CISA Data Shows Federal Civilian Agencies Faster Than Industry at Patching


The nation’s risk adviser continues to expand its role in what it’s dubbed the year of vulnerability management.

An analysis of data collected by the Cybersecurity and Infrastructure Security Agency shows civilian government agencies are doing better than private sector owners and operators of critical infrastructure when it comes to a major indicator of adherence to basic cybersecurity practices.

“For the federal civilian executive branch, we’ve seen patching timeframes consistently hold at 15 days for critical vulnerabilities and 30 days for high,” said Boyden Rohner, associate director of vulnerability management at CISA. “However, outside of the federal civilian executive branch, in other critical infrastructures, the timeframes to patch have been largely longer.” 

Rohner used data gathered from entities subscribing to CISA services such as incident response and vulnerability assessment to share insights and predictions for 2020 on Wednesday as part of CISA’s third annual cybersecurity summit. 

CISA and the Office of Management and Budget recently finalized instructions for federal agencies to lay out the welcome mat for security researchers who can identify vulnerabilities in their systems. And the agency is establishing a platform it can use to hold agencies accountable to expected patching times for vulnerabilities brought to their attention. But the majority of the nation’s critical infrastructure, about 85% according to the Government Accountability Office, is privately controlled.

Rohner encouraged organizations to continue targeting the low-hanging fruit of known vulnerabilities in their management of risk.

The bad news, she said, is that “33% of critical infrastructure operates a potentially risky service exposed to the internet and 52% of critical infrastructure has a vulnerability that has a known exploit available.” But there is also good news. “We’re seeing a reduction of actionable, exploitable vulnerabilities,” Rohner said. “This means entities are prioritizing their vulnerability management activities effectively.”
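To make the two ideas above concrete, the patching timeframes Rohner cited (15 days for critical, 30 days for high) and the two risk signals she singled out (a known exploit, an internet-exposed service), here is a small remediation tracker. It is an added example written for this page, not code from CISA or the article: it ranks open findings so that exploitable, exposed items come first and reports how many closed findings met the timeframe. The findings, hostnames, finding IDs and the 90-day window for medium severity are all constructed assumptions; the article gives no medium-severity timeframe.

```python
"""Added example, not from the article or CISA: track patch SLAs and rank
open findings by the risk signals quoted in the article."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Remediation windows in days, keyed by severity.
# critical=15 and high=30 are the timeframes quoted in the article;
# medium=90 is an assumption made for this example only.
SLA_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90}


@dataclass
class Finding:
    host: str
    vuln_id: str          # placeholder tracking ID, not a real CVE
    severity: str
    detected: date
    known_exploit: bool   # public exploit available
    internet_exposed: bool
    patched: Optional[date] = None


def days_overdue(f: Finding, today: date) -> int:
    """Days past the SLA deadline. Negative means still inside the window.
    For patched findings the clock stops at the patch date."""
    end = f.patched or today
    return (end - f.detected).days - SLA_DAYS[f.severity]


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings, most urgent first: known exploit beats no exploit,
    internet-exposed beats internal, then the most overdue item."""
    open_findings = [f for f in findings if f.patched is None]
    return sorted(
        open_findings,
        key=lambda f: (not f.known_exploit,
                       not f.internet_exposed,
                       -days_overdue(f, today)),
    )


def sla_report(findings: List[Finding], today: date) -> dict:
    """Share of closed findings patched within SLA, plus the open ones
    already past their deadline."""
    closed = [f for f in findings if f.patched is not None]
    within = [f for f in closed if days_overdue(f, today) <= 0]
    overdue_open = [f for f in findings
                    if f.patched is None and days_overdue(f, today) > 0]
    return {
        "closed_within_sla": len(within) / len(closed) if closed else None,
        "open_overdue": [f.vuln_id for f in overdue_open],
    }


# Constructed sample data for this example.
TODAY = date(2020, 10, 1)
SAMPLE: List[Finding] = [
    Finding("web-1", "F1", "critical", date(2020, 9, 1), True, True),
    Finding("db-1", "F2", "high", date(2020, 9, 20), False, False),
    Finding("ics-gw", "F3", "high", date(2020, 8, 1), True, False),
    Finding("web-2", "F4", "critical", date(2020, 9, 10), False, True,
            patched=date(2020, 9, 20)),
    Finding("app-1", "F5", "high", date(2020, 8, 1), False, False,
            patched=date(2020, 9, 15)),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE, TODAY):
        print(f"{f.vuln_id} {f.host:8} {f.severity:8} "
              f"exploit={f.known_exploit} exposed={f.internet_exposed} "
              f"overdue={days_overdue(f, TODAY):+d}d")
    print(sla_report(SAMPLE, TODAY))
```

With the sample data, F1 (exploitable and exposed, 15 days past its critical window) ranks first, F3 (exploitable but internal, 31 days past its high window) second, and F2 (no exploit, internal, still inside its window) last; of the two closed findings only F4 was patched inside its window, so the closed-within-SLA rate is 0.5. Ordering by known exploit before anything else is the point of Rohner's "low-hanging fruit" remark: a high-severity finding with a public exploit is usually a better use of a patch cycle than a critical one nobody can reach.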

Following an announcement Wednesday, CISA will now play a greater role in determining what even counts as a vulnerability within some areas of the private sector. The agency has been approved by the Common Vulnerabilities and Exposures program maintained by the MITRE corporation to act as a supervisory, or “top-level,” CVE numbering authority for industrial control systems and medical devices.

“This designation as a Top-Level Root enables the rapid identification and resolution of issues specific to those environments,” said Chris Levendis, CVE Program Board Member and a principal systems engineer at MITRE. “This is consistent with the CVE Program’s federated growth strategy to scale the CVE Program in a sustainable, stakeholder driven way.”

CISA will initially contribute to and oversee the vulnerability identification activities of seven entities, including Siemens and Johnson Controls.

“Continuing to encourage public and transparent disclosure of industrial control systems and medical device vulnerabilities is a critical mission for CISA,” said Bryan Ware, assistant director for cybersecurity at the agency. “This expansion will encourage more vendors to participate in the CVE Program and allow CISA to better support stakeholders as they become more engaged.”

But identifying vulnerabilities is one thing, patching them is another. Rohner stressed that entities should not lose focus on basic security needs, especially in an environment of increased remote work. 

“The basics plagued us before the pandemic began and it’s going to be even more important to address now,” she said.