This is the mobile-friendly web version of the original article.

CISA Analysis: FY2020 Risk and Vulnerability Assessments

Publication: July 2021

DISCLAIMER: This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.cisa.gov/tlp/.

1. BACKGROUND

BACKGROUND

Each year, the Cybersecurity and Infrastructure Security Agency (CISA) conducts Risk and Vulnerability Assessments (RVAs) of Federal Civilian Executive Branch (FCEB), Critical Infrastructure (CI), and State, Local, Tribal, and Territorial (SLTT) stakeholders. An RVA assesses an organization’s overall effectiveness in identifying and addressing network vulnerabilities. In Fiscal Year 2020 (FY20), CISA conducted 37 RVA assessments of multiple stakeholders across the various sectors and aligned the results to the MITRE ATT&CK® framework. The goal of the RVA analysis is to develop effective strategies that positively impact the security posture of FCEB, SLTT, and CI stakeholders.

During an RVA, CISA collects data through onsite assessments and combines it with national threat and vulnerability information to provide an organization with actionable remediation recommendations prioritized by risk. CISA designed RVAs to identify vulnerabilities that adversaries could exploit to compromise network security controls. An RVA may incorporate the following methodologies:

• Scenario-based network penetration testing
• Web application testing
• Social engineering testing
• Wireless testing
• Configuration reviews of servers and databases
• Detection and response capability evaluation

After completing the RVA, CISA provides the organization a final report that includes business executive recommendations, specific findings, potential mitigations, and technical attack path details.

CISA’s RVA teams leverage the MITRE ATT&CK framework, which is a “globally accessible knowledge base of adversary tactics and techniques based on real-world observations.”¹ The framework aims to build a community-driven knowledge base—comprising known tactics, techniques, and procedures (TTPs) of threat actors—to help develop threat models and facilitate vulnerability mitigation efforts. The framework includes 14 distinct attack paths that cyber adversaries use to obtain and maintain unauthorized access to a network/system.

¹ https://us-cert.cisa.gov/best-practices-mitre-attckr-mapping