CISA releases Stakeholder Specific Vulnerability Categorization (SSVC).

< 1 min read

November 13, 2022 – Published on The Cyberwire

Last Thursday, before the US Veterans Day holiday, the US Cybersecurity and Infrastructure Security Agency (CISA) released a guide on Stakeholder-Specific Vulnerability Categorization (SSVC), which it describes as “a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety, and prevalence of the affected product in a singular system.”

Developed in collaboration with Carnegie Mellon University’s Software Engineering Institute (SEI), the SSVC offers a method of assigning priorities in response to specific risks. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlined the agency’s goals in establishing the SSVC. It fits into CISA’s tripartite approach to improving vulnerability management:

“First, we must introduce greater automation into vulnerability management, including by expanding use of the Common Security Advisory Framework (CSAF)

“Second, we must make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of Vulnerability Exploitability eXchange (VEX).”

“Third, we must help organizations more effectively prioritize vulnerability management resources through use of Stakeholder Specific Vulnerability Categorization (SSVC), including prioritizing vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) catalog.”

Kristen Bell, Director of Application Security Engineering at GuidePoint Security, sees CISA’s SSVC as offering something useful for application developers:

“Vulnerability Management is complex. In the AppSec world, we discuss the need for context behind the standard High, Medium, and Low severity levels. Building in a context related to risk and other criteria helps developers and other applicable technical teams understand how to prioritize their time. This system will help provide organizations with a consistent approach to understanding technical impact, the ability for successful exploitation, mitigation, and even public well-being impact.”

Services

Application Security

Strategic Solutions

Tactical Assessment

Managed Security

Services by Platform

Professional Services

Resources

Professional Services

Resources

Professional Services

Resources

Professional Services

Professional Services

Governance Services

Business Resiliency

Risk Services

Managed Security

Compliance Services

Professional Services

IAM Pillars

Managed Security

Proactive Services

Reactive Services

Managed Security

Advisory Services

Security Program Management

Third-Party Managed Services

"As A Service" Offerings

Security Program Management

Professional Services

Implementation & Administration

Managed Security

Professional Services

Resources

Professional Services

Resources

Professional Services

Platform-Specific Services

Managed Security

Robust Staffing Solutions

Managed Security

Threat Emulation

Tactical Assessment

Vulnerability Management

Managed Security

Technologies

Technology Solutions

Government Solutions

ABOUT GOVERNMENT SOLUTIONS

GSA Contract

DOD ESI Contract

SeaPort Next Generation (SeaPort-NxG)

Emerging Cyber Vendor Program

Company

ABOUT GUIDEPOINT SECURITY

Customers

GuidePoint Security Financial

GuidePoint Security University

GuidePoint Research and Intelligence Team (GRIT®)

Contact Us

Resources

Resource Library

Events

Blog

Featured Resources

CISA releases Stakeholder Specific Vulnerability Categorization (SSVC).

Related Articles