Stakeholder-Specific Vulnerability Categorization (SSVC)
Carnegie Mellon University's Software Engineering Institute (SEI), in collaboration with CISA, created the Stakeholder-Specific Vulnerability Categorization (SSVC) system in 2019 to provide the cyber community with a vulnerability analysis methodology that accounts for a vulnerability's exploitation status, its impacts to safety, and the prevalence of the affected product within a single system. CISA worked with SEI in 2020 to develop its own customized SSVC decision tree to examine vulnerabilities relevant to the United States government (USG), as well as state, local, tribal, and territorial (SLTT) governments, and critical infrastructure entities. Implementing SSVC has allowed CISA to better prioritize its vulnerability response and its vulnerability messaging to the public.
Stakeholder-Specific Vulnerability Categorization (SSVC) On Demand Training
The On Demand Training instructs analysts on triaging vulnerabilities with Stakeholder-Specific Vulnerability Categorization (SSVC) by collecting evidence, using examples of analysts in different stakeholder roles. SSVC is a vulnerability prioritization methodology that helps an analyst decide on vulnerability response actions consistent with priorities agreed with the analyst's leadership.
How CISA Uses SSVC
CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions:
- Track: The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.
- Track*: The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines.
- Attend: The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification internally, externally, or both. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.
- Act: The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification internally, externally, or both. Typically, internal groups would meet to determine the overall response and then execute the agreed-upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.
The CISA SSVC tree determines the decisions of Track, Track*, Attend, and Act based on five values:
- Exploitation status
- Technical impact
- Mission prevalence
- Public well-being impact
To learn more, see the CISA SSVC Guide (pdf, 948 kb).
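As an added illustration (not CISA's calculator and not its published tree), the Python below shows the shape of such a decision tree evaluator: it validates the decision point values, folds mission prevalence and public well-being into one level, walks a leaf table to exactly one of Track, Track*, Attend or Act, and checks the table for completeness before it is trusted. The value vocabularies, the folding rule and every leaf outcome are constructed for illustration only and must be replaced with the tables in the CISA SSVC Guide.

```python
from typing import Dict, Tuple

# Decision point vocabularies used here (hypothetical subset; the published
# CISA tree also branches on further decision points).
EXPLOITATION = ("none", "poc", "active")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_PREVALENCE = ("minimal", "support", "essential")
PUBLIC_WELL_BEING = ("minimal", "material", "irreversible")
MWB_LEVELS = ("low", "medium", "high")
OUTCOMES = ("Track", "Track*", "Attend", "Act")

# Constructed leaf table: (exploitation, technical_impact) -> outcome for
# mission_and_well_being low, medium, high. Illustrative only, NOT the leaf
# values of the published CISA tree; load those from the CISA SSVC Guide.
LEAVES: Dict[Tuple[str, str], Tuple[str, str, str]] = {
    ("none", "partial"): ("Track", "Track", "Track"),
    ("none", "total"): ("Track", "Track", "Track*"),
    ("poc", "partial"): ("Track", "Track", "Track*"),
    ("poc", "total"): ("Track", "Track*", "Attend"),
    ("active", "partial"): ("Track", "Attend", "Attend"),
    ("active", "total"): ("Attend", "Attend", "Act"),
}

def validate_tree(leaves: Dict[Tuple[str, str], Tuple[str, str, str]]) -> bool:
    """True if every branch has a leaf and every leaf is a known decision."""
    expected = {(e, t) for e in EXPLOITATION for t in TECHNICAL_IMPACT}
    return set(leaves) == expected and all(
        len(row) == len(MWB_LEVELS) and set(row) <= set(OUTCOMES) for row in leaves.values())

def mission_and_well_being(mission_prevalence: str, public_well_being: str) -> str:
    """Fold the two inputs into one level (constructed rule, not CISA's table)."""
    if mission_prevalence not in MISSION_PREVALENCE or public_well_being not in PUBLIC_WELL_BEING:
        raise ValueError("unknown mission prevalence or public well-being value")
    if mission_prevalence == "essential" or public_well_being == "irreversible":
        return "high"
    if mission_prevalence == "minimal" and public_well_being == "minimal":
        return "low"
    return "medium"

def decide(exploitation: str, technical_impact: str, mission_prevalence: str, public_well_being: str) -> dict:
    """Walk the tree; return the decision together with the evidence that produced it."""
    if exploitation not in EXPLOITATION or technical_impact not in TECHNICAL_IMPACT:
        raise ValueError("unknown exploitation or technical impact value")
    mwb = mission_and_well_being(mission_prevalence, public_well_being)
    return {"exploitation": exploitation, "technical_impact": technical_impact,
            "mission_prevalence": mission_prevalence, "public_well_being": public_well_being,
            "mission_and_well_being": mwb,
            "decision": LEAVES[(exploitation, technical_impact)][MWB_LEVELS.index(mwb)]}
```

Keeping the evidence values in the returned record alongside the decision is what makes a later reassessment (the "Track" case, when new information arrives) auditable.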
CISA's SSVC Calculator
The CISA SSVC Calculator allows users to input decision values and navigate through the CISA SSVC tree model to the final overall decision for a vulnerability affecting their organization. The SSVC Calculator allows users to export the data as PDF or JSON.
Additional SSVC Decision Tree Models
Organizations whose mission spaces need to evaluate the effect of vulnerabilities in at least one external organization may find the CISA SSVC decision tree model helpful. The CISA SSVC decision tree model closely resembles the standard SSVC “Coordinator” tree. For organizations whose mission spaces do not align with CISA’s decision tree, the SEI whitepaper Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0) details other decision tree models that may better align to their mission space.
For CISA SSVC questions, email firstname.lastname@example.org and include "SSVC" in the subject line.
For general SSVC questions, contact SEI on GitHub. If unable to access the above GitHub site, use this contact form instead.