Risk and Vulnerability Assessments

CISA analyzes the findings from the Risk and Vulnerability Assessments (RVAs) we conduct each fiscal year (FY) and maps them to the MITRE ATT&CK® framework. These analyses include:

  • Reports by fiscal year (starting with FY20) that provide an analysis of a sample attack path a cyber threat actor could take to compromise an organization with weaknesses that are representative of those CISA observed in the fiscal year's RVAs. The analysis maps the attack path to the ATT&CK framework.
  • Infographics of RVAs mapped to the ATT&CK framework for each fiscal year, starting with FY19. The infographic breaks out the most successful techniques for each tactic documented for the fiscal year and includes the success rate percentage for each tactic and technique. 

CISA encourages network administrators and IT professionals to review the analyses and infographics and apply the recommended defensive strategies to protect against the observed tactics and techniques.

Note: due to the limited sample size, the presented data should not be considered a rigorous statistical representation of the complex and varied sector entities that exist within the United States. Organizations should consider additional attack vectors and mitigation strategies based on their unique environment. 


To schedule a Risk and Vulnerability Assessment, contact