Transforming Vulnerability Management: CISA Adds OASIS CSAF 2.0 Standard to ICS Advisories


By Lindsey Cerkovnik, Chief of Vulnerability Response and Coordination, and Daniel Larson, Justin Murphy, and Brandon Tarr

In our pursuit to “transform the vulnerability management landscape,” CISA is excited to announce that our security advisories for Industrial Control Systems (ICS), Operational Technology (OT), and Medical Devices now include the OASIS Common Security Advisory Framework (CSAF) Version 2.0 standard.

In the current risk environment, organizations are challenged to manage the growing number and complexity of new vulnerabilities. A critical step in helping organizations achieve better efficiency in triaging and prioritizing vulnerability management efforts is introducing greater automation into the ecosystem. CSAF supports automation of the production, distribution, and consumption of security advisories — reducing the time between when vulnerabilities are disclosed and when businesses remediate them and enabling future tooling for automated vulnerability information sharing.

In the words of the standard itself, “The CSAF standard is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.”

CISA now provides machine-readable CSAF documents alongside every new ICS Advisory and for those dating back to 2017. Our ICS CSAF advisories are linked from within the human-readable advisories themselves and are also available directly from CISA’s GitHub CSAF repository. This shift to the CSAF format will also drive other vulnerability response and coordination initiatives at CISA to automate and streamline the drafting and publication process for these ever-increasing and critical ICS Advisories.
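To make the "consumption" side of that automation concrete, here is an added example (not CISA's code and not a file from the CISA GitHub repository) that reads a CSAF 2.0 document and answers the question an asset owner actually has: which of my assets are affected, and what does the advisory say to do about them? The advisory embedded below is a constructed sample that follows the CSAF 2.0 layout (document metadata, a product_tree, and a vulnerabilities array with per-product status); its publisher, product names, product IDs and the CVE identifier are placeholders, not real values. The asset inventory mapping is likewise an assumption about how an operator would map their own asset register onto the advisory's product IDs.

```python
import json

# Constructed CSAF 2.0 advisory (placeholder values, not a real advisory).
SAMPLE_CSAF = json.loads(r"""
{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "publisher": {"category": "coordinator", "name": "Example Coordinator (constructed)",
                  "namespace": "https://example.invalid"},
    "title": "Example PLC Controller Vulnerabilities (constructed sample)",
    "tracking": {"id": "EXAMPLE-2024-0001", "status": "final", "version": "1.0.0",
                 "initial_release_date": "2024-01-01T00:00:00Z",
                 "current_release_date": "2024-01-01T00:00:00Z",
                 "revision_history": [{"date": "2024-01-01T00:00:00Z", "number": "1.0.0",
                                       "summary": "Initial publication"}]}
  },
  "product_tree": {
    "branches": [
      {"category": "vendor", "name": "Example Vendor", "branches": [
        {"category": "product_name", "name": "Example PLC", "branches": [
          {"category": "product_version", "name": "1.0",
           "product": {"name": "Example PLC 1.0", "product_id": "CSAFPID-0001"}},
          {"category": "product_version", "name": "1.1",
           "product": {"name": "Example PLC 1.1", "product_id": "CSAFPID-0002"}},
          {"category": "product_version", "name": "2.0",
           "product": {"name": "Example PLC 2.0", "product_id": "CSAFPID-0003"}}
        ]}
      ]}
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-0000-0001",
      "title": "Placeholder vulnerability title (constructed)",
      "product_status": {"known_affected": ["CSAFPID-0001", "CSAFPID-0002"],
                         "fixed": ["CSAFPID-0003"]},
      "remediations": [{"category": "vendor_fix", "details": "Update to version 2.0",
                        "product_ids": ["CSAFPID-0001", "CSAFPID-0002"]}]
    }
  ]
}
""")


def is_csaf_2(doc):
    """Cheap sanity check before trusting the document's structure."""
    d = doc.get("document", {})
    return d.get("csaf_version") == "2.0" and "tracking" in d and "title" in d


def product_names(doc):
    """Map product_id -> human-readable name by walking the product_tree.
    Handles nested branches and top-level full_product_names."""
    names = {}

    def walk(branches):
        for branch in branches:
            if "product" in branch:
                names[branch["product"]["product_id"]] = branch["product"]["name"]
            walk(branch.get("branches", []))

    tree = doc.get("product_tree", {})
    walk(tree.get("branches", []))
    for product in tree.get("full_product_names", []):
        names[product["product_id"]] = product["name"]
    return names


def affected_products(doc):
    """Return {cve: [product names]} for products listed as known_affected."""
    names = product_names(doc)
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        ids = vuln.get("product_status", {}).get("known_affected", [])
        result[vuln.get("cve", vuln.get("title", "untitled"))] = [names.get(i, i) for i in ids]
    return result


def remediations_for(vuln, product_id):
    """(category, details) pairs whose product_ids include this product.
    Remediations scoped by group_ids are not resolved here."""
    return [(r["category"], r.get("details", ""))
            for r in vuln.get("remediations", [])
            if product_id in r.get("product_ids", [])]


def triage(doc, inventory):
    """inventory maps an asset name to the CSAF product_id it runs.
    Returns one record per (asset, vulnerability) where the asset is affected."""
    if not is_csaf_2(doc):
        raise ValueError("not a CSAF 2.0 document")
    names = product_names(doc)
    findings = []
    for asset, pid in sorted(inventory.items()):
        for vuln in doc.get("vulnerabilities", []):
            if pid in vuln.get("product_status", {}).get("known_affected", []):
                findings.append({"asset": asset, "product": names.get(pid, pid),
                                 "cve": vuln.get("cve"),
                                 "remediations": remediations_for(vuln, pid)})
    return findings


if __name__ == "__main__":
    # Constructed asset register: asset name -> CSAF product_id it runs.
    inventory = {"plc-line-3": "CSAFPID-0002", "plc-line-4": "CSAFPID-0003"}
    for finding in triage(SAMPLE_CSAF, inventory):
        print(json.dumps(finding, indent=2))
```

Run against a real advisory from the repository, the same functions give an answer per asset rather than a PDF to read, which is the time saving the post describes. The `is_csaf_2` check and the `fixed` status list matter in practice: a product that appears in `fixed` but not `known_affected` is correctly left out of the findings, and the version check stops a consumer from silently mis-parsing a document in another format.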

CISA urges software and hardware vendors to adopt CSAF for their security advisories. On the OASIS CSAF 2.0 standard webpage, vendors will find more information and background about this framework. A suite of tools for consumers and producers of CSAF documents is available on the OASIS CSAF Open Source Tools GitHub.

By providing machine-readable advisories using the CSAF 2.0 standard, vendors and providers of software and hardware can join CISA in taking proactive steps to enable automation and future tooling, driving timely remediation.

For more information on CISA’s coordinated vulnerability disclosure and industrial control systems efforts, visit Industrial Control Systems.