
CISA’s Vulnerability Management goes “Big” on Interns and the Results are Staggering!


Sandy Radesky, Associate Director, Vulnerability Management and Wendell Jose, Senior Program Manager, Student Programs 

This year, we had an outstanding summer intern program and felt compelled to share our experiences and results. Our goal is to not only celebrate our team’s ingenuity and dedication but also to inspire others in the federal government to envision the possibilities of adopting a similar approach. We also hope this message informs and inspires other students, the future cyber leaders, to join CISA or similar organizations within the federal government.

The Vulnerability Management subdivision focuses on proactive vulnerability discovery and mitigation, technical and cybersecurity maturity-based assessments, and operational technology (OT) and software security. This unique and broad mission to bolster America’s cybersecurity posture presents challenges that need diverse insights and often additional human resources. 

To tackle these challenges, we lean into support from collaborations and partnerships with industry, Federally Funded Research and Development Centers (FFRDCs), and academia. In addition, we prioritize connecting with highly creative problem-solvers as early in their career paths as possible, including through our intern selections.

In January, our journey to identify prospective interns began at the Scholarship for Service (SFS) annual conference hosted by the Office of Personnel Management (OPM) in DC. Our team of experts set high expectations to spot diverse and motivated top talent! As summer began, 17 exceptional interns from the SFS Program, Pathways, and the CISA Neurodiverse Federal Workforce (NFW) Initiative joined our team.

We assigned these interns to tackle real, challenging problems across the spectrum of our mission space. These projects included ransomware, vulnerability disclosure, open-source intelligence research, security researcher engagement, penetration testing automation, knowledge management, operations, and vulnerability analysis and discovery.

We are thankful to the following interns for their contributions to our mission: 

  • Elisabeth S., a Cadet at The Citadel, Military College of South Carolina, developed ransomware vulnerability guidance for K-12 stakeholders, enhancing awareness of critical vulnerabilities and reducing the time to mitigate vulnerabilities prior to ransomware encryption. 
  • Karen E., from Old Dominion University, developed a strategy that reduced the time to process vulnerability disclosure information by 30%, with research that analyzed 7,100 vulnerabilities and 2,546 published advisories.
  • Aston P., from Michigan Technological University, developed automations for the Risk and Vulnerability Assessment Reporting Engine, reducing the need for manual reporting activities and saving a significant amount of time on assessments.
  • Fanta D., from University of Massachusetts, analyzed assessment surveys to evaluate how often customers implemented CISA’s risk reduction recommendations.
  • Gregory W., from Old Dominion University, designed a Search Center that allows employees to search the VM Information Hub and related sites, which increases efficiency across the subdivision when looking for workforce and mission-related information.
  • Sophia H., from Kansas State University, performed market research, capability, and legal analysis to enhance VM operations through the integration of open-source information and tools. 
  • Laura S., from Fordham University, developed an automated tool using Python to parse scanning data and directly update vulnerability findings, optimizing assessment completion times.
  • Lucas S., from Oregon State University, developed automated scripts to monitor the data quality and completeness trends for CVEs. Through his analysis of security.txt file adoption, he identified thousands of sites and leveraged this critical technology to uncover security.txt information used to analyze cybersecurity maturity.
  • Nia P., from Rochester Institute of Technology, and Anthony Bartuch, from Marymount University, teamed up and enhanced the Micro Evaluation Security Assessment (MESA) tool. This is a new tool being developed that enables assessment execution scaling. These efforts enhanced the tool's usability and automation, improving our success criteria for regional transition.
  • Elijah G., from Old Dominion University, used Packer, Ansible, and Terraform to automate the creation of virtual machines. His development efforts reduced the time required to patch the old infrastructure and automate the creation of new, fully secured infrastructure used to support technical assessments.
  • Hannah B., from Old Dominion University, enhanced vulnerability open-source information gathering and security researcher partnership efforts. Her analysis enabled VM to implement an operationally dynamic communication method with valuable security researchers.
  • Anamaria Alvarez C., from Polytechnic University of Puerto Rico, created training materials on various platforms for vulnerability hunting. She also developed Python scripts to search scan data files and enhance vulnerability prevalence analysis.
  • Paul B. focused on developing user experience testing to enhance VM’s Information Hub usability. He also supported VM’s annual records inventory data exercise.
  • Robert B., from the New Jersey Institute of Technology, designed a tool to monitor changes in externally facing web applications for federal agencies. This tool helped the Federal Attack Surface Testing (FAST) service prioritize operational testing.
  • George B., from Louisiana State University, automated the RustPacker and PythonLoader family of phishing payloads. His tools significantly simplified the assessment teams' work, saving hours of manual effort for each assessment.
  • Makiyah D., from the Georgia Institute of Technology, played a key role in the VM Assessment Modernization Team. She contributed to developing a proof of concept that aimed to modernize High Value Asset (HVA) and Risk & Vulnerability Assessments (RVA).

These achievements serve as a reminder, as they did for us, of the significant impact a single individual can make. However, when integrated into a team, “together everyone achieves more.” If you’re a student, intern, or new graduate, you have valuable skills and talents that our nation needs!

CISA’s overall involvement in connecting with students and recent graduates has us participating in over 25 different programs, including six dedicated solely to internships. In fiscal year 2024, more than 78 interns from diverse backgrounds and institutions, including the United States Military Academy, U.S. Coast Guard Academy, and Stanford University, served across the agency. We’ve noticed a rising interest in policy-focused students, with strong participation from law schools seeking vital cybersecurity experience to prepare future cyber policymakers. CISA also recently formed an agreement with Harvard University that allows their students to participate in a summer internship rotation in 2025. This growing interest signals a positive trend and indicates that CISA will continue to lead and benefit from the development of future cyber leaders in government!

For more information about how to participate in CISA’s internship program, please visit this site: https://www.cisa.gov/students-recent-graduates-employment-opportunities