Key Cyber Initiatives from CISA: KEV Catalog, CPGs, and PRNI
In an era of increasingly sophisticated cyber threats, securing critical infrastructure has become a cornerstone of national security. CISA’s mission is to drive collaborative, proactive efforts to reduce risk and strengthen resilience for our nation’s critical infrastructure, federal civilian branch assets, and the private sector more broadly. While these efforts are many and varied, I’d like to highlight three particularly transformative initiatives—the Known Exploited Vulnerabilities (KEV) Catalog, Cybersecurity Performance Goals (CPGs), and the Pre-Ransomware Notification Initiative (PRNI)—to illustrate how we can collectively work to reshape the cybersecurity landscape.
Known Exploited Vulnerabilities Catalog
In November 2021, CISA introduced the KEV Catalog to address a critical challenge: the growing backlog of unpatched vulnerabilities being actively exploited by threat actors. Amid rising concerns about the risk to Federal Civilian Executive Branch (FCEB) networks, CISA established the KEV Catalog to help prioritize efforts to remediate software vulnerabilities based on whether such vulnerabilities are being actively exploited by threat actors. While a requirement to remediate KEV Catalog-listed vulnerabilities is only binding on FCEB agencies, the KEV Catalog was immediately a useful resource for all organizations, including non-federal organizations large and small.
- Comprehensive Repository: The KEV Catalog now includes over 1,200 vulnerabilities, representing a robust and growing knowledge base.
- Federal Adoption: BOD 22-01 mandates FCEB agencies to remediate KEV-listed vulnerabilities within strict timeframes, creating a cascading effect that has influenced private sector practices to proactively pursue remediation.
- Accelerated Remediation: Organizations address KEV vulnerabilities 3.5 times faster than non-KEV vulnerabilities. FCEB agencies alone have remediated over 12 million KEV findings between 2022 and 2023.
- Sector Engagement: SLTT (State, Local, Tribal, and Territorial) governments using CISA’s free vulnerability scanning services saw a 31% reduction in KEVs exposed on their networks for periods longer than 45 days.
- Global Collaboration: The KEV Catalog’s public and accessible nature has encouraged adoption among international partners, enhancing collective resilience.
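How the catalog is put to work inside an organization's vulnerability-management process, as an added example (this is not CISA's code nor any tool the page describes): the script below indexes a constructed feed that mirrors the field names of the public KEV JSON (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), joins it against constructed scanner findings, and ranks them so that KEV-listed, overdue and ransomware-linked items come first regardless of CVSS score, while flagging any KEV exposed beyond the 45-day window cited above. Asset names, dates and the CVE identifiers are placeholders invented for the example.

```python
"""Rank scanner findings against the CISA KEV Catalog (added example, constructed data)."""
import json
from datetime import date

# Constructed stand-in for the downloaded KEV feed. Field names follow the real
# feed's schema; the CVE ids are placeholders, not real catalog entries.
KEV_FEED_JSON = json.dumps({
    "title": "Constructed KEV feed excerpt",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleVendor", "product": "Web Portal",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "OtherVendor", "product": "App Server",
         "dateAdded": "2024-04-19", "dueDate": "2024-05-10", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one row per (asset, CVE) with the date first observed.
SCAN_FINDINGS = [
    {"asset": "vpn-01", "cve": "CVE-EXAMPLE-0001", "first_seen": "2024-01-12", "cvss": 6.5},
    {"asset": "web-03", "cve": "CVE-EXAMPLE-0002", "first_seen": "2024-03-20", "cvss": 9.8},
    {"asset": "web-03", "cve": "CVE-EXAMPLE-0003", "first_seen": "2024-04-10", "cvss": 7.2},
    {"asset": "db-02", "cve": "CVE-EXAMPLE-9999", "first_seen": "2023-11-01", "cvss": 9.1},  # not in KEV
]

EXPOSURE_LIMIT_DAYS = 45  # the exposure window referenced in the SLTT metric above


def load_kev(feed_json):
    """Index the catalog by CVE id so lookups from scanner output are O(1)."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritise(findings, kev, today):
    """Annotate each finding with KEV status and return them in remediation order.

    Sort order: KEV-listed before non-KEV, overdue before not-yet-due,
    ransomware-linked before others, then highest CVSS first.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    ranked = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        days_exposed = (today - date.fromisoformat(finding["first_seen"])).days
        record = dict(finding, kev=entry is not None, days_exposed=days_exposed,
                      overdue=False, ransomware=False, long_exposure=False)
        if entry is not None:
            record["overdue"] = today > date.fromisoformat(entry["dueDate"])
            record["ransomware"] = entry.get("knownRansomwareCampaignUse") == "Known"
            # Only KEVs count toward the "exposed longer than 45 days" measure.
            record["long_exposure"] = days_exposed > EXPOSURE_LIMIT_DAYS
        ranked.append(record)
    ranked.sort(key=lambda r: (not r["kev"], not r["overdue"], not r["ransomware"], -r["cvss"]))
    return ranked


def summarize(ranked):
    """Counts a security team would report against the KEV remediation requirement."""
    return {
        "kev_findings": sum(r["kev"] for r in ranked),
        "overdue": sum(r["overdue"] for r in ranked),
        "exposed_over_limit": sum(r["long_exposure"] for r in ranked),
    }


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED_JSON)
    order = prioritise(SCAN_FINDINGS, catalog, today="2024-05-01")
    for r in order:
        print(f'{r["asset"]:8} {r["cve"]:18} cvss={r["cvss"]:<4} kev={r["kev"]!s:5} '
              f'overdue={r["overdue"]!s:5} ransomware={r["ransomware"]!s:5} exposed={r["days_exposed"]}d')
    print(summarize(order))
```

The point the ranking makes visible: the CVSS 6.5 KEV with known ransomware use on vpn-01 lands at the top, and the CVSS 9.1 finding that is not in the catalog lands last, which is exactly the exploitation-based prioritisation the catalog exists to drive.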
Cybersecurity Performance Goals
In October 2022, CISA established the Cybersecurity Performance Goals to translate broad guidance into specific, actionable, and measurable practices. Designed in partnership with the National Institute of Standards and Technology (NIST) and intended to serve as a simplified extract of NIST’s comprehensive Cybersecurity Framework (CSF), the CPGs aim to provide practical benchmarks tailored to critical infrastructure sectors. The initiative acknowledges the resource constraints faced by many organizations, particularly small and medium-sized businesses, many of which form elements of the complex supply chains relied upon by critical infrastructure entities.
- Cross-Sector Guidance: The initial release of CPGs provided a baseline framework applicable across the 16 critical infrastructure sectors, focusing on achievable outcomes.
- Sector-Specific Evolution: In January 2023, the Department of Health and Human Services (HHS) introduced healthcare-specific CPGs, followed by tailored guidance for the Chemical, Energy, and Information Technology sectors, usually in coordination with each sector’s own Sector Risk Management Agency (SRMA). Other sectors are working on their own specific CPGs as well.
- SME Inclusion: Recognizing unique challenges, the CPGs include simplified recommendations for smaller organizations to enhance their cybersecurity without overwhelming their resources.
- Stakeholder Feedback Integration: CISA released updated CPGs in March 2023, incorporating industry insights to refine and expand their applicability.
- Broad Adoption: Through partnerships with industry associations, regulatory bodies, and compliance frameworks, CISA has promoted the CPGs as a critical component of third-party risk assessments and best practices.
Pre-Ransomware Notification Initiative
Ransomware attacks have had devastating repercussions for businesses large and small around the country and the world. In response, CISA launched the PRNI in March 2023 to enable a shift from reactive to proactive defense, partnering with researchers around the globe to provide early warning to organizations to help them disrupt ransomware campaigns in their nascent stages, likely saving them hundreds of millions to billions of dollars in recovery costs.
- Proactive Alerts: PRNI has issued over 3,300 notifications since its inception, with over 2,100 of those issued in 2024 alone.
- Targeted Impact: Hundreds of notifications have been sent to high-risk sectors, including K-12 schools, hospitals, and SLTT entities, helping them avoid encryption and data loss.
- Success Stories: Early alerts prevented ransomware encryption in at least 154 healthcare organizations in 2023, safeguarding critical patient data and saving millions in potential costs.
- Streamlined Process: PRNI’s efficient notification system ensures timely communication, allowing organizations to take swift action.
- Global Outreach: Collaboration with international partners has extended PRNI’s benefits to allied nations, strengthening collective defenses against ransomware.
Broader Impact and the Path Forward
The KEV Catalog, CPGs, and PRNI exemplify CISA’s commitment to fostering collaboration across public and private sectors. These initiatives have helped to reshape cybersecurity by prioritizing proactive defense, measurable outcomes, and resource-efficient solutions. They play a significant role in our nation’s cyber defense and their influence will continue to grow:
- Enhanced Public-Private Partnerships: CISA’s emphasis on shared responsibility has galvanized critical infrastructure stakeholders to take action, and resources like the KEV Catalog, CPGs, and PRNI make engagement easier and improved resilience more accessible.
- Quantifiable Risk Reduction: Tangible results via metrics such as faster patch times for KEVs and disruptions of ransomware campaigns demonstrate the impact of strong cyber resilience and encourage slower adopters to elevate their cybersecurity efforts.
- Global Leadership: By sharing best practices and fostering international cooperation, CISA is developing a robust, active cyber community based on partnership and information sharing, which will elevate everyone’s cyber resilience.
While challenges persist and new threats will always emerge, the successes of the KEV Catalog, CPGs, and PRNI underscore the importance of proactive, collaborative approaches to cybersecurity. Looking ahead, these initiatives can serve as a blueprint for navigating the complex and interconnected digital landscape of the future.