"CISA Issues Vulnerability-Management Tools Dependent on Industry Action"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has released a set of documents to help agencies and other organizations prioritize software vulnerability remediation. However, the use of the guidance is largely dependent on vendors providing the information required to carry out such a process.

CISA Executive Assistant Director Eric Goldstein encourages businesses to use "Stakeholder-Specific Vulnerability Categorization (SSVC)," a process first articulated by CISA in collaboration with the Software Engineering Institute at Carnegie Mellon University (CMU), to determine which system bugs should be addressed first. Under a May 2021 executive order on improving national cybersecurity, agencies are under a Binding Operational Directive (BOD) to receive and address vulnerability reports from security researchers within specific timelines, and they are deciding what evidence they might require from software vendors attesting to secure development practices. CISA used the SSVC methodology to create its catalog of hundreds of known exploitable vulnerabilities, which agencies are also required to reference when applying a framework for addressing weaknesses they already know exist in their enterprises, according to Goldstein. However, not all software flaws are widely known or recorded as a Common Vulnerabilities and Exposures (CVE) entry.

In Goldstein's vision for improving vulnerability management practices, the SSVC prioritization methodology is the third step in a three-step process. First, greater automation in vulnerability management is required, including expanding the use of the Common Security Advisory Framework (CSAF). Second, widespread use of the Vulnerability Exploitability Exchange (VEX) should make it easier for organizations to determine whether a given product is affected by a vulnerability.
This article continues to discuss CISA's release of documents aimed at guiding the prioritization of software vulnerability remediation by agencies and other organizations.
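The three-step pipeline described above (machine-readable advisory, VEX affectedness check, SSVC prioritization) is easier to reason about with a small working model. The following Python is an added example written for this summary; it is not CISA's, CMU's or NextGov's code, and its decision tree is a simplified, assumed approximation of SSVC's shape (exploitation first, then automatability, technical impact and mission/well-being) rather than a reproduction of CISA's published tree. The VEX document, the `x_`-prefixed vendor hints, the product names and the known-exploited catalog are all constructed placeholders.

```python
"""Toy vulnerability triage: read VEX product status, then apply an
SSVC-style decision tree to the vulnerabilities that actually affect us.

Everything here is illustrative. The decision tree is an ASSUMED
simplification of SSVC, not CISA's official tree, and the VEX document,
CVE ids and catalog are CONSTRUCTED placeholders."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


# ---- SSVC-style decision points (assumed simplification) ----
class Exploitation(Enum):
    NONE = "none"      # no public exploit known
    POC = "poc"        # proof of concept published
    ACTIVE = "active"  # exploitation observed, e.g. listed in a known-exploited catalog


class Impact(Enum):
    PARTIAL = "partial"
    TOTAL = "total"


class Mission(Enum):      # deployer's own context, not something the vendor can supply
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


class Decision(Enum):
    TRACK = "Track"
    TRACK_STAR = "Track*"
    ATTEND = "Attend"
    ACT = "Act"


RANK = {Decision.ACT: 3, Decision.ATTEND: 2, Decision.TRACK_STAR: 1, Decision.TRACK: 0}


@dataclass(frozen=True)
class DecisionPoints:
    exploitation: Exploitation
    automatable: bool
    technical_impact: Impact
    mission_wellbeing: Mission


def ssvc_decision(dp: DecisionPoints) -> Decision:
    """Illustrative tree: active exploitation dominates, then PoC availability,
    with automatability / impact / mission deciding how urgent the rest is.
    The exact outcomes are an assumption for this example."""
    if dp.exploitation is Exploitation.ACTIVE:
        if dp.technical_impact is Impact.TOTAL or dp.mission_wellbeing is Mission.HIGH:
            return Decision.ACT
        return Decision.ATTEND
    if dp.exploitation is Exploitation.POC:
        if dp.automatable and dp.mission_wellbeing is Mission.HIGH:
            return Decision.ATTEND
        if dp.automatable or dp.mission_wellbeing is not Mission.LOW:
            return Decision.TRACK_STAR
        return Decision.TRACK
    # No known exploitation: only the worst combination is worth extra watching.
    if dp.automatable and dp.technical_impact is Impact.TOTAL and dp.mission_wellbeing is Mission.HIGH:
        return Decision.TRACK_STAR
    return Decision.TRACK


# ---- Constructed VEX-like document (CSAF product_status keys, placeholder ids) ----
# The "x_*" keys are hypothetical vendor hints that a real advisory would carry
# in its own fields; they are not part of the CSAF schema.
VEX_DOC = {
    "document": {"title": "Constructed VEX example"},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001", "product_status": {"known_affected": ["ACME-APP-1.0"]},
         "x_exploitation": "poc", "x_automatable": True, "x_technical_impact": "partial"},
        {"cve": "CVE-0000-0002", "product_status": {"known_not_affected": ["ACME-APP-1.0"]}},
        {"cve": "CVE-0000-0003", "product_status": {"known_affected": ["ACME-APP-1.0"],
                                                    "fixed": ["ACME-APP-1.1"]},
         "x_technical_impact": "total"},
        {"cve": "CVE-0000-0004", "product_status": {"under_investigation": ["ACME-APP-1.0"]}},
    ],
}

# Constructed stand-in for a known-exploited-vulnerabilities catalog.
KEV_CATALOG = {"CVE-0000-0003"}

# Order matters: a product listed as fixed outranks an older "known_affected" entry.
STATUS_KEYS = ("fixed", "known_not_affected", "known_affected", "under_investigation")


def vex_status(vuln: dict, product: str) -> Optional[str]:
    """VEX status of `product` for one vulnerability, or None if not mentioned."""
    ps = vuln.get("product_status", {})
    for key in STATUS_KEYS:
        if product in ps.get(key, []):
            return key
    return None


@dataclass(frozen=True)
class TriageResult:
    cve: str
    status: Optional[str]
    decision: Optional[Decision]   # None when no SSVC decision is needed


def triage(vex_doc: dict, product: str, mission: Mission) -> list:
    """Step 2 (VEX) filters; step 3 (SSVC) prioritizes what survives the filter.
    'under_investigation' is treated conservatively as potentially affected."""
    results = []
    for vuln in vex_doc["vulnerabilities"]:
        status = vex_status(vuln, product)
        if status not in ("known_affected", "under_investigation"):
            results.append(TriageResult(vuln["cve"], status, None))
            continue
        # Catalog membership overrides any vendor exploitation hint.
        if vuln["cve"] in KEV_CATALOG:
            expl = Exploitation.ACTIVE
        else:
            expl = Exploitation(vuln.get("x_exploitation", "none"))
        dp = DecisionPoints(expl, bool(vuln.get("x_automatable", False)),
                            Impact(vuln.get("x_technical_impact", "partial")), mission)
        results.append(TriageResult(vuln["cve"], status, ssvc_decision(dp)))
    return results


def prioritize(results: list) -> list:
    """Most urgent first; vulnerabilities with no decision sink to the bottom."""
    return sorted(results, key=lambda r: -1 if r.decision is None else RANK[r.decision], reverse=True)


if __name__ == "__main__":
    for r in prioritize(triage(VEX_DOC, "ACME-APP-1.0", Mission.HIGH)):
        print(r.cve, r.status, r.decision.value if r.decision else "-")
```

Note where the inputs come from: the VEX status and the exploitation, automatability and impact hints are vendor-side data, while the mission/well-being value is the deployer's own; that split is exactly why the guidance is only as useful as the advisory data vendors publish.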

NextGov reports "CISA Issues Vulnerability-Management Tools Dependent on Industry Action"
