CISA 101 for Enterprises – Why CISA Matters

What is CISA?

CISA stands for the Cybersecurity and Infrastructure Security Agency (CISA) and it leads the United States national effort to understand, manage, and reduce risk to American cyber and physical infrastructure. Its vision is to achieve a secure and resilient critical infrastructure for the American people.

Is CISA just a concern for Government Agencies?

No, CISA plays two key roles:

1. Quarterback for the Federal Cybersecurity Team – CISA protects and defends the American home front – the federal civilian government networks.
2. National Coordinator for Critical Infrastructure and Resilience – CISA also looks at the entire threat picture and works with partners across both government and industry. As threats continue to evolve, no single organization or entity has all the answers for how to address cyber threats. By bringing together insight and capabilities within public AND private sectors, a collective defense is built against the threats the nation faces. Enterprises can benefit from this collective insight.

How Exactly Does the Enterprise Benefit from the Collective Insight that CISA has built?

The answer is to be found in the CISA list. CISA has built a list called the Known Exploited Vulnerabilities Catalog. It is based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to federal agencies and private enterprises.

Are Enterprises legally required to remediate identified vulnerabilities on the CISA list?

Binding Operational Directive (BOD) 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.

Can and Should the Enterprise Share Cyber Event Information?

Yes and Yes. Cybersecurity information sharing is essential to collective defense and strengthening cybersecurity for the Nation. When cyber incidents are reported quickly, CISA can use this information to render assistance and provide a warning to prevent other organizations and entities from falling victim to a similar attack. This information is also critical to identifying trends that can help efforts to protect the homeland. Stakeholders can learn how to share cyber event information here – Sharing Cyber Event Information Fact Sheet.

Is the CISA List Kept up to date?

This catalog is actively kept up to date – here is an example of a recent update from the CISA website:

How can I keep up to date on the list?

Enterprises can subscribe to the update bulletin here – Subscribe to the Known Exploited Vulnerabilities Catalog Update Bulletin.

Is there an efficient way for my Enterprise Vulnerability Management (VM) Program to quickly identify if any of our detected vulnerabilities match the current CISA list?

Edgescan currently offers a new threat Intelligence & risk-based prioritization feature. It enables a new view for Enterprises to cross-reference their vulnerabilities with the CISA exploit list.

To learn more how to refine your remediation efforts with the CISA exploit list, go to