SSVC: Prioritization of vulnerability remediation according to CISA

Given that 2021 was a record year for new vulnerabilities published and threat actors became better at weaponizing vulnerabilities, timely and well-judged vulnerability prioritization and remediation are a goal all organizations should aspire to achieve.

The US Cybersecurity and Infrastructure Security Agency (CISA) regularly publishes lists of the most exploited vulnerabilities and keeps a regularly updated Known Exploited Vulnerabilities catalog everyone is welcome to use, but as helpful as these resources are, organizations usually stumble when it comes to deciding which security holes should be plugged first.

That’s why the agency has updated and is promoting the Stakeholder-Specific Vulnerability Categorization (SSVC) system they are using themselves.

A step towards better vulnerability management

Better vulnerability management is possible, says Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, and it involves:

  • Using automation – and the Common Security Advisory Framework (CSAF), which “provides a standardized format for ingesting vulnerability advisory information and simplify triage and remediation processes for asset owners.”
  • Clarifying the impact of vulnerabilities. This hinges on vendors issuing a Vulnerability Exploitability eXchange (VEX) advisory stating whether a product is or is not affected by a specific vulnerability in a machine readable, automated way.
  • Prioritizing vulnerabilities based on specific attributes (state of exploitation, technical impact, the potential for automated exploitation, impact on an org’s mission essential functions, impact on public well-being) with the help of the SSVC Calculator and the aforementioned SSVC system/guide.

vulnerability prioritization remediation

CISA’s decision tree for vulnerability prioritization (Source: CISA)

Vulnerabilities are thus categorized into four groups:

  • Track: Not for immediate remediation (just within standard update timelines), but should be tracked for changes in status
  • Track*: Requires closer monitoring for changes. Remediation: within standard update timelines.
  • Attend: Attention required from the organization’s internal supervisory team, who need to look for more info and may have to publish a notification either internally and/or externally. Remediation should be performed sooner than standard update timelines.
  • Act: Attention required from the organization’s internal supervisory team and leadership-level individuals. Needed: more info or assistance, notifications, internal group meeting to decide on response and actions. Remediation: as soon as possible.

“The CISA SSVC Calculator allows users to input decision values and navigate through the CISA SSVC tree model to the final overall decision for a vulnerability affecting their organization,” the agency explained.

Organizations whose mission spaces do not align with CISA’s decision tree can choose other decision tree models.)

CVSS or SSVC (or both)?

Derek McCarthy, Director, Field Engineering at NetRise, says that everyone in the cybersecurity industry understands that CVSS scores can’t be blindly (or exclusively) used to prioritize vulnerability remediation.

“Context matters (a lot), and SSVC has done incredible work enumerating all the factors that should be involved in determining how to deal with vulnerabilities in any given setting. CISA’s work in extending that should prove to be valuable in boiling up some of the more pertinent details to allow organizations to more easily digest and implement vulnerability management policies and procedures that reflect the goals of the SSVC framework.”

Don't miss