Cyber Hygiene Services

Cybersecurity and Infrastructure Security Agency

Reduce the Risk of a Successful Cyberattack

What are CISA's Cyber Hygiene Services?

This free subscription allows Licensees to carry out a self-assessment of their IT assets and receive mitigation recommendations from CISA. The recurring scans include:

  1. Vulnerability Scanning: This service continuously monitors and assesses internet-accessible network assets (public, static IPv4 addresses) to evaluate their host and vulnerability status. In addition to weekly reports of all findings, you’ll receive ad-hoc alerts about urgent findings, like potentially risky services and known exploited vulnerabilities.
  2. Web Application Scanning: This service deep-dives into publicly accessible web applications to uncover vulnerabilities and misconfigurations that attackers could exploit. This comprehensive evaluation includes, but is not limited to, the vulnerabilities listed in the OWASP Top Ten, which represent the most critical web application security risks. This service provides detailed reports monthly, as well as on-demand reports to help keep your web applications secure.

What are the objectives of CISA's Cyber Hygiene Services?
  • Significantly Reduce Risk. Organizations typically reduce their risk and exposure by 40% within the first 12 months. Most see improvements in the first 90 days.
  • Avoid Surprises. Because the services look for assets exposed to the internet, they identify vulnerabilities that could otherwise go unmanaged.
  • Sharpen Your Response. By combining the vulnerability insights gained with existing threat detection and risk management efforts, enrolled organizations can increase the accuracy and effectiveness of response activities. This means fewer false alarms and less chance of real dangers slipping through the net.
  • Broaden Your Security Horizon. CISA’s scanning is about more than pinpointing vulnerabilities; it’s about expanding your organization’s security boundaries. From basic asset awareness to daily alerts on urgent findings, you’ll be in a better place to make risk-informed decisions.

Who performs these scans and who can receive the information?

Cyber Hygiene services are provided by CISA’s highly trained information security experts equipped with top-of-the-line tools. CISA's mission is to measurably reduce cybersecurity risks to the nation by providing services to government and critical infrastructure stakeholders.

U.S.-based federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations, are welcome to enroll, free of charge. The report is sent only to the contact registered for your organization, once the Service Request Form (SRF) and the legal documentation required by CISA have been submitted.

Will CISA send the vulnerability scans directly to the Office of the Insurance Commissioner (OCS)?

No. This service is available for Licensees who choose CISA as a provider of vulnerability assessments and mitigation recommendations, free of charge.

Each Licensee shall report to the OCS the results of its vulnerability scans twice a year, regardless of the service provider they choose. Licensees who are enrolled in CISA's Cyber Hygiene Services can easily find the information required to prepare their reports on page 6, titled Cyber Hygiene Report Card.

Cyber Hygiene Services report compared with the OCS vulnerability report
How to complete the OCS vulnerability report using the data from the Cyber Hygiene Report Card (page 6 of the Cyber Hygiene Services PDF)

How often are scans performed?

Once you have been enrolled in the Cyber Hygiene Services, CISA will send you your first scan by email the Monday after the first analysis.

The analysis is carried out continuously between each weekly report. Any device that is detected with at least one open port or service is considered a host. The prioritization schedule of the Cyber Hygiene Services is as follows:

· Addresses without active services detected (dark space) are re-analyzed after at least 90 days.
· Hosts without detected vulnerabilities are re-analyzed every 7 days.
· Hosts with low-risk vulnerabilities are re-analyzed every 6 days.
· Hosts with medium-risk vulnerabilities are re-analyzed every 4 days.
· Hosts with high-risk vulnerabilities are re-analyzed every 24 hours.
· Hosts with critical risk vulnerabilities are re-analyzed every 12 hours.

It is important to consider that a single host can have multiple vulnerabilities of different severity, which affects the frequency with which a host is scanned.
