The Cybersecurity and Infrastructure Security Agency is working with government and private sector entities to advance and automate vulnerability management in all kinds of U.S. organizations, said Eric Goldstein, CISA’s executive assistant director for cybersecurity.
In a blog post published Monday, Goldstein cited the Common Security Advisory Framework (CSAF), the Vulnerability Exploitability eXchange (VEX) advisory format and the Stakeholder-Specific Vulnerability Categorization (SSVC) system as elements of the agency's strategy for improving defenses against software and hardware weaknesses.
Goldstein recommended expanded use of CSAF, a standard for publishing security advisories in a machine-readable form. He said the framework will both automate and significantly shorten the work of understanding the impact of a newly identified vulnerability, formulating remediation and communicating the flaw to end users.
VEX, another form of security advisory, lets a vendor state whether a specific product is affected by a given vulnerability, and, when it is not, why. Goldstein suggested that vendors can streamline downstream vulnerability investigations by issuing VEX advisories, so that organizations can see at once whether a flaw applies to the products they run instead of investigating it themselves.
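The point of the two paragraphs above is that a CSAF advisory, and a VEX advisory in particular, can be consumed by a program rather than read by a person. The following is an added example of that, not code from CISA, OASIS or any vendor: it loads a CSAF 2.0 VEX document, looks up one product's status for each listed CVE, returns the justification behind a "not affected" claim, and flags the contradiction CSAF forbids (one product listed under two statuses for the same CVE). The advisory it reads is constructed inline for illustration; the vendor, product names, product IDs and CVE IDs are placeholders and describe no real advisory. The field names (`document.category`, `product_tree.full_product_names`, `vulnerabilities[].product_status`, `vulnerabilities[].flags`) are those of the CSAF 2.0 schema.

```python
"""Read a CSAF 2.0 VEX document and answer "is my product affected?".

Added example, not CISA's, OASIS's or any vendor's code. The advisory below
is constructed for illustration: the vendor, product names, product IDs and
CVE IDs are placeholders and describe no real advisory.
"""
import json

# The four product_status categories a VEX consumer acts on. CSAF requires a
# product to appear in at most one of them for a given vulnerability.
STATUS_KEYS = ("known_affected", "known_not_affected", "fixed", "under_investigation")

# Constructed sample advisory, serialized as a file on disk would be.
SAMPLE_VEX = json.dumps({
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "title": "Constructed VEX for ExampleApp",
        "publisher": {"category": "vendor", "name": "Example Corp",
                      "namespace": "https://example.invalid"},
        "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
                     "initial_release_date": "2000-01-01T00:00:00Z",
                     "current_release_date": "2000-01-01T00:00:00Z",
                     "revision_history": [{"number": "1", "date": "2000-01-01T00:00:00Z",
                                           "summary": "Initial"}]},
    },
    "product_tree": {
        "full_product_names": [
            {"product_id": "CSAFPID-0001", "name": "ExampleApp 1.0"},
            {"product_id": "CSAFPID-0002", "name": "ExampleApp 1.1"},
            {"product_id": "CSAFPID-0003", "name": "ExampleApp 2.0"},
        ]
    },
    "vulnerabilities": [
        {   # placeholder CVE ID, not a real vulnerability
            "cve": "CVE-0000-0001",
            "product_status": {
                "known_affected": ["CSAFPID-0001"],
                "fixed": ["CSAFPID-0002"],
                "known_not_affected": ["CSAFPID-0003"],
            },
            # machine-readable justification backing the not-affected claim
            "flags": [{"label": "vulnerable_code_not_present",
                       "product_ids": ["CSAFPID-0003"]}],
        },
        {   # vendor has not finished its analysis for any version yet
            "cve": "CVE-0000-0002",
            "product_status": {"under_investigation":
                               ["CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003"]},
        },
    ],
})


def load_vex(text):
    """Parse CSAF JSON and reject anything that is not a VEX profile document."""
    doc = json.loads(text)
    if doc.get("document", {}).get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    return doc


def product_id_for(doc, product_name):
    """Map a human-readable product name to its CSAF product_id."""
    for entry in doc.get("product_tree", {}).get("full_product_names", []):
        if entry["name"] == product_name:
            return entry["product_id"]
    raise KeyError(product_name)


def status_for(doc, product_name):
    """Return {cve: (status, justification)} for one product.

    justification is the flag label behind a known_not_affected claim, else None.
    Raises ValueError if the product is listed under two contradictory statuses
    for the same CVE, which CSAF forbids.
    """
    pid = product_id_for(doc, product_name)
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        ps = vuln.get("product_status", {})
        hits = [k for k in STATUS_KEYS if pid in ps.get(k, [])]
        if not hits:
            continue  # advisory says nothing about this product for this CVE
        if len(hits) > 1:
            raise ValueError(f"{vuln.get('cve')}: {pid} listed as {hits}")
        justification = None
        if hits[0] == "known_not_affected":
            labels = [f["label"] for f in vuln.get("flags", [])
                      if pid in f.get("product_ids", [])]
            justification = labels[0] if labels else None
        result[vuln["cve"]] = (hits[0], justification)
    return result


def needs_action(doc, product_name):
    """CVEs that still need the deployer's attention: affected or not yet analysed."""
    return sorted(cve for cve, (status, _) in status_for(doc, product_name).items()
                  if status in ("known_affected", "under_investigation"))


if __name__ == "__main__":
    vex = load_vex(SAMPLE_VEX)
    for name in ("ExampleApp 1.0", "ExampleApp 1.1", "ExampleApp 2.0"):
        print(name, status_for(vex, name), "-> action on:", needs_action(vex, name))
```

Note that `under_investigation` is deliberately treated as needing action: a VEX statement only removes a vulnerability from a deployer's queue when the vendor has positively asserted `known_not_affected` or `fixed`, and a consumer that silently drops anything not marked affected would miss flaws the vendor has not analysed yet.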
CISA is encouraging organizations to use SSVC as a guide for deciding how urgently to respond to a known flaw and carry out its remediation. The agency created an SSVC webpage containing a decision tree, published a guide and set up a calculator to assist institutions with prioritization.