CISA Official Proposes Methodology in Prioritizing Cyber Vulnerabilities
The Cybersecurity and Infrastructure Security Agency has released a set of documents to guide agencies and organizations in their software vulnerability remediation processes.
Eric Goldstein, executive assistant director of CISA, said in a blog post that the Stakeholder-Specific Vulnerability Categorization (SSVC) should be used to decide which vulnerabilities to prioritize. According to Goldstein, CISA used the SSVC methodology to develop its Known Exploited Vulnerabilities catalog.
The documents were released amid an operational directive for government agencies to address vulnerability reports from security researchers, Nextgov reported Thursday.
SSVC is a decision framework that lets users prioritize vulnerabilities according to their exploitation status, technical impact, automatability, mission prevalence and impact on public well-being.
Goldstein said using SSVC is the third in a three-step process. According to the CISA official, the first step is to introduce automation into vulnerability management, and the second is to adopt the Vulnerability Exploitability eXchange (VEX) to make it easier for organizations to understand whether a product is affected by a given vulnerability.
Automation is done through the Common Security Advisory Framework (CSAF), a machine-readable advisory format that vendors can use to inform customers of vulnerabilities in their products. VEX, meanwhile, is a document in which a vendor states whether a product is affected by a vulnerability, how it has eliminated or mitigated the issue, or that the vulnerability is present and requires patching.