CISA releases Stakeholder Specific Vulnerability Categorization (SSVC).

Last Thursday, before the US Veterans Day holiday, the US Cybersecurity and Infrastructure Security Agency (CISA) released a guide on Stakeholder-Specific Vulnerability Categorization (SSVC), which it describes as "a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety, and prevalence of the affected product in a singular system."

CISA's goals in promulgating the SSVC.

Developed in collaboration with Carnegie Mellon University's Software Engineering Institute (SEI), the SSVC offers a method of assigning priorities in response to specific risks. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlined the agency's goals in establishing the SSVC. It fits into CISA's tripartite approach to improving vulnerability management:

"First, we must introduce greater automation into vulnerability management, including by expanding use of the Common Security Advisory Framework (CSAF)

"Second, we must make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of Vulnerability Exploitability eXchange (VEX)

"Third, we must help organizations more effectively prioritize vulnerability management resources through use of Stakeholder Specific Vulnerability Categorization (SSVC), including prioritizing vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) catalog

How CISA will use the SSVC.

CISA will assess vulnerabilities and assign them one of four actions.

• "Track: The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines. 
• "Track*: The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines. 
• "Attend: The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines. 
• "Act: The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." 

Five values determine where an an exploits lands in that decision tree:

1. "Exploitation status,"  
2. "Technical impact,"  
3. "Automatable" (that is, does an exploit lend itself to automation), 
4. "Mission prevalence" (that is, does the vulnerability affect mission-performance, and, if it does, how directly) and
5. "Public well-being impact." 

Industry comments on SSVC.

We received comment from two industry experts on the newly recommended approach. Kristen Bell, Director of Application Security Engineering at GuidePoint Security, sees CISA's SSVC as offering something useful for application developers:

“Vulnerability Management is complex. In the AppSec world, we discuss the need for context behind the standard High, Medium, and Low severity levels. Building in a context related to risk and other criteria helps developers and other applicable technical teams understand how to prioritize their time. This system will help provide organizations with a consistent approach to understanding technical impact, the ability for successful exploitation, mitigation, and even public well-being impact.”

Derek McCarthy, Director, Field Engineering at NetRise, sees the new approach as offering welcome context to vulnerability scoring:

“Everyone in the industry understands at this point that we can't just blindly use CVSS scores to prioritize vulnerabilities. Context matters (a lot), and SSVC has done incredible work enumerating all the factors that should be involved in determining how to deal with vulnerabilities in any given setting. CISA's work in extending that should prove to be valuable in boiling up some of the more pertinent details to allow organizations to more easily digest and implement vulnerability management policies and procedures that reflect the goals of the SSVC framework.”