The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the formation of a new program aimed at identifying and preventing ransomware attacks. The initiative is known as the Ransomware Vulnerability Warning Pilot (RVWP) program.

Nuts and Bolts of the RVWP Program

The RVWP program will utilize an "awareness and information-sharing model" to help critical infrastructure organizations prevent future ransomware attacks.[1] The program will proactively identify and track recognized cyber vulnerabilities being exploited by ransomware attackers.

The RVWP will then issue an alert to organizations that may be at risk of an attack. This will, in turn, enable the organizations to implement their own mitigation strategies to address the identified vulnerabilities before a damaging intrusion occurs. Interested organizations can also subscribe to CISA's free scanning and testing services and receive weekly vulnerability reports and alerts.[2]

The RVWP program is a collaborative initiative that will be led by both CISA and the Federal Bureau of Investigation (FBI). The program will be coordinated by the Joint Ransomware Task Force (JRTF).

RVWP Program Immediately Identifies Vulnerabilities

Shortly after announcing the launch of the program, CISA allowed the RVWP to flex its metaphorical muscle by notifying 93 organizations that they were running instances of Microsoft Exchange Service with a vulnerability known as "ProxyNotShell."[3]

Origins of the RVWP Program

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) (we summarize CIRCIA here) required the formation of the RVWP initiative.[4] The RVWP program aligns with the regulatory requirements set forth in the CIRCIA directing critical infrastructure entities to report cyber incidents and ransom payments to CISA.

Key Takeaway

The launch of the RVWP program is another indicator that CISA intends to be active in 2023 and beyond. For example, CISA is developing a set of rules under the CIRCIA that would establish cyber incident and ransom payment reporting obligations (we blogged about this here). CISA and the FBI continue to publish regular updates and advisories on ransomware threats on CISA's Stop Ransomware site. In October 2022, CISA released its voluntary cross-sector cybersecurity performance goals (CPGs) in an effort to establish a uniform set of cybersecurity practices for the critical infrastructure sector. The CPGs developed by CISA could very well play an important role in the establishment of mandatory cybersecurity standards for critical infrastructure operators, as described in the Biden Administration's National Cybersecurity Strategy (we published an in-depth summary of the new National Cybersecurity Strategy and discussed CISA's CPG efforts).

DWT's Privacy & Security team will continue to monitor CISA's rulemaking activity and other initiatives related to cybersecurity and reporting requirements for critical infrastructure operators.


[1] Overview of the Ransomware Vulnerability Warning Pilot (RVWP) program on CISA.gov. See https://www.cisa.gov/stopransomware/Ransomware-Vulnerability-Warning-Pilot.

[2] See https://www.cisa.gov/topics/cyber-threats-and-advisories/cyber-hygiene-services.

[3] The RVWP alert issued to 93 organizations was prominently featured in CISA’s press release announcing the RVWP program. See https://www.cisa.gov/news-events/news/cisa-establishes-ransomware-vulnerability-warning-pilot-program.

[4] Section 105 [6 U.S.C. § 652 note] states CISA “shall establish a ransomware vulnerability warning pilot program to leverage existing authorities and technology to specifically develop processes and procedures for, and to dedicate resources to, identifying information systems that contain security vulnerabilities associated with common ransomware attacks, and to notify the owners of those vulnerable systems of their security vulnerability.” See https://www.law.cornell.edu/uscode/text/6/652.