CISA Known Exploit Vulnerability (KEV) Integration

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of CISA Known Exploit Vulnerability (KEV) Integration

    The CISA Known Exploit Vulnerability (KEV) Integration for ServiceNow Vulnerability Response helps customers prioritize and remediate actively exploited vulnerabilities by ingesting data from the U.S. Cybersecurity & Infrastructure Security Agency (CISA). This integration enriches your existing vulnerability data with authoritative information about known exploited vulnerabilities, enabling more effective vulnerability management and faster response to critical threats.

    Show full answer Show less

    Key Features

    • Automated Data Ingestion: The integration automatically imports CISA’s KEV catalog data daily via a scheduled job, ensuring your vulnerability data stays current with the latest known exploited vulnerabilities.
    • Enriched Vulnerability Data: Retrieved data includes CVE ID, due date, date added, vendor/project, product, and a flag identifying vulnerabilities known to be used in ransomware campaigns. This information is incorporated into the Third-Party Vulnerability Entries table and rolled up to vulnerable items for streamlined tracking.
    • Flag for Ransomware Campaigns: Starting with Vulnerability Response version 21.0, vulnerabilities flagged as “Known To Be Used in Ransomware Campaigns” are clearly identified to prioritize remediation efforts against high-risk threats.
    • Run-As User Configuration: The integration runs under a default system user (VR.System), which should not be changed to maintain secure and stable operations.
    • Integration Visibility: Customers can view and manage the integration via the ServiceNow interface under Vulnerability Response > Administration > Integrations > CISA Known Exploit Vulnerability Integration.

    Benefits for ServiceNow Customers

    • Prioritized Vulnerability Remediation: By leveraging CISA’s curated list of actively exploited vulnerabilities, customers can focus remediation efforts on the most urgent and impactful risks.
    • Data Synchronization: The scheduled job feature ensures your vulnerability data is consistently updated without manual intervention, reducing administrative overhead.
    • Improved Risk Awareness: Identification of vulnerabilities linked to ransomware campaigns enables security teams to respond promptly to critical threats affecting government and corporate environments.
    • Seamless Integration: The solution integrates natively with Vulnerability Response, enhancing your existing workflows and vulnerability records without requiring additional configuration.

    Practical Use

    ServiceNow customers using Vulnerability Response can activate and monitor the CISA KEV integration to automatically receive the latest threat intelligence from CISA. The integration supports compliance and security goals by highlighting vulnerabilities with known exploits and ransomware association, helping customers meet urgent remediation deadlines and reduce risk exposure effectively.

    The Vulnerability Response integration with the CISA Known Exploited Vulnerabilities (KEVs) catalog ingests data to help you effectively prioritize and remediate these vulnerabilities.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    CISA enables urgent and prioritized remediation of actively exploited vulnerabilities for government agencies and corporations.

    About CISA

    Cybersecurity & Infrastructure Security Agency (CISA) is a U.S. Cybersecurity & Infrastructure Security Agency that publishes a report on the most exploited vulnerabilities. It easily integrates with Vulnerability Response to map Common Vulnerabilities and Exposures (CVE) vulnerabilities enriching the data in your instance. This information is then rolled up to the Third-Party Vulnerability Entries table. The earliest due date is considered for the roll-up to the vulnerable items.
    Note:
    The CISA Exists check box for CVEs retrieved by CISA.
    Values retrieved from the CISA integration:
    • CVE ID
    • Due date
    • Date added
    • Vendor/Project
    • Product
    • Known ransomware (starting from v21.0 of Vulnerability Response, a new field Known To Be Used in Ransomware Campaigns is ingested from the CISA Known Exploited Vulnerabilities (KEVs) catalog. It’s indicated by the flagging of the Known ransomware field on the National Vulnerability Entry database table. The flag is set at the Common Vulnerabilities and Exposures (CVE) level and rolled up to the third-party entry (TPE).

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Scheduled jobs

    The CISA Integration is invoked automatically as a daily scheduled job. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Available versions

    Release version Release Notes

    Vulnerability Response v16.5, v18.0

    Vulnerability Response Integration with CISA v1.0, v1.2

    Viewing the CISA integration

    To view the CISA integration, navigate to Vulnerability Response > Administration > Integrations > CISA Known Exploit Vulnerability Integration.

    The following integrations are included in the base system.
    Note:
    Only the CISA Integration is active, by default.
    Table 1. CISA integration
    Integration Description
    Cybersecurity & Infrastructure Security Agency (CISA) Integration Retrieves CISA vulnerability data (CVE) and enriches the existing vulnerability data. This integration is set automatically to run daily.

    To view data in third-party vulnerabilities, see View Vulnerability Response vulnerability libraries.