The Cybersecurity and Infrastructure Security Agency (CISA) published its guide on Stakeholder-Specific Vulnerability Categorization (SSVC), a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety, and prevalence of the affected product in a singular system.

According to Executive Assistant Director (EAD) Eric Goldstein, implementing a methodology such as SSVC is critical to advancing the vulnerability management ecosystem. In a blog post, EAD Goldstein outlines three crucial steps to advance the vulnerability management ecosystem:

  1. Introduce greater automation into vulnerability management by expanding the Common Security Advisory Framework (CSAF). CSAF is a standard for machine-readable security advisories. CSAF provides a standardized format for ingesting vulnerability advisory information and simplifies triage and remediation processes for asset owners. By publishing security advisories using CSAF, vendors will dramatically reduce the time required for enterprises to understand the organizational impact and drive timely remediation.
  2. Make it easier for organizations to understand whether a vulnerability impacts a given product through the widespread adoption of Vulnerability Exploitability eXchange (VEX). VEX allows a vendor to assert whether specific vulnerabilities affect a product; a VEX advisory can also indicate that a product is not affected by a vulnerability. 
  3. Help organizations prioritize vulnerability management resources more effectively through Stakeholder Specific Vulnerability Categorization (SSVC), including prioritizing vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

With these advances, EAD Goldstein says progress will be made in vulnerability management and, in turn, reduce the window that adversaries have to exploit U.S. networks.

Mike Parkin, Senior Technical Engineer at Vulcan Cyber, says, “Risk management can be a complicated issue in many organizations, and the CISA guidance does help. Whether it goes far enough remains to be seen. It’s certainly a step in the right direction. This guidance addresses prioritization, but because of its focus, it misses some real-world issues that can influence how vulnerabilities are handled in the field. For example, having issues with cross-team communication that deals with “who fixes what” in an organization’s environment. That’s why it can be very helpful to deploy a risk management platform that can handle getting things prioritized across internal silos.”

To further assist organizations with using SSVC, CISA also released the following: 

  • An SSVC webpage introducing CISA’s SSVC decision tree;
  • The CISA SSVC Guide instructs how to use the scoring decision tree; and
  • The CISA SSVC Calculator for evaluating how to prioritize vulnerability responses in an organization’s respective environment.

Organizations can use CISA’s customized SSVC decision tree guide to prioritize a known vulnerability based on an assessment of five decision points, which are (1) exploitation status, (2) technical impact, (3) automatability, (4) mission prevalence, and (5) public well-being impact. Based on reasonable assumptions for each decision point, a vulnerability will be categorized as Track, Track*, Attend, or Act. A description of each decision and value can be found on CISA’s new SSVC webpage

Andrew Barratt, Vice President at Coalfire, says the SSVC is more guidance to focus decision making, “whereas the CVE values will still play an important role in the process. The decision tree helps with categorizing and prioritizing action and will allow for multiple vulnerability impacts on each other to be considered as part of an attack chain.”

The guidance gives an organizational framework that should help with priorities, particularly during intense commercial periods such as the holidays when only a finite number of things can be done, Barratt adds. “This can help prioritize the most dangerous vulnerabilities when considering how they may be leveraged and serve as a tool to organize the information such that it is easily revisited. I can imagine vendors in the vulnerability management space adopting this alongside the MITRE ATT&CK so that management tools can help.”

For more information, visit