By Eric Goldstein, Executive Assistant Director for Cybersecurity
In the current risk environment, organizations of all sizes are challenged to manage the number and complexity of new vulnerabilities. Organizations with mature vulnerability management programs seek more efficient ways to triage and prioritize efforts. Smaller organizations struggle with understanding where to start and how to allocate limited resources. Fortunately, there is a path toward more efficient, automated, prioritized vulnerability management. Working with our partners across government and the private sector, we are excited to outline three critical steps to advance the vulnerability management ecosystem:
- First, we must introduce greater automation into vulnerability management, including by expanding use of the Common Security Advisory Framework (CSAF)
- Second, we must make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of Vulnerability Exploitability eXchange (VEX)
- Third, we must help organizations more effectively prioritize vulnerability management resources through use of Stakeholder Specific Vulnerability Categorization (SSVC), including prioritizing vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) catalog
With these advances, described further below, we will make necessary progress in vulnerability management and reduce the window that our adversaries have to exploit American networks.
- Achieving Automation: Publish machine-readable security advisories based on the Common Security Advisory Framework (CSAF).
When a new vulnerability is identified, software vendors jump into action: understanding impacts to products, identifying remediations, and communicating to end users. But as we know, the clock is ticking: adversaries are often turning vulnerabilities to exploits within hours of initial public reports.
Software vendors work constantly to understand if their products are impacted by a new vulnerability. To meet this timeframe, our community needs a standardized approach for vendors to disclose security vulnerabilities to end users in an accelerated and automated way.
The CSAF, developed by the OASIS CSAF Technical Committee, is a standard for machine-readable security advisories. CSAF provides a standardized format for ingesting vulnerability advisory information and simplify triage and remediation processes for asset owners. By publishing security advisories using CSAF, vendors will dramatically reduce the time required for enterprises to understand organizational impact and drive timely remediation.
- Clarifying Impact: Use Vulnerability Exploitability eXchange (VEX) to communicate whether a product is affected by a vulnerability and enable prioritized vulnerability response
VEX allows a vendor to assert whether specific vulnerabilities affect a product; a VEX advisory can also indicate that a product is not affected by a vulnerability. Not all vulnerabilities are exploitable and put an organization at risk. To help reduce effort spent by users investigating vulnerabilities, vendors can issue a VEX advisory that states whether a product is or is not affected by a specific vulnerability in a machine readable, automated way. VEX is implemented as a profile in CSAF and is one of its more popular use cases, aligning with the existing work supporting machine-readable advisories.
The ultimate goal of VEX is to support greater automation across the vulnerability ecosystem, including disclosure, vulnerability tracking, and remediation. VEX data can also support more effective use of software bill of materials (SBOM) data. An SBOM is a machine-readable, comprehensive inventory of software components and dependencies. Machine-readable VEX documents support linking to an SBOM and specific SBOM components. While SBOM gives an organization information on where they are potentially at risk, a VEX document helps an organization find out where they are actually affected by known vulnerabilities, and if actions need to be taken to remediate based on exploitation status.
- Prioritized Based on Organizational Attributes: Use vulnerability management frameworks, such as Stakeholder-Specific Vulnerability Categorization (SSVC), which utilize exploitation status and other vulnerability data to help prioritize remediation efforts.
Last year, CISA issued Binding Operational Directive (BOD) 22-01, which directs federal civilian agencies to remediate KEVs and encourages all organizations to implement the KEV catalog into their vulnerability management framework. The first publication of KEV vulnerabilities derived from CISA's use of SSVC which occurred on November 3, 2021.
CISA encourages every organization to use a vulnerability management framework that considers a vulnerability’s exploitation status, such as SSVC.
To assist organizations with using SSVC, today, CISA released:
- An SSVC webpage introducing CISA's SSVC decision tree;
- The CISA SSVC Guide instructing how to use the scoring decision tree; and
- The CISA SSVC Calculator for evaluating how to prioritize vulnerability responses in an organization’s respective environment.
Organizations now have the option to use CISA’s customized SSVC decision tree guide to prioritize a known vulnerability based on an assessment of five decision points, which are (1) exploitation status, (2) technical impact, (3) automatability, (4) mission prevalence, and (5) public well-being impact. Based on reasonable assumptions for each decision point, a vulnerability will be categorized either as Track, Track*, Attend, or Act. A description of each decision and value can be found on CISA’s new SSVC webpage.
As we collectively work to advance vulnerability management practices, we want to hear from you. Please send any feedback or questions to Vulnerability@cisa.dhs.gov