CISA Includes OASIS Common Security Advisory Framework for Systems, Devices
The Cybersecurity and Infrastructure Security Agency has added the OASIS Common Security Advisory Framework version 2.0 standard to its advisories for industrial control systems, operational technologies and medical devices.
According to the agency, OASIS CSAF “supports the creation, update and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.” The inclusion of OASIS CSAF V2.0 is part of CISA’s efforts to advance the United States’ vulnerability management ecosystem, which includes three steps.
The first step in improving the vulnerability management ecosystem is to expand the use of CSAF, followed by the adoption of the Vulnerability Exploitability Exchange and the use of Stakeholder-Specific Vulnerability Categorization, CISA said.
The adoption of the OASIS CSAF is part of the agency’s efforts to enhance the cybersecurity posture for both businesses and government agencies.
In mid-September, CISA released a three-year roadmap to help agencies secure open-source software. The roadmap highlights the benefits and risks associated with open-source software, emphasizes CISA’s efforts to understand the technology and promotes public-private partnerships in addressing dangers.
In mid-July, the agency released the “Free Tools for Cloud Environments” fact sheet, which identifies tools businesses can use to protect critical assets as they transition into the cloud.