CISA Known Exploit Vulnerability (KEV) Integration

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of CISA Known Exploit Vulnerability (KEV) Integration

    The CISA Known Exploit Vulnerability (KEV) Integration enhances Vulnerability Response in ServiceNow by ingesting data from the CISA catalog. This integration helps prioritize and remediate vulnerabilities that are actively exploited, ensuring that government agencies and corporations can respond urgently to security threats.

    Show full answer Show less

    Key Features

    • Data Ingestion: Integrates CISA's Common Vulnerabilities and Exposures (CVE) to enrich vulnerability data in your instance, aiding in vulnerability management.
    • Known Ransomware Tracking: Introduces a field for vulnerabilities known to be used in ransomware campaigns, providing critical information for threat assessment.
    • Automatic Scheduling: Runs as a daily scheduled job to keep your instance synchronized with external vulnerability management systems, simplifying the remediation lifecycle.
    • Viewing Integration: Accessible through the Vulnerability Response Administration section for easy management and oversight.

    Key Outcomes

    By utilizing the CISA KEV Integration, ServiceNow customers can effectively identify and prioritize vulnerabilities, enhancing their cybersecurity posture. This integration supports informed decision-making for vulnerability remediation and ensures that organizations stay updated on critical security threats.

    The Vulnerability Response integration with the CISA Known Exploited Vulnerabilities (KEVs) catalog ingests data to help you effectively prioritize and remediate these vulnerabilities.

    Request apps on the Store

    Visit the ServiceNow Store to view all the available apps, and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    CISA enables urgent and prioritized remediation of actively exploited vulnerabilities for government agencies and corporations.

    About CISA

    Cybersecurity & Infrastructure Security Agency (CISA) is a U.S. Cybersecurity & Infrastructure Security Agency that publishes a report on the most exploited vulnerabilities. It easily integrates with Vulnerability Response to map Common Vulnerabilities and Exposures (CVE) vulnerabilities enriching the data in your instance. This information is then rolled up to the Third-Party Vulnerability Entries table. The earliest due date is considered for the roll-up to the vulnerable items.
    Note:
    The CISA Exists check box for CVEs retrieved by CISA.
    Values retrieved from the CISA integration:
    • CVE ID
    • Due date
    • Date added
    • Vendor/Project
    • Product
    • Known ransomware (starting from v21.0 of Vulnerability Response, a new field Known To Be Used in Ransomware Campaigns is ingested from the CISA Known Exploited Vulnerabilities (KEVs) catalog. It’s indicated by the flagging of the Known ransomware field on the National Vulnerability Entry database table. The flag is set at the Common Vulnerabilities and Exposures (CVE) level and rolled up to the third-party entry (TPE).

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Scheduled jobs

    The CISA Integration is invoked automatically as a daily scheduled job. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Available versions

    Release version Release Notes

    Vulnerability Response v16.5, v18.0

    Vulnerability Response Integration with CISA v1.0, v1.2

    Viewing the CISA integration

    To view the CISA integration, navigate to Vulnerability Response > Administration > Integrations > CISA Known Exploit Vulnerability Integration.

    The following integrations are included in the base system.
    Note:
    Only the CISA Integration is active, by default.
    Table 1. CISA integration
    Integration Description
    Cybersecurity & Infrastructure Security Agency (CISA) Integration Retrieves CISA vulnerability data (CVE) and enriches the existing vulnerability data. This integration is set automatically to run daily.

    To view data in third-party vulnerabilities, see View Vulnerability Response vulnerability libraries.