Agencies See Sharp Decrease in Known Exploited Vulnerabilities on Federal Networks


A catalog of exploited vulnerabilities managed by the largest U.S. cybersecurity agency is having a significant effect on the security of federal civilian agencies, according to testimony by a senior official before Congress.

The Cybersecurity and Infrastructure Security Agency (CISA) conducted its Catalog of Known Exploited Vulnerabilities (KEV) For more than two years and it quickly became the go to repository for vulnerabilities actively exploited by hackers around the world.

Any vulnerabilities added to the catalog must be fixed by all federal civilian agencies within three weeks.

In testimony this week at a House hearing, Eric Goldstein, CISA’s executive assistant director for cybersecurity, shared several statistics showing that the catalog had a demonstrable effect on the cybersecurity of more than 100 civilian agencies federal authorities of the United States government.

“For the first time, we have real-time visibility into vulnerabilities and misconfigurations across 102 agencies, enabling rapid remediation before intrusions occur – including directing the remediation of more than 12 million known exploited vulnerabilities (KEVs) in the last two years,” he said. .

“CISA’s efforts enable FCEB agencies to deny malicious actors the ability to access federal networks and reduce the risk of compromise due to internet-accessible KEVs that frequently compromise public and private entities.

Federal civilian agencies have corrected more than 7 million KEV findings this calendar year alone, Goldstein said. Agencies showed a 72% decrease in the percentage of KEVs exposed for 45 days or more.

Goldstein noted that between FY 2022 and 2023, CISA observed a 79% reduction in the attack surface of federal civilian agencies due to internet-enabled KEVs, despite an increase in entries in the KEV catalog over of this period.

The average resolution time for KEVs is on average nine days faster than for non-KEVs, and 36 days faster for internet-connected KEVs, it added.

“Recognizing that every agency must prioritize its limited cybersecurity resources, we maintain the KEV Catalog as the authoritative source of vulnerabilities that have been exploited in the wild, sending a clear message to all organizations to give prioritizing remediation efforts on the subset of vulnerabilities that are causing the vulnerabilities. immediate harm based on adversary activity,” he explained.

In addition to outlining a series of CISA efforts to protect federal agencies, Goldstein highlighted several future initiatives the agency hopes to embark on.

CISA plans to find technology solutions for a threat intelligence platform that will allow them to integrate partners into trusted enclaves to openly exchange threat intelligence, as well as develop a cyber playbook. playbook to improve the response and coordination of federal civilian agencies supporting each other during cyber events.

They also want to expand the services they offer to federal agencies that are scalable, cost-effective, and proven to reduce known security risks.

“We will strengthen our ability to provide agencies with practical support, including through our Federal Business Improvement Teams, to help agencies accelerate progress toward implementing Zero Trust architectures and implement implements our guidelines,” Goldstein said.

“Finally, at a strategic level, we will continue to work to defend the FCEB enterprise as a cohesive and interdependent organization, where agencies retain responsibility and authority in managing their own systems while centralized investments respond effectively to inter-agency risks. »

During the hearing, Rep. Eric Swalwell (D-CA) asked how CISA would fare in the event of a government shutdown, noting that the United States is weeks away from running out of funding.

“A significant reduction in our budget would be catastrophic. We would not even be able to continue to maintain some of the core program functions, like the federal Continuous Diagnostics and Mitigation (CDM) Dashboard, like our shared services,” Goldstein told Congress.

“Right now, we are at the point where we have reasonable confidence in our visibility into the risks facing federal agencies. We would not be able to maintain this visibility with a significant budget reduction and our adversaries would unequivocally exploit these gaps.”

Get more information with the

Future saved

Intelligence cloud.

Learn more.

No previous articles

No new articles

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Leave a comment