New CISA guidance seeks to assist in vulnerability patching prioritization

New Stakeholder-Specific Vulnerability Categorization guidance has been unveiled by the Cybersecurity and Infrastructure Security Agency in an effort to bolster the prioritization of flaw patching, according to SecurityWeek. CISA's SSVC offers a decision tree model, which facilitates the classification of flaws into four categories Track, Track*, Attend, and Act with the categories based on the exploitation status, technical effect, mission-essential function impact, and potential system compromise impact. Such guidance should be used alongside the Known Exploited Vulnerabilities Catalog, Vulnerability Exploitability eXchange, Common Security Advisory Framework, and machine-readable security advisories, said CISA. "Context matters (a lot), and SSVC has done incredible work enumerating all the factors that should be involved in determining how to deal with vulnerabilities in any given setting. CISA's work in extending that should prove to be valuable in boiling up some of the more pertinent details to allow organizations to more easily digest and implement vulnerability management policies and procedures that reflect the goals of the SSVC framework," said NetRise Director of Field Engineering Derek McCarthy.