CISA Cybersecurity Performance Goals: Vulnerability Management Security Controls
Controls that identify, prioritize, and remediate security vulnerabilities before they can be exploited.
Vulnerability Management
Vulnerability scanning is performed regularly on all systems
You cannot remediate vulnerabilities you do not know about. Regular scanning gives you a current pic...
CISA Known Exploited Vulnerabilities are remediated on priority timelines
The CISA Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities that have confirmed, ac...
Critical and high vulnerabilities are remediated within defined SLAs
Vulnerability management without SLAs is just a list of problems nobody is accountable to fix. SLAs ...
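The two controls above (KEV catalog remediation and severity-based SLAs) are usually enforced together: every scanner finding gets a due date from its severity SLA, and a KEV entry pulls that date forward to CISA's required-action date. The following is an added example, not code from the CISA page or any CISA tooling. It assumes the KEV feed's JSON shape (a top-level "vulnerabilities" array with "cveID" and "dueDate" fields), illustrative SLA values (15 days for critical, 30 for high), and constructed sample data: the CVE IDs, hosts and dates are placeholders, not real catalog entries or findings.

```python
"""
Added example (not from the CISA page): rank scanner findings by combining
severity SLAs with the CISA KEV catalog's due dates.

Assumptions (none come from the page):
- The KEV feed is JSON with a "vulnerabilities" list whose entries carry
  "cveID" and "dueDate" (YYYY-MM-DD).
- SLA_DAYS holds illustrative policy values; set them to your own policy.
- Every CVE ID, host and date below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Illustrative SLA policy: days allowed from first detection to remediation.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed stand-in for the KEV feed (same shape as the published JSON,
# but these CVE IDs are placeholders, not real catalog entries).
KEV_FEED_JSON = """
{
  "title": "constructed sample feed",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2024-06-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dueDate": "2024-07-01", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: one row per (host, CVE) with the scanner's severity.
SCAN_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "severity": "high",     "first_seen": "2024-05-20"},
    {"host": "db-01",  "cve": "CVE-0000-0003", "severity": "critical", "first_seen": "2024-05-25"},
    {"host": "app-02", "cve": "CVE-0000-0002", "severity": "medium",   "first_seen": "2024-06-01"},
    {"host": "app-02", "cve": "CVE-0000-0004", "severity": "low",      "first_seen": "2024-01-15"},
]


@dataclass
class RemediationItem:
    host: str
    cve: str
    severity: str
    in_kev: bool
    due: date
    overdue: bool


def load_kev(feed_json: str) -> dict[str, date]:
    """Map cveID -> CISA-assigned due date from a KEV-format feed."""
    data = json.loads(feed_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in data["vulnerabilities"]}


def prioritize(findings, kev: dict[str, date], today: date) -> list[RemediationItem]:
    """Assign each finding a due date and return the list in remediation order."""
    items = []
    for f in findings:
        first_seen = date.fromisoformat(f["first_seen"])
        sla_due = first_seen + timedelta(days=SLA_DAYS[f["severity"]])
        in_kev = f["cve"] in kev
        # A KEV entry overrides the severity SLA whenever its date is earlier:
        # exploitation is confirmed, so a "medium" CVSS score understates the risk.
        due = min(sla_due, kev[f["cve"]]) if in_kev else sla_due
        items.append(RemediationItem(f["host"], f["cve"], f["severity"], in_kev, due, due < today))
    # Order: overdue first, then KEV entries, then earliest due date, then severity.
    sev_rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    items.sort(key=lambda i: (not i.overdue, not i.in_kev, i.due, sev_rank[i.severity]))
    return items


if __name__ == "__main__":
    plan = prioritize(SCAN_FINDINGS, load_kev(KEV_FEED_JSON), today=date(2024, 6, 15))
    for i in plan:
        flag = "KEV " if i.in_kev else "    "
        status = "OVERDUE" if i.overdue else "due    "
        print(f"{flag}{i.host:8}{i.cve:16}{i.severity:9}{status} {i.due}")
```

Note the "medium" finding on app-02: on severity alone it would have a 90-day window, but because it is in the KEV catalog it is due on the catalog date and outranks the non-KEV "low" finding. In production the feed is fetched from CISA's published URL on each run and the findings come from the scanner's export; the ranking logic stays the same.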
Internet-exposed attack surface is identified and minimized
Every service, port, and domain exposed to the internet is a potential entry point for attackers. Or...
Penetration testing or red team exercises are conducted at least annually
Vulnerability scanners find known CVEs but miss logic flaws, misconfigured access controls, weak aut...