Do you actively monitor the CISA KEV (Known Exploited Vulnerabilities) catalogue for relevance to your estate?
Demonstrate that the organization has implemented a repeatable process to review CISA KEV updates, identify applicable vulnerabilities within the technology inventory, and escalate findings through the vulnerability management workflow.
Description
What this control does
This control ensures the organization maintains a systematic process to monitor the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue and correlate new entries against the technology estate to identify applicable threats. The KEV catalogue lists vulnerabilities with confirmed exploitation in the wild; under Binding Operational Directive 22-01, CISA requires Federal Civilian Executive Branch agencies to remediate each entry by its published due date, and the catalogue is published as JSON and CSV feeds that any organization can consume. A vendor/product match between a KEV entry and the asset inventory identifies a candidate for assessment rather than a confirmed exposure, because KEV entries do not carry affected-version data; applicability is confirmed against the vendor advisory or scanner results. Organizations that monitor KEV can prioritize patching based on observed attacker activity rather than CVSS scores alone, closing the exposures with confirmed exploitation paths first.
Control objective
What auditing this proves
Demonstrate that the organization has implemented a repeatable process to review CISA KEV updates, identify applicable vulnerabilities within the technology inventory, and escalate findings through the vulnerability management workflow.
Associated risks
Risks this control addresses
- Attackers exploit known vulnerabilities present in the KEV catalogue for which patches exist but remain unapplied due to lack of awareness
- Actively exploited vulnerabilities are not prioritized because vulnerability scanning alone ranks findings by severity score and does not flag KEV-listed entries
- Incident response teams lack situational awareness of which production systems contain vulnerabilities currently under active exploitation campaigns
- Regulatory or contractual obligations requiring KEV monitoring (e.g., FedRAMP, critical infrastructure mandates) result in non-compliance findings
- Patch prioritization decisions rely solely on vendor severity ratings rather than confirmed real-world exploitation intelligence
- Security operations miss early warning indicators that adversaries are targeting specific vulnerability classes present in the environment
- Delays in correlating KEV entries against asset inventories allow exploitation windows to remain open for weeks or months after CISA publication
Testing procedure
How an auditor verifies this control
- Obtain the written vulnerability management policy or procedure document and verify it explicitly references monitoring the CISA KEV catalogue as a threat intelligence input
- Request evidence of KEV monitoring frequency (automated feed polling, manual reviews, or scheduled tasks) and confirm reviews occur at least weekly or are triggered by each catalogue update, since CISA adds entries frequently, often several times in a week
- Review the most recent three months of KEV review records, logs, or tickets demonstrating the organization checked for new entries and documented findings
- Select a sample of five KEV entries added within the past 90 days and trace each through the correlation process to determine if the organization assessed applicability to its asset inventory
- For KEV entries identified as applicable to the estate, examine remediation tracking records (vulnerability scan results, patch deployment logs, or exception approvals) to verify timely response
- Interview vulnerability management or security operations personnel to confirm understanding of KEV sources, correlation methodology, and escalation paths for positive matches
- Verify integration points between KEV monitoring and existing vulnerability management tools (scanners, CMDB, ticketing systems) to confirm automated or semi-automated correlation where feasible, including that vendor and product names are normalized consistently between the feed and the inventory so matches are not missed on case or spacing differences
- Review evidence that KEV findings escalate with higher priority than non-KEV vulnerabilities in the remediation queue and track mean-time-to-remediation for KEV versus standard vulnerabilities
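The correlation step that the control description and the testing procedure describe, as an added worked example (not part of the original control text): a Python script that parses the KEV JSON feed, lists entries added since the last review, matches entries against an asset inventory on normalized vendor and product names, and ranks the matches by overdue status, ransomware campaign use, exposure and due date. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`, `catalogVersion`, `count`) are those of the public KEV feed; the KEV records, the CVE identifiers (given a 2099 year so they cannot be mistaken for real entries) and the inventory are constructed sample data so the script runs offline, and the `exposure` attribute is an assumed inventory field.

```python
"""Correlate CISA KEV entries against an asset inventory (added example, offline)."""
import json
from datetime import date, timedelta

# Constructed sample in the shape of the KEV JSON feed; the real feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# CVE IDs use a 2099 year so they cannot collide with real catalogue entries.
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2024.06.03",
  "dateReleased": "2024-06-03T14:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "Acme", "product": "EdgeGateway",
     "vulnerabilityName": "Acme EdgeGateway Authentication Bypass",
     "dateAdded": "2024-05-15", "shortDescription": "Constructed sample entry.",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2024-06-05", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2099-0002", "vendorProject": "Acme", "product": "Directory Server",
     "vulnerabilityName": "Acme Directory Server Deserialization",
     "dateAdded": "2024-06-01", "shortDescription": "Constructed sample entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-06-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2099-0003", "vendorProject": "Globex", "product": "Mailer",
     "vulnerabilityName": "Globex Mailer Command Injection",
     "dateAdded": "2024-02-01", "shortDescription": "Constructed sample entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# Constructed asset inventory (what a CMDB export might look like). "exposure" is an
# assumed field. KEV entries carry no version data, so a vendor/product match means
# "assess this asset", not "confirmed vulnerable".
INVENTORY = [
    {"asset": "vpn-gw-01", "vendor": "ACME", "product": "EdgeGateway", "version": "4.2.1", "exposure": "internet"},
    {"asset": "ldap-01", "vendor": "Acme", "product": "directory server", "version": "11.0", "exposure": "internal"},
    {"asset": "build-07", "vendor": "Initech", "product": "CI Runner", "version": "2.9", "exposure": "internal"},
]


def normalize(s):
    """Case- and whitespace-insensitive key so 'ACME' and 'Acme' correlate."""
    return " ".join(s.casefold().split())


def load_feed(text):
    """Parse the feed and refuse a truncated download, which would silently shrink the catalogue."""
    feed = json.loads(text)
    if feed["count"] != len(feed["vulnerabilities"]):
        raise ValueError("KEV feed count does not match number of entries")
    return feed


def new_entries(feed, reviewed_ids):
    """Entries not seen at the last review: the 'what changed' list for the review record."""
    return [v for v in feed["vulnerabilities"] if v["cveID"] not in reviewed_ids]


def correlate(feed, inventory, as_of_iso, lookback_days=None):
    """Match KEV entries to inventory assets and rank them for the remediation queue."""
    as_of = date.fromisoformat(as_of_iso)
    index = {}
    for a in inventory:
        index.setdefault((normalize(a["vendor"]), normalize(a["product"])), []).append(a)
    findings = []
    for v in feed["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        if lookback_days is not None and added < as_of - timedelta(days=lookback_days):
            continue  # older than the review window; already handled by earlier reviews
        due = date.fromisoformat(v["dueDate"])
        for a in index.get((normalize(v["vendorProject"]), normalize(v["product"])), []):
            findings.append({
                "cveID": v["cveID"], "asset": a["asset"], "version": a["version"],
                "dateAdded": v["dateAdded"], "dueDate": v["dueDate"],
                "days_to_due": (due - as_of).days, "overdue": as_of > due,
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
                "exposure": a["exposure"], "status": "assess",
            })
    # Highest priority first: overdue, then ransomware-linked, then internet-exposed, then soonest due.
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"],
                                 f["exposure"] != "internet", f["days_to_due"]))
    return findings


if __name__ == "__main__":
    feed = load_feed(KEV_FEED_JSON)
    print("catalogue version reviewed:", feed["catalogVersion"])
    for v in new_entries(feed, {"CVE-2099-0001", "CVE-2099-0003"}):
        print("new since last review:", v["cveID"], v["vulnerabilityName"])
    for f in correlate(feed, INVENTORY, "2024-06-10", lookback_days=90):
        print(f)
```

In production the feed is fetched from the CISA URL above, `INVENTORY` is replaced by the CMDB export, and the `catalogVersion` reviewed and the resulting findings are written to the ticketing system so that the review records the auditor asks for exist. Every finding here is a candidate for assessment; the version field is carried through so the analyst can close it against the vendor advisory or confirm it with a scan.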