The truth about KEV: CISA’s vuln deadlines good influence on private-sector patching

More work to do as most deadlines are missed and worst bugs still take months to fix

The deadlines associated with CISA's Known Exploited Vulnerabilities (KEV) catalog only apply to federal agencies, but fresh research shows they're having a positive impact on private organizations too.

KEVs are remediated by organizations on average in under 175 days compared to 621 days for vulnerabilities that aren't in the catalog, a survey [PDF] of 1.4 million orgs by Bitsight shows.

While this is certainly a much longer lead time than federal agencies are afforded – typically just 21 days – it shows the KEV list is having a positive effect in the private sector as well as the highest levels of government.

By CISA's own admission, even its own agencies aren't averse to missing a deadline here and there. It revealed back in December that an unnamed federal civilian executive branch (FCEB) missed a KEV deadline by more than three months and got pwned via a critical Adobe ColdFusion vulnerability.

That said, FCEBs are still much better than organizations at patching on time – they're 56 percent more likely to meet a CISA-imposed deadline than a private sector organization, according to Bitsight. 

In all, deadlines are missed 60 percent of the time, but technology companies were shown to be the fastest radiators of vulnerabilities with an average of 93 days. It makes sense, though, given that they're also the most exposed to KEVs and have a reputation to maintain in the tech community especially.

When CISA adds a bug to its KEV list, it always includes details about whether it has been used by ransomware attackers. That might be an outright confirmation or an "unknown," but the data suggests that the information lights a fire up the backsides of organizations that closely follow the catalog.

KEVs associated with ransomware activity are patched two and a half times faster than KEVs that aren't, which again makes sense given the potential financial cost of an attack.

It also appears to have the most influence on the patch times, more so than CVSS severity ratings. For example, critical KEVs – the most severe, damaging, and exploitable bugs – are fixed on average after nearly four and a half months (137 days).

High-severity vulnerabilities are fixed in 238 days on average, roughly double the time, and medium-severity bugs are largely overlooked – patched on average nearly one and a half years after disclosure.

"CISA's KEV catalog is a critical tool for any organization, and we've seen a positive impact on global vulnerability remediation rates – but most organizations are still too slow to mitigate," said Derek Vadala, chief risk officer at Bitsight. 

"Even critical severity vulnerabilities take four and a half months to remediate on average. The situation creates significant risk and speaks to the need for business leaders on the board and in the C-suite to recognize these vulnerabilities as the serious threats they are and demand a security posture that prioritizes deep insight and swift action. From there, organizations have an opportunity to grow."

Bitsight recommended organizations to impose their own strict deadlines on patching vulnerabilities that vary depending on the severity. They don't necessarily need to be as tight as CISA's in every case, but a suggested range would be seven days for critical bugs and KEVs, sliding up to 180 days for the low-severity issues.

Zero-days require their own emergency plans too. These should include clear protocols on how security teams can work to apply patches as an absolute priority, but also include provisions for when vendor patches aren't available.

All of these should have executive-level support and give security teams the authority to take action to secure the organization from vulnerabilities, especially those actively under attack. ®

More about


Send us news

Other stories you might like