Compliance Management, Critical Infrastructure Security

Federal network vulnerabilities curbed by CISA KEV catalog

U.S. federal agencies have experienced a significant reduction in known exploited security flaws across their networks since the release of the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog more than two years ago, according to The Record, a news site by cybersecurity firm Recorded Future. While the number of flaws included in the KEV catalog increased between 2022 and 2023, federal agencies saw a 79% reduction in their attack surface from internet-accessible KEVs during the same period, and KEVs were remediated 36 days earlier than non-KEVs, said CISA Executive Assistant Director for Cybersecurity Eric Goldstein during a House of Representatives hearing. "Recognizing that every agency must prioritize their finite cybersecurity resources, we maintain the KEV catalog as the authoritative source of vulnerabilities that have been exploited in the wild, sending a clear message to all organizations to prioritize remediation efforts on the subset of vulnerabilities that are causing immediate harm based on adversary activity," Goldstein added.
