On Nov. 10, CISA published its guide on Stakeholder-Specific Vulnerability Categorization (SSVC), a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety, and prevalence of the affected product in a singular system.
As stated in CISA’s Executive Assistant Director’s recent blog, Transforming the Vulnerability Management Landscape, implementing a methodology such as SSVC is a critical step to advancing the vulnerability management ecosystem. CISA encourages organizations to use the resources on the SSVC webpage to strengthen their vulnerability management processes.
Stakeholder-Specific Vulnerability Categorization
Carnegie Mellon University's Software Engineering Institute (SEI), in collaboration with CISA, created the Stakeholder-Specific Vulnerability Categorization (SSVC) system in 2019 to provide the cyber community a vulnerability analysis methodology that accounts for a vulnerability's exploitation status, impacts to safety, and prevalence of the affected product in a singular system. CISA worked with SEI in 2020 to develop its own customized SSVC decision tree to examine vulnerabilities relevant to the United States government (USG), as well as state, local, tribal, and territorial (SLTT) governments, and critical infrastructure entities. Implementing SSVC has allowed CISA to better prioritize its vulnerability response and vulnerability messaging to the public.
How CISA Uses SSVC
CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions:
- Track: The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.
- Track*: The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines.
- Attend: The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.
- Act: The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed-upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.
The CISA SSVC tree determines the decisions of Track, Track*, Attend, and Act based on five values (decision points):
- Exploitation status
- Technical impact
- Automatable
- Mission prevalence
- Public well-being impact
To learn more, see the CISA SSVC Guide (pdf, 948 kb).
CISA's SSVC Calculator
The CISA SSVC Calculator allows users to input decision values and navigate through the CISA SSVC tree model to the final overall decision for a vulnerability affecting their organization. The SSVC Calculator allows users to export the data as PDF or JSON.
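The walk from decision values to one of the four outcomes is a table lookup, and the property worth checking in any customized tree is that it never becomes less urgent as a vulnerability gets worse. The following is an added example, not CISA's or SEI's code: the decision points and outcomes use this page's SSVC vocabulary, but the outcome table is constructed for illustration (with an assumed combined mission/well-being axis) and is not CISA's published tree, which should be taken from the SSVC guide.

```python
"""SSVC-style decision tree walker plus a monotonicity check.

Added example, not CISA's or SEI's code. The outcome table is CONSTRUCTED
for illustration and is not CISA's published tree (see the SSVC guide).
"""
from itertools import product

# Decision-point values, ordered least to most severe. The combined
# mission/well-being axis is an assumption made to keep the table small.
SCALES = {
    "exploitation": ("none", "poc", "active"),
    "technical_impact": ("partial", "total"),
    "mission_wellbeing": ("low", "medium", "high"),
}
OUTCOMES = ("Track", "Track*", "Attend", "Act")  # least to most urgent

# Constructed sample: exploitation -> technical_impact -> (low, medium, high)
TREE = {
    "none":   {"partial": ("Track", "Track", "Track"),   "total": ("Track", "Track", "Track*")},
    "poc":    {"partial": ("Track", "Track", "Track*"),  "total": ("Track", "Track*", "Attend")},
    "active": {"partial": ("Track", "Attend", "Attend"), "total": ("Track", "Attend", "Act")},
}

def lookup(tree, path):
    """Outcome for an (exploitation, technical_impact, mission_wellbeing) tuple."""
    expl, impact, mw = path
    return tree[expl][impact][SCALES["mission_wellbeing"].index(mw)]

def decide(tree, **values):
    """Outcome for one vulnerability, rejecting values outside the scales."""
    for point, scale in SCALES.items():
        if values.get(point) not in scale:
            raise ValueError(f"{point} must be one of {scale}, got {values.get(point)!r}")
    return lookup(tree, tuple(values[p] for p in SCALES))

def monotonicity_violations(tree):
    """Pairs (path, worse) where raising ONE decision point lowers urgency."""
    points = list(SCALES)
    bad = []
    for path in product(*SCALES.values()):
        for i, point in enumerate(points):
            scale = SCALES[point]
            nxt = scale.index(path[i]) + 1  # step this decision point up once
            if nxt < len(scale):
                worse = path[:i] + (scale[nxt],) + path[i + 1:]
                if OUTCOMES.index(lookup(tree, worse)) < OUTCOMES.index(lookup(tree, path)):
                    bad.append((path, worse))
    return bad  # empty for a sound tree; non-empty usually means a data-entry error
```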
Additional SSVC Decision Tree Models
Organizations whose mission spaces need to evaluate the effect of vulnerabilities in at least one external organization may find the CISA SSVC decision tree model helpful. The CISA SSVC decision tree model closely resembles the standard SSVC “Coordinator” tree. For organizations whose mission spaces do not align with CISA’s decision tree, the SEI whitepaper Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0) details other decision tree models that may better align to their mission space.