Opus CISA SSVC

Overview

The SSVC (Stakeholder-Specific Vulnerability Categorization) feature in Opus Security helps organizations prioritize vulnerability remediation based on CISA's SSVC framework. This data-driven approach considers multiple factors to provide clear, actionable decisions about vulnerability prioritization.

Benefits

  • Automated vulnerability prioritization based on multiple contextual factors
  • Clear, action-oriented decisions (Act, Attend, Track*, Track)
  • Risk-aware prioritization considering business impact and technical factors
  • Reduced Mean Time To Remediate (MTTR) through focused efforts
  • Alignment with CISA's recommended vulnerability management practices

How SSVC Works

The SSVC feature analyzes vulnerabilities across four key dimensions:

Exploitation Status

Assesses whether the vulnerability is actively being exploited or has the potential to be exploited in the wild.

  • None: No evidence of active exploitation or public proof of concept
  • POC: Public proof of concept exists or well-known exploitation method
  • Active: Confirmed exploitation in the wild

Automatable

Evaluates the likelihood of the vulnerability being exploited through automated tools, increasing the risk of widespread impact.

  • Yes: Exploitation can be reliably automated (steps 1-4 of kill chain)
  • No: Exploitation cannot be reliably automated

Technical Impact

Measures the potential harm or disruption a successful exploitation could cause to the affected system or organization.

  • Total: Vulnerability enables total control or complete information disclosure
  • Partial: Limited control or information exposure

Mission & Well-Being Impact

Combines two factors:

Mission Prevalence

The extent to which a disruption impacts Mission Essential Functions across relevant entities, affecting their ability to accomplish core organizational objectives during crises or operational interruptions.

  1. Minimal: Component is present but not critical; neither supports nor is essential to Mission Essential Functions
  2. Support: Component plays a supportive role for MEFs across multiple entities, enhancing their effectiveness without being directly essential
  3. Essential: Component is integral to at least one entity's MEF; its failure could potentially compromise the overall mission

Public Well-Being Impact

The extent to which a system compromise affects the physical, social, emotional, and psychological health of individuals and communities, as defined by the CDC's comprehensive well-being framework.

  1. Minimal: Effects are negligible across all aspects, falling below thresholds for material harm. No significant physical, environmental, financial, or psychological consequences are observed.
  2. Material: Substantial but not catastrophic effects on physical, environmental, financial, or psychological well-being, such as user injuries, occupational hazards, property damage, potential bankruptcies, or widespread emotional distress requiring professional intervention
  3. Irreversible: Severe, potentially unrecoverable consequences, including multiple fatalities, destruction of cyber-physical systems, immediate public health threats, ecosystem collapse, or destabilization of social systems like elections or financial grids

SSVC Decisions

Based on these factors, SSVC provides one of four decisions:

  • Act: Requires leadership involvement, coordination, and swift action; remediate immediately.
  • Attend: Requires supervisory attention and possible notifications; remediate faster than standard updates.
  • Track*: Monitor closely for changes; remediate during standard updates.
  • Track: No immediate action needed; monitor and remediate during standard updates.

How SSVC Values Are Determined in Opus

| Factor | Value | Determination Criteria |
| --- | --- | --- |
| Exploitation Status | None | No exploits indicator or Is Discussed indication exists |
| | POC | Proof of Concept indication exists |
| | Active | Exploited In the Wild indication exists |
| Automatable | Yes | CVSS Vector shows Network Execution Vector (AV:N) AND No User Interaction required (UI:N), or Penetration Testing Framework indication exists |
| | No | CVSS Vector shows Local Execution Vector (NOT AV:N), or CVSS Vector shows User Interaction required (NOT UI:N) |
| Technical Impact | Total | CVSS Vector shows both high confidentiality and integrity impact (C:H AND I:H) |
| | Partial | CVSS Vector shows non-high confidentiality impact (NOT C:H), or CVSS Vector shows non-high integrity impact (NOT I:H) |
| Mission Prevalence | Minimal | Development or Testing environment |
| | Support | Staging, Mixed, or Code Environment |
| | Essential | Production Environment |
| Public Well-Being Impact | Minimal | Low Business Impact or Medium Business Impact |
| | Material | High Business Impact |
| | Irreversible | Critical Infrastructure |

Mission & Well-Being value calculation:

| Factor | Value | Determination Criteria |
| --- | --- | --- |
| Mission and Well-Being Impact | Low | Public Well-Being Impact is Minimal AND Mission Prevalence is Minimal |
| | Medium | Public Well-Being Impact is Minimal AND Mission Prevalence is Support; OR Public Well-Being Impact is Material AND Mission Prevalence is Minimal or Support |
| | High | Public Well-Being Impact is Minimal AND Mission Prevalence is Essential; OR Public Well-Being Impact is Material AND Mission Prevalence is Essential; OR Public Well-Being Impact is Irreversible AND Mission Prevalence is Minimal, Support, or Essential |
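
The determination rules from the two tables above, applied to a single finding. This is an added example, not Opus code: the function names, the indicator, environment and business-impact labels, the precedence between indicators, and the choice to reject an incomplete vector are assumptions, and a CVSS v3.x vector string is assumed.

```python
# Added example; names and input labels are hypothetical, rules follow the tables above.
MISSION_PREVALENCE = {"development": "Minimal", "testing": "Minimal", "staging": "Support",
                      "mixed": "Support", "code": "Support", "production": "Essential"}
WELL_BEING = {"low": "Minimal", "medium": "Minimal", "high": "Material",
              "critical_infrastructure": "Irreversible"}


def parse_cvss(vector):
    """Split a CVSS v3.x vector string into a {metric: value} dict."""
    metrics = dict(p.split(":", 1) for p in vector.split("/") if ":" in p)
    missing = {"AV", "UI", "C", "I"} - set(metrics)
    if missing:
        # The page does not say which defaults Opus applies, so fail loudly instead.
        raise ValueError(f"CVSS vector lacks metrics: {sorted(missing)}")
    return metrics


def mission_and_well_being(prevalence, well_being):
    """Combine the two factors as in the Mission & Well-Being table."""
    if well_being == "Irreversible" or prevalence == "Essential":
        return "High"
    if well_being == "Material" or prevalence == "Support":
        return "Medium"
    return "Low"


def ssvc_inputs(vector, indicators, environment, business_impact):
    """Derive the four SSVC decision inputs for one finding."""
    m = parse_cvss(vector)
    # Assumption: when several indicators are present, the strongest one wins.
    if "exploited_in_the_wild" in indicators:
        exploitation = "Active"
    elif "proof_of_concept" in indicators:
        exploitation = "POC"
    else:
        exploitation = "None"
    remote_no_click = m["AV"] == "N" and m["UI"] == "N"
    automatable = "Yes" if remote_no_click or "pentest_framework" in indicators else "No"
    technical = "Total" if m["C"] == "H" and m["I"] == "H" else "Partial"
    return {"exploitation": exploitation, "automatable": automatable,
            "technical_impact": technical,
            "mission_and_well_being": mission_and_well_being(
                MISSION_PREVALENCE[environment], WELL_BEING[business_impact])}


# Constructed sample finding: network-reachable, no user interaction, public PoC, production.
SAMPLE = ssvc_inputs("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
                     {"proof_of_concept"}, "production", "medium")
```

The sample shows why environment context matters: integrity impact is only Low, so Technical Impact is Partial, yet the production placement alone raises Mission & Well-Being to High.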

Using SSVC in Opus

Viewing SSVC Decisions

  1. Navigate to the Risk View
  2. Click on any vulnerability to see a detailed analysis
  3. If an SSVC recommendation is available, it will appear in the risk score breakdown modal
  4. Each Factor displays its corresponding value directly beneath the factor name. For detailed context about a factor's value, hover your cursor over the associated information icon, which will reveal an explanatory tooltip.
  5. To access detailed explanations for each decision factor without referencing the full documentation, click on the SSVC Decision Points located in the bottom right of the recommendation section.

Filtering by SSVC

  1. Use the filter options in Risk View
  2. Filter by:
  • Intelligence -> SSVC Decision (Act, Attend, Track*, Track)
  • Intelligence -> Risk Level (Minimal, Material, Irreversible)

Best Practices

  1. Prioritize "Act" Decisions: These vulnerabilities require immediate attention
  2. Monitor "Attend" Items: Create regular review cycles for these vulnerabilities
  3. Review Track* Items: Set up monitoring for potential status changes
  4. Use Automation Rules: Leverage automation rules based on SSVC Decision and Risk Level filters
  5. Regular Assessment: Review SSVC distributions regularly to track remediation progress

FAQ

Q: How often is SSVC data updated?
A: SSVC calculations are performed automatically during regular data refreshes and scans.

Q: Can I customize SSVC parameters?
A: Currently no, SSVC mapping is strict. We are planning to add a mapping customization feature in the future.

Q: How does SSVC relate to CVSS scores?
A: While CVSS focuses on technical severity, SSVC provides context-aware decisions considering business impact and exploitation status.

Q: What if some SSVC inputs are missing?
A: The system uses conservative default values when inputs are unavailable to ensure security.


CISA Official Documentation

For official CISA SSVC documentation and guidelines, please check the following link: CISA SSVC Official Documentation