2023 Year in Review

CISA Adapts Innovative SEI Approach to Transform Vulnerability Management Landscape

Most organizations struggle to prioritize responses to the tens of thousands of cyber vulnerabilities discovered each year. In a recent push to transform the vulnerability management landscape, the Cybersecurity and Infrastructure Security Agency (CISA) adapted and promoted the SEI’s Stakeholder Specific Vulnerability Categorization (SSVC) approach.

The SEI applied nearly four decades of experience researching vulnerability response when it developed SSVC in 2019. This conceptual tool for prioritizing vulnerabilities emphasizes stakeholder perspectives, which are often missing from vulnerability data. Using SSVC, vulnerability analysts gather human input to incorporate an organization’s particular attributes and values rather than rely on stakeholder-agnostic indicators such as the long-standing Common Vulnerability Scoring System (CVSS) base score.

SSVC captures risk owners’ perspectives on vulnerabilities before analysts address them, enabling analysts to process more vulnerabilities, a benefit that drew CISA’s attention in 2020. The SEI and CISA developed a custom SSVC decision tree to help CISA better support its U.S. federal civilian executive branch; state, local, tribal, and territorial governments; and critical infrastructure stakeholders. These organizations can also use SSVC themselves to efficiently decide the best responses that align with stakeholder values and justify decisions that affect other government bodies.

In CISA’s SSVC decision tree, an organization leverages external vulnerability data and knowledge of its own environment to evaluate a series of decision points about a given vulnerability: exploitation status, technical impact, automatability, mission prevalence, and impact on public well-being. The answers lead to a vulnerability prioritization recommendation—track, closely monitor, attend to, or act on—that considers the organization’s risk appetite and other attributes.
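The decision tree described above is a function from the five decision-point values to one of four outcomes, and an organization that customizes it should be able to check its own tree before adopting it. The following is an added example, not SEI or CISA code: the decision points and outcomes are the ones the article names, but the value sets, the fold of mission prevalence and public well-being into a single level, and the branches in `decide()` are a constructed, illustrative policy for a hypothetical organization (the real mapping is in CISA's published SSVC guide and calculator). `check_policy()` runs two checks a custom tree should pass: completeness (every combination of answers yields an outcome) and monotonicity (making any single answer worse never lowers the recommendation).

```python
"""SSVC-style decision tree plus the checks a custom tree should pass.

Added example, not SEI or CISA code. Decision points and outcomes are the
ones the article names; the value sets, mission_wellbeing() fold and the
branches in decide() are a constructed, illustrative policy.
"""
from enum import IntEnum
from itertools import product


# IntEnum: a higher value is a "worse" answer to that decision point,
# which is what the monotonicity check below relies on.
class Exploitation(IntEnum):
    NONE = 0       # no public exploit known
    POC = 1        # proof of concept published
    ACTIVE = 2     # exploitation observed in the wild


class Automatable(IntEnum):
    NO = 0
    YES = 1


class TechnicalImpact(IntEnum):
    PARTIAL = 0
    TOTAL = 1


class MissionPrevalence(IntEnum):
    MINIMAL = 0
    SUPPORT = 1
    ESSENTIAL = 2


class PublicWellBeing(IntEnum):
    MINIMAL = 0
    MATERIAL = 1
    IRREVERSIBLE = 2


class Outcome(IntEnum):
    TRACK = 0
    TRACK_CLOSELY = 1   # "closely monitor"
    ATTEND = 2
    ACT = 3


DECISION_POINTS = (Exploitation, Automatable, TechnicalImpact,
                   MissionPrevalence, PublicWellBeing)


def mission_wellbeing(m: MissionPrevalence, w: PublicWellBeing) -> int:
    """Fold the two stakeholder-side points into low/medium/high (0/1/2).
    Constructed rule: essential mission or irreversible public harm is high,
    minimal on both axes is low, anything else is medium."""
    if m == MissionPrevalence.ESSENTIAL or w == PublicWellBeing.IRREVERSIBLE:
        return 2
    if m == MissionPrevalence.MINIMAL and w == PublicWellBeing.MINIMAL:
        return 0
    return 1


def decide(e: Exploitation, a: Automatable, t: TechnicalImpact,
           m: MissionPrevalence, w: PublicWellBeing) -> Outcome:
    """Walk the constructed tree: exploitation status first, then whether the
    flaw is both automatable and total-impact, then mission/well-being."""
    severe = a == Automatable.YES and t == TechnicalImpact.TOTAL
    mwb = mission_wellbeing(m, w)
    # Each tuple below is one row of leaves, indexed by mission/well-being
    # level (low, medium, high) and then by the severe flag.
    if e == Exploitation.ACTIVE:
        rows = ((Outcome.TRACK_CLOSELY, Outcome.ATTEND),
                (Outcome.ATTEND, Outcome.ACT),
                (Outcome.ACT, Outcome.ACT))
    elif e == Exploitation.POC:
        rows = ((Outcome.TRACK, Outcome.TRACK_CLOSELY),
                (Outcome.TRACK_CLOSELY, Outcome.ATTEND),
                (Outcome.ATTEND, Outcome.ACT))
    else:
        rows = ((Outcome.TRACK, Outcome.TRACK),
                (Outcome.TRACK, Outcome.TRACK_CLOSELY),
                (Outcome.TRACK_CLOSELY, Outcome.ATTEND))
    return rows[mwb][int(severe)]


def check_policy(decide_fn=decide) -> list:
    """Completeness and monotonicity checks for a decision tree. Returns a
    list of human-readable violations; an empty list means the tree passed."""
    problems, outcomes = [], {}
    for combo in product(*DECISION_POINTS):
        try:
            outcomes[combo] = decide_fn(*combo)
        except Exception as exc:  # a branch the policy author forgot
            problems.append(f"no outcome for {[v.name for v in combo]}: {exc}")
    for combo, out in outcomes.items():
        for i, point in enumerate(DECISION_POINTS):
            for worse in point:
                if worse <= combo[i]:
                    continue
                neighbour = combo[:i] + (worse,) + combo[i + 1:]
                if neighbour in outcomes and outcomes[neighbour] < out:
                    problems.append(
                        f"{point.__name__} {combo[i].name}->{worse.name} lowers "
                        f"{out.name} to {outcomes[neighbour].name}")
    return problems


if __name__ == "__main__":
    # Constructed input: actively exploited and wormable, but in a system of
    # minimal mission prevalence with no public-safety consequence.
    print(decide(Exploitation.ACTIVE, Automatable.YES, TechnicalImpact.TOTAL,
                 MissionPrevalence.MINIMAL, PublicWellBeing.MINIMAL).name)
    print("policy problems:", check_policy() or "none")
```

The monotonicity check is the one that catches most hand-editing mistakes in a custom tree: a leaf that says "track" when its neighbour with a strictly worse answer says "act" is almost always a typo rather than a deliberate choice, and the check reports exactly which decision point and which two values disagree.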

“With these advances, we will make necessary progress in vulnerability management and reduce the window that our adversaries have to exploit American networks.”

Eric Goldstein
Executive Assistant Director for Cybersecurity, CISA, U.S. Department of Homeland Security

In November 2022, CISA announced three critical steps that organizations should implement to help them manage the number and complexity of cyber vulnerabilities. The use of SSVC, which CISA supported by releasing an SSVC web page, guide, and online calculator, was one of these three steps.

“With these advances,” wrote CISA’s executive assistant director for cybersecurity Eric Goldstein in a blog post about the campaign, “we will make necessary progress in vulnerability management and reduce the window that our adversaries have to exploit American networks.”

Learn more about the SEI’s version of SSVC at https://certcc.github.io/SSVC.


Photo: CISA