PUBLICATION

Cyber Assessments

CISA conducts risk and vulnerability assessments (RVAs) at federal agencies, private organizations, and state, local, tribal, and territorial governments to identify vulnerabilities that adversaries could potentially exploit to compromise security controls. At the conclusion of our assessment, we provide the customer with the data along with tailored risk analysis and ways they can improve their cybersecurity.

Annually, CISA publishes a report of findings from the RVAs conducted each fiscal year (FY). The report analyzes a sample attack path that a cyber threat actor could take to compromise an organization with weaknesses representative of those observed by CISA. On September 13, 2024, we published the FY23 RVAs Analysis and Infographic.

  • The analysis maps the attack path to MITRE ATT&CK®, a framework meant to help build a global, community-driven knowledge base comprising the known tactics, techniques, and procedures (TTPs) of threat actors. CISA published a Best Practices for MITRE ATT&CK Mapping guide that provides network defenders with clear guidance, examples, and step-by-step instructions to make better use of MITRE ATT&CK as they analyze and report on cybersecurity threats.
  • The analysis also comes with an infographic that breaks out the most successful techniques for each tactic documented for the fiscal year and includes the success rate percentage for each tactic and technique.  

CISA provides these reports and infographics to the cybersecurity community with technical details and recommended mitigations to help organizations of all sizes strengthen their cybersecurity posture. We encourage network administrators and IT professionals to review these resources and apply the recommended defensive strategies to protect against the observed tactics and techniques.  

Note: The presented data in each analysis report should not be considered a rigorous statistical representation of the complex and varied sector entities that exist within the United States. Organizations should consider additional attack vectors and mitigation strategies based on their unique environment.