Report by CISA
Cybersecurity Performance Goals Adoption Report
Key Findings
Most security.txt files were hosted on port 443 (46%), while 18% were on unencrypted ports such as 80, and another 18% were on ports such as 8080 that are not secure by default but can be manually configured to support the necessary encryption.
Over 7,400 Common Vulnerabilities and Exposures (CVEs) were detected, as of September 2024, on internet-exposed cloud systems that hosted security.txt files and were running insecure software versions.
Average remediation time for critical-severity KEVs improved by 50%, reducing from 60 days to 30 days.
SSL vulnerability remediation times improved significantly, dropping from 200 days in August 2022 to under 50 days in 2024.
Top publicly exposed OT/ICS protocols observed in 2024 included Open Platform Communications Unified Architecture (OPC UA) – 43%, Distributed Network Protocol (DNP) – 22%, Niagara-Fox – 21%, Ethernet/IP – 10%, Modbus – 4%.
Organizations enrolled in CISA’s Vulnerability Scanning service saw a steady decline in KEVs on their networks.
Five sectors with the highest occurrences of exposed OT protocols were: Government Facilities – 63%, Information Technology – 10%, Energy – 10%, Healthcare and Public Health – 5%, Financial Services – 4%.
Only 2% of organizations implemented DMARC, SPF, and STARTTLS together for their email security.
The five most commonly exploited services in critical infrastructure sectors were File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), Remote Procedure Call (RPC), Server Message Block (SMB), and Internet Relay Chat (IRC).
79% of private sector organizations reduced exploitable services, while SLTT (State, Local, Tribal, and Territorial) entities experienced a 95% increase in exploitable services over the analysis period.
Cisco-related vulnerabilities accounted for 9.8% of all observed KEVs.
Cyber Hygiene (CyHy) service enrollment increased by 201% from August 2022 to August 2024. The highest enrollment increases were observed in the following sectors: communications (300% increase), emergency services (268% increase), critical manufacturing (243% increase), and water and wastewater systems (242% increase).
45% of all vulnerabilities detected were SSL misconfigurations, but this percentage dropped to 33.5% by mid-2024.
1% of organizations had no email security controls.
SSL remediation time decreased from 197 days in August 2022 to just 12 days in August 2024.
Cloud service providers began offering automated security.txt file generation to improve adoption.
The number of exploitable services per organization decreased from 12 in August 2022 to 8 in August 2024.
SMB vulnerabilities declined by 72%, while RPC accounted for 92% of all exploitable service tickets.
International entities experienced a 65% decrease in exploitable service instances.
Government Services and Facilities had the highest OT protocol exposure, at 63%.
83% of organizations remediated all identified exploitable services, reducing their cyber risk.
High-severity KEVs saw a 25% reduction in remediation time.
Government Services and Facilities had the highest exposure to publicly accessible OT (Operational Technology) protocols, with 63% exposure.
58% of KEVs were linked to open-source software vulnerabilities, particularly PHP and Apache.
The CISA Known Exploited Vulnerabilities (KEV) Catalog recorded 1,199 KEVs as of August 31, 2024.
Outdated SSL and TLS encryption misconfigurations declined, with the average misconfiguration ratio per enrollee dropping from 3.8 to 2.5.
Email security adoption showed strong progress, with 89% of organizations implementing DMARC (Domain-based Message Authentication, Reporting & Conformance).
Email security adoption showed strong progress, with 7% of organizations implementing both DMARC and SPF (Sender Policy Framework).
Federal organizations saw a 60% decline in exploitable service instances.