CISA Releases SSVC Guide to Help Companies Prioritize Vulnerabilities

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

The Cybersecurity and Infrastructure Security Agency (CISA) has published a new guide on Stakeholder-Specific Vulnerability Categorization (SSVC).

This vulnerability management methodology is designed to assess vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts on safety and prevalence of the affected product in a singular system.

SSVC was first created by CISA in collaboration with Carnegie Mellon University’s Software Engineering Institute (SEI) in 2019.

In 2020, CISA then worked with SEI to develop its customized SSVC decision tree to examine vulnerabilities relevant to the United States government (USG), as well as state, local, tribal and territorial (SLTT) governments and critical infrastructure entities.

According to the latest iteration of SSVC, its new implementation has allowed CISA to better prioritize its vulnerability response and vulnerability messaging to the public.

Writing about the new guide, CISA’s executive assistant director Eric Goldstein said that organizations of all sizes are challenged to manage the number and complexity of new vulnerabilities.

“Organizations with mature vulnerability management programs seek more efficient ways to triage and prioritize efforts. Smaller organizations struggle with understanding where to start and how to allocate limited resources,” Goldstein wrote in a blog post.

“Fortunately, there is a path toward more efficient, automated, prioritized vulnerability management,” the security expert added.

Goldstein explained that organizations now can use CISA’s customized SSVC decision tree guide to prioritize a known vulnerability based on assessing five decision points: exploitation status, technical impact, automatability, mission prevalence and public well-being impact.

“Based on reasonable assumptions for each decision point, a vulnerability will be categorized either as Track, Track*, Attend, or Act. A description of each decision and value can be found on CISA’s new SSVC webpage,” Goldstein concluded.

The new guidelines come weeks after CISA issued a separate report outlining baseline cybersecurity performance goals (CPGs) for all critical infrastructure sectors.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

BlackTech Targets Tech, Research, and Gov Sectors New ‘Deuterbear’ Tool
The ABCs of how online ads can impact children’s well-being
Quishing Attacks Jump Tenfold, Attachment Payloads Halve
Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack
Bitcoin scams, hacks and heists – and how to avoid them

Leave a Reply

Your email address will not be published. Required fields are marked *