On March 13th, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) put out a press release announcing the Ransomware Vulnerability Warning Pilot (RVWP), a program authorized by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The aim of the pilot is to proactively notify participating organizations when CISA identifies a potentially vulnerable system in their environment, and to give them the steps needed to fix it.
CISA’s Ransomware Vulnerability Warning Pilot program
This release comes shortly after the White House published its National Cybersecurity Strategy, and it reinforces the message that the US Federal Government is serious about stepping up its cybersecurity game. Given how the geopolitical situation has changed over the last few years, and how blurred the lines between state and cybercriminal threats have long been, this increased focus couldn’t come at a better time. To be fair, it could also be said that it is about time. Hopefully, it won’t turn out to be a case of “too little, too late.”
Many US government organizations are already required to comply with CISA guidance on patching, configuration, and deploying compensating controls for known vulnerabilities. Beyond government, quite a few civilian organizations follow CISA’s guidelines as a best practice as well. This pilot program takes it a step further.
A step towards proactive cybersecurity
By proactively alerting participants that there are known vulnerable systems in their environment, CISA hopes to get them ahead of potential attacks. The pilot was first rolled out on January 30th, 2023, and is focused on critical infrastructure. In CISA’s own words: “CISA is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors.”
For the critical infrastructure entities CISA is covering here, CISA already has the tooling in place to identify which of their systems are exposed, which makes it relatively easy to correlate what is there with reported vulnerabilities. That lets CISA reach out with alerts and guidance quickly and effectively. And, hopefully, the pilot will have the desired effect and get these critical systems remediated, or at least mitigated, before they come under attack.
Organizations outside the program will have to rely on other tools to get ahead of emerging threats. Fortunately, existing asset management tools can give them a picture of what systems live in their environment, and the data they hold (installed software and versions, network exposure, asset criticality) is often enough to identify when a published vulnerability applies. In many cases, they will also have vulnerability scanners that confirm specific issues the asset management tools do not capture.
But coordinating that information and, often more challenging, prioritizing it, can be difficult. Prioritization is exactly where the RVWP program will help critical infrastructure, though the pilot is initially focused specifically on ransomware threats rather than on the other malware families in play. For civilian organizations, a risk management tool like Vulcan Cyber can help.
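The correlation and prioritization described above, as an added illustration that is not part of the original post and is not Vulcan Cyber’s product logic or CISA’s RVWP tooling. It joins a constructed asset inventory (installed software, exposure, criticality tier) against a constructed advisory feed by version comparison, merges the result with constructed scanner findings so the same issue reported by both sources is counted once, and ranks everything with ransomware-associated issues weighted up. The weights, product names, hostnames and year-9999 CVE IDs are all placeholders chosen for this example; an asset the scanner reports that the inventory does not know about is kept and scored with a conservative default rather than dropped.

```python
"""Correlate an asset inventory with an advisory feed and scanner findings,
then rank what to fix first, weighting ransomware-exploited issues up.

Added illustration only: not Vulcan Cyber's product logic, not CISA's RVWP
tooling. Every asset, advisory and finding below is constructed; CVE IDs use
year 9999 so they cannot refer to real advisories.
"""

# Conservative assumptions for a host the scanner saw but the inventory lacks.
UNKNOWN_ASSET = {"tier": "high", "internet_facing": True}

# Constructed asset inventory, shaped like an asset-management export.
ASSETS = [
    {"host": "hist-01", "tier": "critical", "internet_facing": True,
     "software": {"acme-vpn": "4.2.1", "acme-hmi": "2.0.0"}},
    {"host": "eng-ws-07", "tier": "standard", "internet_facing": False,
     "software": {"acme-vpn": "4.3.0", "acme-office": "11.1"}},
    {"host": "web-dmz-02", "tier": "high", "internet_facing": True,
     "software": {"acme-web": "8.1.3"}},
]

# Constructed advisory feed: product, first fixed version, CVSS base score and
# whether the issue has been tied to ransomware campaigns (placeholder data).
ADVISORIES = {
    "CVE-9999-0001": {"product": "acme-vpn", "fixed_in": "4.2.3", "cvss": 9.8, "ransomware": True},
    "CVE-9999-0002": {"product": "acme-hmi", "fixed_in": "2.1.0", "cvss": 7.5, "ransomware": False},
    "CVE-9999-0003": {"product": "acme-web", "fixed_in": "8.2.0", "cvss": 8.1, "ransomware": True},
    "CVE-9999-0004": {"product": "acme-office", "fixed_in": "12.0", "cvss": 5.3, "ransomware": False},
}

# Constructed scanner output. One finding duplicates an inventory-derived one,
# and one is on a host the inventory has never heard of.
SCANNER_FINDINGS = [
    {"host": "web-dmz-02", "cve": "CVE-9999-0003"},
    {"host": "hist-01", "cve": "CVE-9999-0001"},
    {"host": "eng-ws-07", "cve": "CVE-9999-0004"},
    {"host": "shadow-09", "cve": "CVE-9999-0001"},
]


def version_key(version: str) -> tuple:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def findings_from_inventory(assets, advisories):
    """Derive findings by matching installed versions against fixed versions."""
    for asset in assets:
        for product, installed in asset["software"].items():
            for cve, adv in advisories.items():
                if adv["product"] == product and version_key(installed) < version_key(adv["fixed_in"]):
                    yield {"host": asset["host"], "cve": cve, "source": "inventory"}


def priority_score(asset, adv) -> float:
    """Illustrative weighting: CVSS base plus bumps for ransomware use,
    internet exposure and asset tier. The bump sizes are arbitrary choices."""
    score = adv["cvss"]
    if adv["ransomware"]:
        score += 3.0
    if asset["internet_facing"]:
        score += 2.0
    score += {"critical": 2.0, "high": 1.0, "standard": 0.0}[asset["tier"]]
    return round(score, 1)


def correlate(assets, advisories, scanner_findings):
    """Merge inventory-derived and scanner findings per (host, CVE), then rank.

    Assumes every CVE the scanner reports is present in the advisory feed.
    """
    by_host = {a["host"]: a for a in assets}
    merged = {}  # (host, cve) -> set of sources that reported it
    all_findings = list(findings_from_inventory(assets, advisories))
    all_findings += [dict(f, source="scanner") for f in scanner_findings]
    for f in all_findings:
        merged.setdefault((f["host"], f["cve"]), set()).add(f["source"])

    ranked = []
    for (host, cve), sources in merged.items():
        asset = by_host.get(host)
        ranked.append({
            "host": host,
            "cve": cve,
            "sources": sorted(sources),
            "asset_known": asset is not None,
            "score": priority_score(asset or UNKNOWN_ASSET, advisories[cve]),
        })
    ranked.sort(key=lambda r: (-r["score"], r["host"], r["cve"]))
    return ranked


if __name__ == "__main__":
    for row in correlate(ASSETS, ADVISORIES, SCANNER_FINDINGS):
        flag = "" if row["asset_known"] else "  <- not in inventory"
        print(f'{row["score"]:5.1f}  {row["host"]:<11} {row["cve"]}  {"+".join(row["sources"])}{flag}')
```

Run as a script it prints the ranked list, with the ransomware-associated issue on the internet-facing critical host first and the unmanaged host flagged so someone goes and finds out what it is. The point of the sample data is that CVSS alone would order things differently: the 7.5 issue on the critical host ends up above nothing ransomware-related, while the 9.8 issue on an unknown host still outranks the 8.1 ransomware issue on a known one, which is the kind of trade-off a real prioritization policy has to make explicit.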
Our take
Similar to what CISA is doing with this program, a risk management platform takes what it knows about a protected environment, correlates it with published vulnerability information, and delivers prioritized recommendations on which vulnerable systems need to be addressed first.
We can hope this pilot succeeds, and possibly extends to cover other families of malware and other organizations that could use the help. For those that won’t be able to take advantage of the program once it moves past the pilot stage, there are vulnerability management tools available, like ours, that can achieve the same end.