The Cybersecurity and Infrastructure Security Agency (CISA) has released a Jan. 10 report on adoption of the agency’s cross-sector cyber performance goals that finds four critical infrastructure sectors are seeing decreased cyber threats since putting the performance goals in place.
Released in late 2022, CISA’s Cybersecurity Performance Goals (CPGs) are a set of voluntary cybersecurity practices that critical infrastructure owners can take to protect against cyber threats. The practices align with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework 1.0, which has five main functions: identify, protect, detect, respond, and recover.
Using data from its vulnerability scanning service, which analyzed 7,791 critical infrastructure organizations across two years, the agency said the four critical infrastructure sectors most impacted by CPG adoption were healthcare and public health, water and wastewater systems, communications, and government services and facilities.
All of those sectors benefiting from CPG adoption appear to have a “strong partnership and collaboration with CISA,” according to the report.
“Overall, CISA initiatives, programs, and products are directly influencing critical infrastructure sector service enrollments and adoption of CPGs,” the agency said. “General analysis of CISA data reveals a moderate impact of CPG adoption across critical infrastructure sectors,” it said.
The report found that exploitable services routinely monitored by CISA’s scanning service have been steadily decreasing since August 2022, going from 12 services per enrollee to about eight services in August 2023.
Remediation times for known exploited vulnerability (KEV) tickets and secure sockets layer (SSL) vulnerability tickets also decreased, being cut in half (50 percent) for critical KEVs and by 25 percent for high-severity KEVs. In 2024, SSL vulnerability-related tickets were resolved in under 50 days, compared to 2022, when tickets took around 200 days to be resolved.
“Since publication of the CISA CPGs, entities enrolled in CISA’s Vulnerability Scanning service demonstrated a continued decline in the average number of KEVs on their networks,” said CISA. “This indicates that critical infrastructure organizations are successfully prioritizing the remediation of vulnerabilities based upon KEVs.”
Cyber hygiene service enrollment – frequently promoted by Federal officials to improve routine cyber practices – also increased by 201 percent compared to 2022, which the report said was “likely a result of CISA programs and initiatives, such as the CPGs, targeted risk analysis and intel products, and other efforts.”
Areas still needing improvement, according to the cybersecurity agency, include: full implementation of the security.txt file – a standardized file that tells researchers how to report security issues to an organization – which organizations are currently slow to adopt; selecting appropriate security controls and understanding the sensitivity of data stored in the cloud; and addressing vulnerabilities in popular and widely used software platforms, such as PHP- and Apache-related vulnerabilities.
With increased adoption of CPGs and other cybersecurity-related practices, CISA said notable improvements in threat mitigation and resolution will likely be seen.
“As CISA strengthens partnerships across all sectors, CPG adoption will continue to expand,” CISA wrote. “Additionally, as CISA continues to evolve CPG guidance, CPG adoption analytics will be more granular and apparent. Over time, this advancement will allow CISA to infer adoption of more CPGs.”