The Cybersecurity and Infrastructure Security Agency (CISA) has reported a significant decrease in the number of known exploited vulnerabilities within organizations participating in its cybersecurity performance goals program. Since the program’s inception in October 2022, these organizations have seen a 20% reduction in such vulnerabilities.
CISA’s initiative, aimed at small- and medium-sized organizations, provides a voluntary framework for enhancing security measures. The agency’s vulnerability scanning service, which had 3,500 organizations enrolled before April 1, 2022, has witnessed a nearly 70% increase in participation, now boasting over 5,900 members.
The agency’s Known Exploited Vulnerabilities Catalog, which tracks security flaws actively used in cyberattacks, has shown a downward trend in the average number of vulnerabilities per organization. From approximately 0.58 per entity in April 2022, the figure dropped to 0.49 in October and further to 0.30 by June of the following year.
While the progress is promising, Brian Fox, co-founder and CTO of Sonatype, warns of potential selection bias among the organizations utilizing the scanning service. He emphasizes the broader issue of market-wide inattention to cybersecurity, citing that 30% of Log4j downloads are still of the compromised versions, two years post-disclosure. The data suggests a need for continued vigilance and adoption of cybersecurity best practices across the industry.