CISA Launches RVWP, a New Ransomware Warning Pilot Program Designed for Critical Infrastructure Entities

The News: The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently unveiled the Ransomware Vulnerability Warning Pilot (RVWP) program designed to help critical infrastructure entities protect their information systems from ransomware attacks. The RVWP program intends to alert agencies of attack surface vulnerabilities that could be used by ransomware threat actors so security teams are able to mitigate bugs as soon as possible. See more from CISA here.

Analyst Take: The move by CISA to launch RVWP, a new ransomware warning pilot program for critical infrastructure entities, is news many organizations should be excited about.

According to Comparitech, ransomware attacks on U.S. government organizations cost over $70 billion from 2018 to October 2022. Between 2018 and October 2022, 330 individual ransomware attacks were carried out against U.S. government organizations, potentially impacting more than 230 million people and costing an estimated $70 billion in downtime alone. Threatpost research found unpatched vulnerabilities spurred 82% of cyberattacks during the first half of 2022 and, sadly, these attacks were largely preventable. These targeted exploits, however, are attractive to cybercriminals, and critical infrastructure remains a prevalent target.

This is why CISA's announcement of the RVWP program launch is great news in the fight against ransomware attacks. CISA’s RVWP program is designed to help critical infrastructure entities protect their information systems from ransomware attacks. This is key, as many organizations are not even aware that a vulnerability used by ransomware threat actors is present on their network, which is where the value prop of the RVWP lies. CISA’s RVWP program intends to alert agencies of attack surface vulnerabilities that could potentially be used by ransomware criminals, so security teams are able to mitigate bugs as soon as possible.

CISA’s RVWP program should provide a much-needed assist to organizations like hospitals, school districts, utilities, and government entities, to name just a few, which are often challenged by a lack of adequate resources and/or skilled tech talent to help with risk mitigation, even mitigation as fundamental as identifying unpatched systems and endpoint vulnerabilities.

The healthcare industry is particularly vulnerable, with a heavy reliance on medical devices that are built on legacy systems or operating on products in end-of-life stages, leading to complex device security patch management challenges. School districts and government entities at the local level are likewise challenged by legacy operating systems and a lack of IT knowledge to help navigate what are increasingly complex times as instances of ransomware rapidly increase. The good news — for the healthcare sector anyway — is that the FDA, which establishes medical device security requirements for manufacturers, now requires manufacturers to make sure new devices are designed with security in mind, also known as security by design principles.

CISA’s RVWP program was created in response to the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, a 2022 law that required CISA to “develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments” to the agency.

How Will it Work?

Through CISA’s RVWP program, the organization will leverage its existing services, data sources, technologies, and authorities to proactively identify systems that contain security vulnerabilities most commonly associated with ransomware attacks.

This includes CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002. Once CISA identifies affected systems, CISA regional cybersecurity personnel will notify system owners of their security vulnerabilities, enabling timely mitigation before damaging intrusions occur. Regional personnel may also provide both assistance and resources to mitigate the vulnerability.

According to CISA, notifications will provide critical information about systems identified as vulnerable, including the device model and manufacturer, IP address being used, how the vulnerability was detected, along with advice and guidance on mitigating the vulnerability. This is exciting news and a move I believe should provide a significant assist to organizations battling vulnerabilities as a whole and working to mitigate risk.

Sounds great, but will it work? As to be expected, CISA has been very involved in testing the RVWP program, kicking it off by notifying 93 organizations identified as running instances of Microsoft Exchange Service with a vulnerability called “ProxyNotShell,” which has been widely exploited by ransomware actors. This initial round of notifications demonstrated the effectiveness of this model in enabling timely risk reduction as CISA further scales the RVWP program to additional vulnerabilities and organizations.

Want to learn more about this pilot program and perhaps get your company involved in CISA’s RVWP program? Interested organizations can email to explore getting involved.

Wrapping up, ransomware cost an estimated $70 billion in downtime alone in 330 individual ransomware attacks carried out against U.S. government organizations between 2018 and October 2022, potentially impacting more than 230 million people. The launch of CISA’s RVWP program, designed to proactively warn critical infrastructure entities of unpatched vulnerabilities leaving them at risk of a ransomware attack, is a big step forward by the federal government, providing not only a significant assist, but also some much-needed good news in the fight against ransomware.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.


Author Information

Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”

