CISA Releases SSVC Guide to Help Companies Prioritize Vulnerabilities

Written by

The Cybersecurity and Infrastructure Security Agency (CISA) has published a new guide on Stakeholder-Specific Vulnerability Categorization (SSVC).

This vulnerability management methodology is designed to assess vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts on safety and prevalence of the affected product in a singular system.

SSVC was first created by CISA in collaboration with Carnegie Mellon University's Software Engineering Institute (SEI) in 2019.

In 2020, CISA then worked with SEI to develop its customized SSVC decision tree to examine vulnerabilities relevant to the United States government (USG), as well as state, local, tribal and territorial (SLTT) governments and critical infrastructure entities.

According to the latest iteration of SSVC, its new implementation has allowed CISA to better prioritize its vulnerability response and vulnerability messaging to the public.

Writing about the new guide, CISA's executive assistant director Eric Goldstein said that organizations of all sizes are challenged to manage the number and complexity of new vulnerabilities.

"Organizations with mature vulnerability management programs seek more efficient ways to triage and prioritize efforts. Smaller organizations struggle with understanding where to start and how to allocate limited resources," Goldstein wrote in a blog post.

"Fortunately, there is a path toward more efficient, automated, prioritized vulnerability management," the security expert added.

Goldstein explained that organizations now can use CISA's customized SSVC decision tree guide to prioritize a known vulnerability based on assessing five decision points: exploitation status, technical impact, automatability, mission prevalence and public well-being impact.

"Based on reasonable assumptions for each decision point, a vulnerability will be categorized either as Track, Track*, Attend, or Act. A description of each decision and value can be found on CISA's new SSVC webpage," Goldstein concluded.

The new guidelines come weeks after CISA issued a separate report outlining baseline cybersecurity performance goals (CPGs) for all critical infrastructure sectors.

What’s hot on Infosecurity Magazine?