CISA attributes minor security advancements to its Performance Goals initiative
The Cybersecurity and Infrastructure Security Agency (CISA) reports measurable progress in reducing critical infrastructure organizations' exposure to actively exploited vulnerabilities, according to a report the agency released in August 2024.
Over the past two years, CISA has established 37 voluntary goals under its Cybersecurity Performance Goals (CPG) program, revised that set in March 2023, and added 1,199 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The report highlights improvement against six of the performance goals, including the one on mitigating known vulnerabilities.
One of the notable results is shorter remediation times for critical-severity and high-severity Common Vulnerabilities and Exposures (CVEs): remediation times fell by 50% for critical-severity CVEs and by 25% for high-severity CVEs. Critical infrastructure organizations enrolled in CISA's vulnerability scanning service also cut their average remediation time from 60 days to 30 days over the two-year analysis period.
Enrolled organizations likewise show a continued decline in the average number of known exploited vulnerabilities present on their networks; most entities now average 0.5 known exploited vulnerabilities.
CISA says its efforts to help critical infrastructure organizations proactively monitor internet-connected systems for known exploited vulnerabilities are having a moderate impact. The report does not say which critical infrastructure sectors improved their average remediation times the most.
Partnerships with CISA have had the greatest positive effect on cyber hygiene in four sectors: healthcare and public health, water and wastewater systems, communications, and government services and facilities. The report gives no figures for the cyber hygiene of critical infrastructure organizations outside those four sectors.
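The two figures the report tracks for enrolled organizations, open known-exploited vulnerabilities per organization and average remediation time, are straightforward to compute from your own scan results once they are joined to the KEV catalog. The following Python is an added example, not code from the CISA report or the agency's scanning service. The catalog entries are a constructed snapshot in the JSON shape CISA publishes for the KEV feed (only the fields used here are included); the organizations, hosts, scan dates, and the placeholder non-KEV CVE ID are assumptions made for the example.

```python
"""Cross-check vulnerability-scan findings against a KEV catalog snapshot and
compute the two figures the report tracks: open known-exploited vulnerabilities
per organization and average remediation time.  Added example; the catalog
entries and findings below are a constructed sample, not real scan data."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Constructed snapshot in the JSON shape of CISA's published KEV feed
# (only the fields used here are included).
KEV_SNAPSHOT = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2023-10-18", "dueDate": "2023-11-08",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2024-04-12", "dueDate": "2024-04-19",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
""")


@dataclass(frozen=True)
class Finding:
    """One scanner observation of a CVE on a host. remediated=None means still open."""
    org: str
    host: str
    cve: str
    first_seen: date
    remediated: date | None = None


# Constructed findings for two hypothetical organizations (names are assumptions).
FINDINGS = [
    Finding("water-utility-a", "vpn-gw-1", "CVE-2023-4966", date(2023, 10, 20), date(2023, 11, 1)),
    Finding("water-utility-a", "fw-edge-1", "CVE-2024-3400", date(2024, 4, 13)),
    # Placeholder ID for a flaw that is NOT in the catalog; the KEV metrics must ignore it.
    Finding("water-utility-a", "app-1", "CVE-0000-0000", date(2024, 4, 13)),
    Finding("hospital-b", "web-1", "CVE-2021-44228", date(2021, 12, 11), date(2022, 2, 1)),
    Finding("hospital-b", "web-2", "CVE-2021-44228", date(2021, 12, 11), date(2021, 12, 20)),
    Finding("hospital-b", "fw-edge-1", "CVE-2024-3400", date(2024, 4, 13), date(2024, 4, 18)),
]


def load_kev(snapshot: dict) -> dict[str, dict]:
    """Index the catalog by CVE ID and parse its ISO dates once."""
    return {
        v["cveID"]: {**v,
                     "dateAdded": date.fromisoformat(v["dateAdded"]),
                     "dueDate": date.fromisoformat(v["dueDate"])}
        for v in snapshot["vulnerabilities"]
    }


KEV = load_kev(KEV_SNAPSHOT)


def is_open(f: Finding, as_of: date) -> bool:
    """True if the finding had been seen and not yet remediated on `as_of`."""
    return f.first_seen <= as_of and (f.remediated is None or f.remediated > as_of)


def summarize(findings: list[Finding], kev: dict[str, dict], as_of_iso: str) -> dict:
    """KEV exposure and remediation metrics as of a given date.

    open_kev:             findings still open whose CVE is in the catalog
    overdue:              open KEV findings past the catalog dueDate
    avg_open_kev_per_org: open_kev divided by the number of organizations scanned
    mean_days:            mean days from first_seen to remediation for KEV findings
                          closed by as_of (None if nothing was closed yet)
    mean_days_ransomware: same, restricted to CVEs flagged knownRansomwareCampaignUse=Known
    """
    as_of = date.fromisoformat(as_of_iso)
    kev_findings = [f for f in findings if f.cve in kev]
    open_kev = [f for f in kev_findings if is_open(f, as_of)]
    overdue = [f for f in open_kev if kev[f.cve]["dueDate"] < as_of]
    closed = [f for f in kev_findings if f.remediated is not None and f.remediated <= as_of]
    days = [(f.remediated - f.first_seen).days for f in closed]
    ransom_days = [(f.remediated - f.first_seen).days for f in closed
                   if kev[f.cve]["knownRansomwareCampaignUse"] == "Known"]
    orgs = {f.org for f in findings}
    return {
        "open_kev": len(open_kev),
        "overdue": len(overdue),
        "overdue_hosts": sorted(f"{f.org}/{f.host}" for f in overdue),
        "avg_open_kev_per_org": len(open_kev) / len(orgs),
        "mean_days": mean(days) if days else None,
        "mean_days_ransomware": mean(ransom_days) if ransom_days else None,
    }


if __name__ == "__main__":
    for day in ("2021-12-15", "2024-04-30"):
        print(day, summarize(FINDINGS, KEV, day))
```

Remediation time is measured from the date the scanner first saw the flaw, not from the catalog's dateAdded, so a vulnerability that sat unobserved on an unscanned host is not credited as remediated quickly. The dueDate field is the deadline BOD 22-01 sets for federal agencies; non-federal organizations are not bound by it, but it is a useful yardstick for flagging overdue exposure. Running the script on the constructed sample shows one open, overdue KEV finding across two organizations as of 30 April 2024 (0.5 per organization) and a mean time-to-remediate of 19.5 days.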
Despite these advancements, challenges remain. Ransomware attacks continue to rise: global ransomware attacks were up 74% from 2022 to 2023, and 2024 is on track to exceed the previous year's record. Rapid remediation of known exploited vulnerabilities is a crucial line of defense against ransomware, which frequently uses unpatched software flaws for initial access or lateral movement.
Zero-days remained a significant challenge for defenders, making up the majority of the most routinely exploited vulnerabilities last year. Broader threats such as mobile spyware and zero-click exploits further complicate ransomware defense, since attackers can use compromised mobile endpoints as pivot points into critical systems.
CISA continues to focus on shortening remediation times for known exploited vulnerabilities by emphasizing rapid patching and proactive mitigation. The agency promotes an "assume breach, then verify" approach: patch, but also maintain a tested incident response capability, validate backups, and continuously monitor for indicators of compromise tied to known flaws.
In the healthcare sector, the Healthcare Cybersecurity Act of 2025 is intended to strengthen collaboration between CISA and the Department of Health and Human Services so that critical healthcare infrastructure receives better resources, threat intelligence, and support without new regulatory mandates. The aim is to speed remediation by improving access to expertise and coordination rather than by enforcing compliance.
CISA also faces organizational restructuring that has temporarily slowed some initiatives, reducing short-term progress against emerging threats such as mobile spyware. The stated aim of these resets is to ultimately strengthen cybersecurity posture across sectors, including critical infrastructure.
In conclusion, CISA has made measurable progress in tightening remediation timelines by rapidly publicizing exploited vulnerabilities, fostering sector-specific coordination, and promoting vigilant security practices. Its updated goals emphasize speed and comprehensive defense to mitigate ransomware risk. Yet organizational reforms and emerging complex threats temporarily temper these advances, underscoring the ongoing need for an adaptive, coordinated response across critical infrastructure.
[1] CISA, "Progress in Decreasing Critical Infrastructure Organizations' Exposure to Actively Exploited CVEs and Reducing Remediation Times," August 2024.
[2] Healthcare Cybersecurity Act of 2025.
[3] CISA organizational restructuring, 2024-2025.
- Despite CISA's progress in decreasing critical infrastructure organizations' exposure to actively exploited vulnerabilities and reducing remediation times, the continued rise in ransomware attacks remains a significant threat.
- Rapid remediation of known exploited vulnerabilities is a critical defense against ransomware, which often exploits unpatched software flaws for initial access or lateral movement.
- CISA's updated goals emphasize speed and comprehensive defense to mitigate ransomware risk, promoting an "assume breach, then verify" approach that combines rapid patching with incident response, backup validation, and continuous monitoring for indicators of compromise tied to known flaws.