CISA Wants Feedback on Its Vulnerability Assessments

The agency is looking to improve a program that lets critical infrastructure operators measure their digital security and see how they stack up against their counterparts.

The Homeland Security Department is looking for feedback on a program that lets critical infrastructure operators see how their cyber defenses stack up against one another.

The vulnerability assessment program, run by the Cybersecurity and Infrastructure Security Agency, also helps participants spot specific weaknesses in their digital infrastructure and develop strategies to close those gaps. 

After launching the initiative roughly a year ago, CISA wants to know whether industry finds it effective and how it might be improved. The agency will post a request for comment on the program to the Federal Register on Thursday.

The program is voluntary and available to organizations across all 16 critical infrastructure sectors. According to the post, the initiative costs the government roughly $2.2 million per year.

To assess participants’ security posture, CISA personnel collect “basic, high-level information” on their physical and cyber defenses. They then analyze the data to create two different scores, one that measures the strength of the group’s defenses and another that rates its resiliency under attack.

“This information allows an organization to see how it compares to other organizations within the same sector as well as allows them to see how adjusting certain aspects would change their score,” officials wrote in the post. “This allows the organization to then determine where best to allocate funding and perform other high-level decision-making processes pertaining to the security and resiliency of the organization.” 

The assessments are also logged in an internal database that CISA uses to inform its own infrastructure protection policies and operations, according to the post. Participants are also asked to fill out questionnaires that the agency uses to improve the program.

Through the most recent solicitation, officials are specifically looking for comments on the program’s effectiveness, as well as measures that might improve its assessments or make it easier for participants to use. The public must submit feedback by Dec. 14.