Dive Brief:
- The Cybersecurity and Infrastructure Security Agency trumpeted progress across its efforts to decrease critical infrastructure organizations’ exposure to actively exploited CVEs and cut remediation times in a Friday report.
- The number of critical infrastructure organizations enrolled in CISA’s vulnerability scanning service nearly doubled over a two-year period to 7,791 organizations at the end of August 2024. CISA added 1,199 vulnerabilities to its known exploited vulnerabilities catalog through the same period.
- During the two-year period of analysis, critical infrastructure organizations enrolled in CISA’s vulnerability scanning service reduced average remediation times from 60 days to 30 days.
Dive Insight:
Federal cyber authorities’ effort to help critical infrastructure organizations proactively monitor internet-connected systems for known exploited vulnerabilities is making a moderate impact, CISA said.
The agency’s review of increased enrollment in its cyber hygiene program across the two-year period from Aug. 1, 2022 to Aug. 31, 2024 found improvements in six key cybersecurity performance goals, including mitigating known vulnerabilities. CISA said it also made progress toward stopping exploitable services from appearing on the internet, strengthening encryption, limiting OT connections on the public internet, deploying security.txt files, and improving email security.
CISA established 37 voluntary goals under its cybersecurity performance goals program in October 2022. The agency revised the set of goals in March 2023.
Remediation times and the number of tickets filed by critical infrastructure organizations for known exploited vulnerabilities over the two-year period dropped 50% for critical-severity CVEs and 25% for high-severity CVEs.
Organizations enrolled in CISA’s vulnerability scanning service “demonstrated a continued decline in the average number of known exploited vulnerabilities on their networks,” the report found. During the period of analysis, most entities displayed an average rate of 0.5 known exploited vulnerabilities present in their systems.
While federal efforts to increase the defensive stature and readiness of critical infrastructure organizations are showing gains, the number of ransomware attacks continues to climb.
Global ransomware attacks jumped 74% from 2022 to 2023, and 2024 was on track to exceed the previous year’s record, officials said in October.
Zero-days also remain a significant challenge for defenders, making up the majority of the most routinely exploited vulnerabilities last year.
CISA said four critical infrastructure sectors — healthcare and public health, water and wastewater systems, communications, and government services and facilities — experienced the greatest positive impact on cyber hygiene from partnerships with CISA.