The U.S. Department of Homeland Security Cybersecurity and Information Security Agency (CISA) released its Analysis of FY20 Risk and Vulnerability Assessments along with an infographic mapping from 37 of its Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year 2020 to the MITRE ATT&CK® Framework. The report identifies routinely successful attack paths CISA observed during RVAs conducted across multiple sectors. CISA encourages network administrators and IT professionals to review and apply the recommended defensive strategies to protect against the observed tactics and techniques. Access the FY20 RVA report and infographic at CISA.

During an RVA, CISA collects data through onsite assessments and combines it with national threat and vulnerability information in order to provide an organization with actionable remediation recommendations prioritized by risk. This assessment is designed to identify vulnerabilities that adversaries could potentially exploit to compromise network security controls. After completing the RVA, the organization will receive a final report that includes business executive recommendations, specific findings and potential mitigations, as well as technical attack path details. An RVA is just one of the many services offered by CISA to its critical infrastructure partners. WaterISAC encourages members to consider these services to identify potential system vulnerabilities and generally improve the cybersecurity postures of their organizations. Read more about these services at CISA’s Cyber Resource Hub.