In a new report released, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted a striking 201% increase in Cyber Hygiene (CyHy) service enrollment from critical infrastructure organizations over a two-year span. Between August 2022 and August 2024, the number of entities leveraging this vulnerability scanning service rose from 3,874 to 7,791, underscoring the growing urgency to fortify the nation’s most vital systems against a backdrop of escalating cyber threats.
The Leaders of the Pack
The report identifies the sectors leading this enrollment surge: Communications (300%), Emergency Services (268%), Critical Manufacturing (243%), and Water and Wastewater Systems (242%). These industries are rallying to close gaps in their cybersecurity frameworks, a testament to the success of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
“CISA’s free scanning service provides a critical layer of defense,” says Lawrence Pingree, Vice President at Dispersive.io. “It’s no surprise enterprises are leveraging this, but organizations must remember it’s only one piece of the puzzle. Preemptive cyber defense and adaptive strategies are the future. Attackers evolve; so must we.”
Tangible Results in a Shifting Landscape
The CyHy program has yielded notable progress. The number of exploitable services monitored per participant fell from 12 to eight during the analysis period, while critical vulnerabilities—like those related to Secure Sockets Layer (SSL)—are now being patched in under 50 days, down from 200 days just two years ago.
This improvement coincides with a sharp drop in critical-severity vulnerabilities, which saw a 50% decline, and high-severity vulnerabilities, which fell by 25%. Yet, the report warns against complacency. Operational technology (OT) protocols remain heavily exposed, particularly within government services, where public internet connections account for 63% of OT protocol exposure.
The Persistent Threat of Exploitable Services
Efforts to minimize exploitable services on the internet show a mixed picture. While private entities demonstrated a 79% reduction, state and local organizations experienced a 95% spike over the same period. Despite these challenges, progress is evident. CISA estimates 83% of initially flagged exploitable services across CyHy participants have been successfully remediated.
However, the remaining attack surface remains a significant concern. Protocols like Remote Procedure Call (RPC) dominate the exploitable service landscape, accounting for a staggering 92% of all tickets. Misconfigured SMB and FTP services round out the list of common vulnerabilities.
The Bigger Picture
CISA’s report makes it clear: progress is possible when organizations commit to proactive measures. While the CyHy program represents a vital step forward, cybersecurity experts like Pingree caution against over-reliance on any single solution. “Attackers pivot—whether through malware, phishing, or third-party vulnerabilities. A preemptive approach, such as automated moving target defense, is crucial to staying ahead.”
As cyber threats continue to evolve, the question isn’t whether organizations will invest in their digital defenses but how rapidly they can adapt to outpace their adversaries.