September 27, 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a set of documents to guide prioritization of software vulnerability remediation by agencies and other organizations. But use of the guidance is largely contingent on vendors providing the information necessary to conduct such a process.

In a blog post on “transforming the vulnerability management landscape,” CISA Executive Assistant Director Eric Goldstein encouraged enterprises to use “Stakeholder Specific Vulnerability Categorization”—a process first articulated by CISA with the Software Engineering Institute at Carnegie Mellon University—for deciding which system bugs they should fix first.


CISA used the SSVC methodology in coming up with its catalog of hundreds of known exploitable vulnerabilities, which agencies are also required under a different binding operational directive to reference when applying a framework for addressing weaknesses they already know are in their enterprises.

But not all software vulnerabilities are readily known—or logged as a common vulnerability and exposure, or CVE—in public databases. And in Goldstein’s vision for advancing vulnerability management practices, use of the SSVC prioritization methodology is third in a three-step process.

  1. Introduce greater automation into vulnerability management by expanding the Common Security Advisory Framework (CSAF). CSAF is a standard for machine-readable security advisories. CSAF provides a standardized format for ingesting vulnerability advisory information and simplifies triage and remediation processes for asset owners. By publishing security advisories using CSAF, vendors will dramatically reduce the time required for enterprises to understand the organizational impact and drive timely remediation.
  2. Make it easier for organizations to understand whether a vulnerability impacts a given product through the widespread adoption of Vulnerability Exploitability eXchange (VEX). VEX allows a vendor to assert whether specific vulnerabilities affect a product; a VEX advisory can also indicate that a product is not affected by a vulnerability. 
  3. Help organizations prioritize vulnerability management resources more effectively through Stakeholder Specific Vulnerability Categorization (SSVC), including prioritizing vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) catalog. 
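
How the three steps chain together for an asset owner, as an added example that is not from CISA or the original article: it reads a CSAF advisory, applies the vendor's VEX product status to a local inventory, and ranks what remains with KEV-listed CVEs first. The advisory, KEV excerpt, product IDs and CVE numbers are constructed placeholders, the inventory is assumed to use the advisory's product IDs already, and the final ordering is a simplification, not the SSVC decision tree.

```python
# Constructed sample data: vendor, product IDs and CVE numbers are placeholders.
CSAF_VEX = {
    "document": {"category": "csaf_vex", "title": "Example Vendor advisory"},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_affected": ["EX-GW-1.2"]}},
        {"cve": "CVE-0000-0002",
         "product_status": {"known_not_affected": ["EX-GW-1.2"],
                            "known_affected": ["EX-GW-1.0"]}},
        {"cve": "CVE-0000-0003",
         "product_status": {"under_investigation": ["EX-GW-1.2"]}},
        {"cve": "CVE-0000-0004",
         "product_status": {"known_affected": ["EX-GW-1.2"]}},
    ],
}
# Constructed excerpt shaped like the KEV catalog's JSON feed.
KEV_EXCERPT = {"vulnerabilities": [{"cveID": "CVE-0000-0004"},
                                   {"cveID": "CVE-0000-0003"}]}
INVENTORY = {"EX-GW-1.2"}  # hypothetical: product IDs deployed locally

# CSAF product_status lists that leave work for the asset owner. Lists such as
# known_not_affected and fixed are the VEX "no action" answers and are skipped.
ACTIONABLE = ("known_affected", "under_investigation")


def triage(csaf, kev, inventory):
    """Return [(cve, product, status, in_kev)] in remediation order."""
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    rows = []
    for vuln in csaf.get("vulnerabilities", []):
        cve = vuln.get("cve")
        status_map = vuln.get("product_status", {})
        for status in ACTIONABLE:
            for pid in status_map.get(status, []):
                if pid in inventory:  # only products actually deployed
                    rows.append((cve, pid, status, cve in kev_ids))
    # KEV-listed first, then confirmed-affected before under-investigation.
    rows.sort(key=lambda r: (not r[3], r[2] != "known_affected", r[0]))
    return rows


if __name__ == "__main__":
    for cve, pid, status, in_kev in triage(CSAF_VEX, KEV_EXCERPT, INVENTORY):
        print(f"{cve}  {pid}  {status:20} KEV={in_kev}")
```

CVE-0000-0002 drops out of the work queue entirely because the vendor's VEX statement marks the deployed version as not affected, which is the time saving the second step describes.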

CISA has said it is working through the General Services Administration’s Federal Risk and Authorization Management Program to get cloud services to do their part in fixing vulnerabilities, but that it is still the agency’s responsibility to communicate directly with vendors when bugs are identified in their systems.
