The Cybersecurity and Infrastructure Security Agency (CISA) highlighted advancements related to two Cybersecurity Performance Goals (CPGs) it first introduced in October 2022.

These relate to Mitigating Known Vulnerabilities (CPG Goal 1.E) and No Exploitable Services on the Internet (CPG Goal 2.W)—across approximately 3,500 organizations enrolled in the Vulnerability Scanning service.

A consistent reduction of almost 20% in the average number of known exploited vulnerabilities (KEVs) was observed in networks, aligning with the action recommended in CPGs for patching or mitigating KEVs.

Furthermore, CISA’s analysis detected modest reductions (1% or less) in exploitable services such as remote desktop protocol (RDP) and remote procedure call (RPC), crucial entry points for threat actors.

Organizations using CISA’s vulnerability scanning showcased ongoing progress in reducing vulnerability exposure, with a 69% increase in enrollment (now over 5,900 participating organizations). Newly enrolled entities managed a 20% vulnerability decrease within their initial three months of vulnerability scanning.

Although these developments demonstrated positive strides, the CISA acknowledged the need for further improvement.

Plans involve continuous analysis and expansion of tracking methods to identify areas requiring attention, and CISA intends to introduce new services and capabilities to simplify CPG utilization and monitor national and sector-specific progress.

The tools provided by CISA are available free to all federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations.

Even without the use of the services and tools, organizations are advised to adopt similar measurements against these goals as well as benchmarking against other industry best practices.

Ken Dunham, director of cyber threat for Qualys, said the ongoing risk of ransomware and similar high-impact attacks, coupled with transformative zero-trust initiatives to lower cybersecurity risk with improved prioritization, has greatly assisted organizations in knowing when and where to prioritize limited resources to reduce risk.

“CISA has selected high-level goals to help prioritize the industry towards vulnerability management areas of focus to reduce risk for organizations,” he said. “Organizations value leadership, direction and feedback from trusted organizations like CISA.”

He pointed out that often, these organizations will use their areas of focus and feedback as leverage within their own board rooms to further evangelize and mature areas of focus and maturity in operations.

“Focusing upon a few select goals and areas of focus to help reduce risk is a solid approach, especially helpful for organizations that need additional assistance and focus to know what to prioritize and where to focus in their vulnerability risk management,” Dunham added.

Claude Mandy, chief evangelist for Symmetry Systems, said the biggest drivers behind these improvements are the combination of visibility and education that CISA has provided through the offering of free cybersecurity tools and services, such as the Vulnerability Scanning Service.

“It is great to see both the demonstrable reduction in these vulnerabilities and exploitable services and the increase in entities enrolled in these services,” he says. “Unfortunately, it signifies that for a large number of organizations, they were likely blind to the number of vulnerabilities they had until they enrolled in this service.”

From his perspective, investment in cybersecurity basics is a prerequisite for organizations with an online presence.

He pointed out that most effective security functions measure not only the backlog of vulnerabilities but also their speed in remediating known vulnerabilities.

“Increasingly targeted organizations are under pressure to patch newly identified vulnerabilities before discovery and exploitation by attackers,” Mandy explained. “Given the volume of vulnerabilities, they are continuously looking for ways to prioritize which vulnerabilities to address first.”

He noted that the most critical are obviously vulnerabilities with known exploits, which CISA has “rightly” prioritized, but they also consider the sensitivity, criticality and public accessibility of systems and data.