Each year, the Cybersecurity and Infrastructure Security Agency (CISA) conducts Risk and Vulnerability Assessments (RVAs) of Federal Civilian Executive Branch (FCEB), Critical Infrastructure (CI), and State, Local, Tribal, and Territorial (SLTT) stakeholders. An RVA assesses an organization's overall effectiveness in identifying and addressing network vulnerabilities. In Fiscal Year 2020 (FY20), CISA conducted 37 RVA assessments of multiple stakeholders across the various sectors and aligned the results to the MITRE ATT&CK® framework. The goal of the RVA analysis is to develop effective strategies that positively impact the security posture of FCEB, SLTT, and CI stakeholders.

During an RVA, CISA collects data through onsite assessments and combines it with national threat and vulnerability information to provide an organization with actionable remediation recommendations prioritized by risk. CISA designed RVAs to identify vulnerabilities that adversaries could exploit to compromise network security controls. An RVA may incorporate the following methodologies:

• Scenario-based network penetration testing
• Web application testing
• Social engineering testing
• Wireless testing
• Configuration reviews of servers and databases
• Detection and response capability evaluation

After completing the RVA, CISA provides the organization a final report that includes business executive recommendations, specific findings, potential mitigations, and technical attack path details.

CISA’s RVA teams leverage the MITRE ATT&CK framework, which is a “globally accessible knowledge base of adversary tactics and techniques based on real-world observations.”1 The framework aims to build a community-driven knowledge base—comprising known tactics, techniques, and procedures (TTPs) of threat actors—to help develop threat models and facilitate vulnerability mitigation efforts. The framework includes 14 distinct attack paths that cyber adversaries use to obtain and maintain unauthorized access to a network/system.