Updated on 2022-11-14: CISA Publishes Stakeholder-Specific Vulnerability Categorization Guide
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a Stakeholder-Specific Vulnerability Categorization Guide to help government agencies and other organizations prioritize vulnerability management. The guide includes information about how CISA scores vulnerabilities, and describes its decision tree model.
Note
- The SSVC guide derives from Carnegie Mellon University’s Software Engineering Institute’s SSVC system created in 2019 with the CISA. CISA then tweaked it for government agencies and related organizations. Take a look at this guide (it’s only 10 pages) and compare to how you’re deciding to prioritize response to vulnerabilities. There may be factors you’re not considering. If you are bound by the CISA KEV, using a similar categorization should help you remain aligned with regulatory requirements.
Read more in
- CISA Stakeholder-Specific Vulnerability Categorization Guide (PDF)
- Stakeholder-Specific Vulnerability Categorization
Updated on 2022-11-13
CISA announced the launch of a Stakeholder-Specific Vulnerability Categorization (SSVC) guide to help organizations prioritize vulnerability patching using a decision-tree model. Read more: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching
Updated on 2022-11-11
CISA guide: The US Cybersecurity and Infrastructure Security Agency published this week a guide on Stakeholder-Specific Vulnerability Categorization (SSVC), a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation based on exploitation status, impact on safety and mission, and how prevalent the affected product is within a given system. Read more: STAKEHOLDER-SPECIFIC VULNERABILITY CATEGORIZATION
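The decision-tree approach described above, as an added illustrative example that is not part of the original page or of CISA's guide. The decision-point names (Exploitation, Automatable, Technical Impact, Mission & Well-being) and the outcome labels (Track, Track*, Attend, Act) follow the SSVC vocabulary, but the value sets and the branch logic inside `decide` are an assumed simplified policy written for this example; anyone using it should replace them with the table from CISA's published guide. The sample vulnerabilities are constructed and are not real CVEs. The `is_monotonic` check is the kind of sanity test a practitioner wants on any such tree: making any single factor worse must never lower the priority.

```python
"""SSVC-style decision-tree evaluator (added example, not CISA's code)."""
from dataclasses import dataclass
from itertools import product

# Decision points with values ordered least to most severe. The point names
# follow CISA's SSVC guide; the value sets are an assumption for this example.
DECISION_POINTS = {
    "exploitation": ("none", "poc", "active"),
    "automatable": ("no", "yes"),
    "technical_impact": ("partial", "total"),
    "mission_wellbeing": ("low", "medium", "high"),
}

# Outcomes ordered least to most urgent.
OUTCOMES = ("Track", "Track*", "Attend", "Act")


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploitation: str
    automatable: str
    technical_impact: str
    mission_wellbeing: str


def validate(vuln: Vulnerability) -> None:
    """Reject values outside the defined decision-point vocabularies."""
    for point, allowed in DECISION_POINTS.items():
        value = getattr(vuln, point)
        if value not in allowed:
            raise ValueError(f"{vuln.name}: {point}={value!r} not in {allowed}")


def decide(vuln: Vulnerability) -> str:
    """Walk an illustrative decision tree and return an outcome label.

    The branch structure is a constructed policy for this example, not the
    table published in CISA's guide.
    """
    validate(vuln)
    e, a = vuln.exploitation, vuln.automatable
    t, m = vuln.technical_impact, vuln.mission_wellbeing
    if e == "active":
        if m == "high" or (t == "total" and m == "medium"):
            return "Act"
        if t == "total" or a == "yes" or m == "medium":
            return "Attend"
        return "Track*"
    if e == "poc":
        if a == "yes" and t == "total" and m == "high":
            return "Act"
        if m == "high" or (a == "yes" and t == "total"):
            return "Attend"
        if t == "total" or a == "yes" or m == "medium":
            return "Track*"
        return "Track"
    # No known exploitation: only the worst combinations leave "Track".
    if a == "yes" and t == "total" and m == "high":
        return "Attend"
    if m == "high" and (a == "yes" or t == "total"):
        return "Track*"
    return "Track"


def prioritize(vulns):
    """Return vulnerabilities most urgent first, ties broken by name."""
    rank = {o: i for i, o in enumerate(OUTCOMES)}
    return sorted(vulns, key=lambda v: (-rank[decide(v)], v.name))


def is_monotonic() -> bool:
    """True if worsening any single decision point never lowers the outcome."""
    names = list(DECISION_POINTS)
    for combo in product(*DECISION_POINTS.values()):
        base_rank = OUTCOMES.index(decide(Vulnerability("probe", *combo)))
        for i, name in enumerate(names):
            values = DECISION_POINTS[name]
            idx = values.index(combo[i])
            if idx + 1 < len(values):
                worse = list(combo)
                worse[i] = values[idx + 1]
                if OUTCOMES.index(decide(Vulnerability("probe", *worse))) < base_rank:
                    return False
    return True


# Constructed sample findings (hypothetical names, not real CVEs).
SAMPLE = [
    Vulnerability("internal-wiki-xss", "poc", "no", "partial", "low"),
    Vulnerability("web-proxy-auth-bypass", "active", "yes", "total", "high"),
    Vulnerability("build-server-rce", "none", "yes", "total", "medium"),
    Vulnerability("hr-portal-sqli", "poc", "yes", "total", "medium"),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{decide(v):7} {v.name}")
    print("tree is monotonic:", is_monotonic())
```

Running the block prints the constructed findings ordered Act, Attend, Track, Track, which is the order a patching queue would consume them in; the monotonicity check walks every combination of decision-point values, so it costs nothing to keep as a unit test whenever the tree is edited.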
Overview: CISA Provides Resources to Help Agencies Manage Known Exploited Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has released resources to help federal agencies comply with a binding operational directive (BOD) that requires them to reduce the significant risk of known exploited vulnerabilities. In a blog post, CISA Executive Assistant Director for Cybersecurity Eric Goldstein introduces the tools through a three-step process for improving vulnerability management: introducing greater automation; using the Vulnerability Exploitability eXchange (VEX) to determine whether a product is affected by a known vulnerability; and prioritizing vulnerability management resources through Stakeholder-Specific Vulnerability Categorization (SSVC).
Note
- A tool like the SSVC can help prioritize remediation efforts, but before you run out and grab something new, check your inventory for products which may already have this (or similar) capability and look at leveraging that first. We all have “shelfware” or narrowly implemented products, and as tempting as best-of-breed is, it’s still generally easier to use all the features in existing products than trying to integrate several disparate products which are “supposed” to be able to talk to each other.
- In this case, I have to treat CISA like I would any vendor. The Security Content Automation Protocol (SCAP) standards first came out of the US government in 2009 – announcing more such standards really does not equate to CISA “transforming the vulnerability management landscape.” They need to focus on helping government agencies overcome the obstacles they faced trying to make automation work, which had more to do with overhyping what would and would not make sense to automate than it did with needing new ways to find out and rank vulnerability severity. I’d like to see a focus on a simple use case: reduce average time to patch servers from months to days to hours. Then start thinking about automation overall.
Read more in