federal civilian agencies within a three-week timeframe.

In testimony this week during a House of Representatives hearing, CISA Executive Assistant Director for Cybersecurity Eric Goldstein shared several statistics showing the catalog was having a demonstrable effect on the cybersecurity of the U.S. government’s more than 100 federal civilian agencies.

“For the first time, we have real-time visibility into vulnerabilities and misconfigurations across 102 agencies, allowing timely remediation before intrusions occur – including directing the remediation of over 12 million Known Exploited Vulnerabilities (KEV) over the past two years,” he said.

“CISA’s efforts are enabling FCEB agencies to deny threat actors opportunities to gain access to federal networks and reduce risk of compromise due to internet accessible KEVs that frequently compromise public and private entities.”

Federal civilian agencies have remediated more than 7 million KEV findings this calendar year alone, Goldstein said. Agencies have shown a 72% decrease in the percentage of KEVs exposed for 45 or more days.

Goldstein noted that from fiscal year 2022 to 2023, CISA observed a 79% reduction in the federal civilian agency attack surface due to internet-accessible KEVs, despite an increase in KEV catalog entries during this timeframe.

The mean-time-to-remediate KEVs is an average of nine days faster than for non-KEVs, and 36 days faster for internet-facing KEVs, he added.
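The statistics above (overdue KEVs against a remediation deadline, the share of KEV findings exposed for 45 or more days, and mean time to remediate for KEV versus non-KEV findings) are the kind of numbers an agency computes by joining scanner output against the catalog. The script below is an added example, not code from CISA or from the article; it assumes the catalog subset follows the layout of CISA's published KEV JSON feed (a `vulnerabilities` list with `cveID`, `dateAdded` and `dueDate` fields), and the CVE identifiers, hosts and dates are constructed placeholders.

```python
"""Added example: computing KEV exposure metrics from scanner findings.

Assumptions (not from the article): KEV_CATALOG mirrors the field layout of
the CISA KEV JSON feed; FINDINGS is a constructed scanner export. All CVE
identifiers below are placeholders, not real catalog entries.
"""
from datetime import date
from statistics import mean

# Constructed KEV catalog subset (placeholder CVE ids).
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2023-06-01", "dueDate": "2023-06-22"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2023-07-10", "dueDate": "2023-07-31"},
    ]
}

# Constructed scanner findings, one row per (host, CVE).
# "remediated" is None while the finding is still open.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "internet_facing": True,
     "first_seen": "2023-06-02", "remediated": "2023-06-10"},
    {"host": "app-02", "cve": "CVE-0000-0001", "internet_facing": False,
     "first_seen": "2023-06-02", "remediated": "2023-08-01"},
    {"host": "vpn-01", "cve": "CVE-0000-0002", "internet_facing": True,
     "first_seen": "2023-07-11", "remediated": None},
    {"host": "db-01", "cve": "CVE-0000-0099", "internet_facing": False,
     "first_seen": "2023-06-02", "remediated": "2023-07-20"},
    {"host": "db-02", "cve": "CVE-0000-0098", "internet_facing": True,
     "first_seen": "2023-06-02", "remediated": "2023-06-30"},
]


def _d(iso):
    return date.fromisoformat(iso)


def kev_index(catalog):
    """Map cveID -> catalog entry for fast membership checks."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def days_exposed(finding, as_of_iso=None):
    """Days from first detection to remediation, or to as_of_iso if still open."""
    end = _d(finding["remediated"]) if finding["remediated"] else _d(as_of_iso)
    return (end - _d(finding["first_seen"])).days


def overdue_kevs(findings, catalog, as_of_iso):
    """Open KEV findings whose catalog dueDate has already passed."""
    kev = kev_index(catalog)
    as_of = _d(as_of_iso)
    return sorted(
        f"{f['host']}:{f['cve']}"
        for f in findings
        if f["cve"] in kev and f["remediated"] is None
        and _d(kev[f["cve"]]["dueDate"]) < as_of
    )


def pct_kev_exposed_45_days(findings, catalog, as_of_iso):
    """Percentage of KEV findings (open or closed) exposed for 45+ days."""
    kev = kev_index(catalog)
    kev_findings = [f for f in findings if f["cve"] in kev]
    long_exposed = [f for f in kev_findings if days_exposed(f, as_of_iso) >= 45]
    return 100.0 * len(long_exposed) / len(kev_findings) if kev_findings else 0.0


def mean_time_to_remediate(findings, catalog, internet_facing=None):
    """Mean days to close, reported separately for KEV and non-KEV findings.

    Pass internet_facing=True/False to restrict to that asset class.
    """
    kev = kev_index(catalog)
    buckets = {"kev": [], "non_kev": []}
    for f in findings:
        if f["remediated"] is None:
            continue  # still open: not a remediation time
        if internet_facing is not None and f["internet_facing"] != internet_facing:
            continue
        buckets["kev" if f["cve"] in kev else "non_kev"].append(days_exposed(f))
    return {k: (mean(v) if v else None) for k, v in buckets.items()}


if __name__ == "__main__":
    as_of = "2023-08-15"
    print("overdue KEVs:", overdue_kevs(FINDINGS, KEV_CATALOG, as_of))
    print("% KEV exposed 45+ days:", round(pct_kev_exposed_45_days(FINDINGS, KEV_CATALOG, as_of), 1))
    print("MTTR (all):", mean_time_to_remediate(FINDINGS, KEV_CATALOG))
    print("MTTR (internet-facing):", mean_time_to_remediate(FINDINGS, KEV_CATALOG, internet_facing=True))
```

The due date is taken from the catalog entry rather than recomputed from `dateAdded`, so the check stays correct if CISA sets a shorter or longer window for a particular entry; the 45-day threshold and the KEV/non-KEV split match the metrics Goldstein cited.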

“Recognizing that every agency must prioritize their finite cybersecurity resources, we maintain the KEV catalog as the authoritative source of vulnerabilities that have been exploited in the wild, sending a clear message to all organizations to prioritize remediation efforts on the subset of vulnerabilities that are causing immediate harm based on adversary activity,” he explained.

In addition to outlining a range of CISA efforts to protect federal agencies, Goldstein highlighted several future initiatives the agency hopes to embark on.

CISA has plans to find technology solutions for a threat intelligence platform that allows them to onboard partners into trusted enclaves to openly exchange threat information, as well as building out a cyber playbook to enhance mutually supportive federal civilian agency response and coordination during cyber events.

They also want to expand the services they offer to federal agencies that are scalable, cost-effective and proven to drive down known security risks.

“We will bolster our ability and capacity to provide agencies with hands-on support, including through our Federal Enterprise Improvement Teams, to help agencies accelerate progress toward implementing Zero Trust architectures and implement our directives,” Goldstein said.

“Finally, at a strategic level, we will continue working to defend the FCEB enterprise as a cohesive, interdependent organization, where agencies maintain their responsibility and authority to manage their own systems while centralized investments effectively address cross-agency risks.”

During the hearing, Rep. Eric Swalwell (D-CA) asked how CISA would fare in the event of a government shutdown, noting that the U.S. is just weeks away from running out of funding.

“A significant cut to our budget would be catastrophic. We would not be able to continue even sustaining some of the core functions across programs, like [Continuous Diagnostics and Mitigation (CDM) federal dashboard], like our shared services,” Goldstein told Congress.

“Right now, we are at the point where we have reasonable confidence in our visibility into risks facing federal agencies. We would not be able to sustain that visibility with a significant budget cut and our adversaries would unequivocally exploit those gaps.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
