The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors.
On Monday, March 13, CISA announced the creation of the Ransomware Vulnerability Warning Pilot (RVWP). CISA was required to establish the RVWP as part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which President Biden signed into law in March 2022.
Here are some of the FAQs from the CISA news page explaining the RVWP:
What is CIRCIA?
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is federal legislation that puts in place requirements for critical infrastructure entities to report cyber incidents and ransom payments to CISA.
Why is CISA sending me a notification?
CISA routinely identifies security risks facing U.S. organizations, including information from government or industry partners. CISA additionally leverages commercial tools to identify organizations that may be at heightened cybersecurity risk. As required by CIRCIA, CISA proactively identifies information systems that contain security vulnerabilities commonly associated with ransomware attacks. After discovery, CISA notifies owners of the vulnerable systems.
Who will notify me if I have a vulnerability?
CISA Regional staff members, located throughout the country, make notifications and may provide assistance and resources to mitigate the vulnerability.
What can I expect in the notification?
Notifications will contain key information regarding the vulnerable system, such as the manufacturer and model of the device, the IP address in use, how CISA detected the vulnerability, and guidance on how the vulnerability should be mitigated.
How should I expect to receive a notification?
CISA regional staff members will make notifications by phone call or email.
How do I verify it is CISA notifying me?
If you receive a notification, you can verify the identity of the CISA personnel through CISA Central: central@cisa.gov or or 888-282-0870.
If I received a notification, does that mean I was compromised?
Receiving a notification through CISA RVWP is not indicative of a compromise. However, it does indicate you are at risk and the information system requires immediate remediation.
Am I required to comply with CISA's recommended actions?
No. Receiving a notification does not require you to comply with or deploy any of CISA’s recommendations.
How did CISA determine I was vulnerable?
CISA leverages multiple open-source and internal tools to research and detect vulnerabilities within U.S. critical infrastructure.
Can I receive other CISA services?
Absolutely! CISA offers multiple no-cost resources and tools. As a starting point, organizations should sign up for CISA's Cyber Hygiene Vulnerability Scanning, undertake a self-assessment to determine progress in implementing the Cybersecurity Performance Goals, and build a relationship with a regional CISA cybersecurity advisor to participate in additional applicable services or capabilities.
Here's a handy PDF version of the RVWP announcement.
To reiterate, CISA's goal of the Ransomware Vulnerability Warning Pilot is to:
- Proactively identifies information systems—belonging to critical infrastructure entities—that contain vulnerabilities commonly associated with ransomware intrusions.
- Notifies the owners of the affected information systems, which enables the owners to mitigate the vulnerabilities before damaging intrusions occur.
