CISA report touts cyber hygiene enrollment surge for critical infrastructure orgs
The Cybersecurity and Infrastructure Security Agency has seen a surge in its Cyber Hygiene (CyHy) service enrollment from critical infrastructure organizations over a two-year period, with the communications sector representing the biggest jump.
In a report released Friday, CISA said an analysis of the 7,791 critical infrastructure organizations enrolled in the agency’s vulnerability scanning service from Aug. 1, 2022, through Aug. 31, 2024, showed a 201% increase in its CyHy enrollment, led by the communications (300%), emergency services (268%), critical manufacturing (243%) and water and wastewater systems (242%) industries.
As a result of this enrollment boom, CISA said it has found improvements across the six cybersecurity performance goals (CPGs) it tracks: mitigating known vulnerabilities, eliminating exploitable services on the internet, using strong and agile encryption, limiting OT connections to the public internet, deploying a security.txt file, and email security.
One area of improvement cited by CISA is a steady decrease in the number of exploitable services routinely monitored by the agency’s vulnerability scanning, from 12 services per CyHy enrollee in August 2022 to roughly eight apiece two years later.
The number of known exploited vulnerability (KEV) tickets also declined over those two years, with critical-severity KEV tickets falling 50% and high-severity tickets dropping 25%. Remediation times for Secure Sockets Layer (SSL) vulnerabilities fell as well: tickets took roughly 200 days to resolve as of August 2022, then dropped to less than 50 days months later.
Also highlighted in CISA’s report was data on the highest occurrences of operational technology protocols exposed to the public internet, drawing particular attention to the 63% exposure rate found in the government services and facilities sector. The IT (10%), energy (10%), health care (5%) and financial services (4%) industries were also called out.
“Overall, CISA initiatives, programs, and products are directly influencing critical infrastructure sector service enrollments and adoption of CPGs,” the report concluded. “General analysis of CISA data reveals a moderate impact of CPG adoption across critical infrastructure sectors.”