CISA Recommends the Decision Tree Methodology for Evaluating and Remediating Software Vulnerabilities

CISA has released a decision tree methodology that healthcare companies can adopt to help them create a competent and efficient vulnerability management program.

Why is an Effective Patch Management Program Important?

With regard to vulnerability management, the rule of thumb is to patch immediately. As soon as software updates and patches are available, they should be applied to stop bad actors from taking advantage of the vulnerabilities. However, immediately patching all vulnerabilities can be difficult because of the staggering number of patches and software updates being released, and because vulnerabilities are not all the same. A few are far more likely to be exploited than others, and the effect of successful exploitation can differ substantially. IT teams must prioritize patching and handle the critical and actively exploited vulnerabilities first.

Healthcare companies with mature vulnerability management programs tend to have effective processes for vulnerability control. They determine the severity of every vulnerability, the effect of exploitation, and whether the vulnerability is actively exploited or a proof-of-concept (PoC) exploit is available in the public domain, and from that establish the probability of the vulnerability being exploited. After evaluating every vulnerability, they can then properly prioritize patching. Small healthcare companies may have trouble evaluating and prioritizing patching, and the consequences of getting it wrong can be serious: essential updates may be overlooked, which invites attackers.

What is the Decision Tree Method for Evaluating and Remediating Software Vulnerabilities?

The Cybersecurity and Infrastructure Security Agency (CISA) released guidance to assist companies in prioritizing patching and described a Stakeholder-Specific Vulnerability Categorization (SSVC) vulnerability management methodology they can use to make sure vulnerabilities are correctly evaluated, enabling the prioritization of remediation efforts.

CISA Executive Assistant Director (EAD) Eric Goldstein discussed the following three key steps required to enhance the vulnerability management ecosystem:

1) To use automation in vulnerability management.

2) To make it simpler for companies to know whether a given product is affected by a vulnerability, through widespread use of the Vulnerability Exploitability eXchange (VEX).

3) To help companies prioritize vulnerability management resources more efficiently by using SSVC, which includes prioritizing vulnerabilities according to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

CISA and the Software Engineering Institute (SEI) at Carnegie Mellon University developed the SSVC system. CISA developed its own customized version of the SSVC for evaluating and managing vulnerabilities that impact government and critical infrastructure companies.

Companies can use the SSVC to evaluate vulnerabilities according to five values:

  • Exploitation status (is it presently being exploited)
  • Technical impact (how critical is the vulnerability)
  • If the vulnerability is automatable
  • Mission frequency
  • Effect on public well-being

Vulnerabilities could then be classified into one of four groups:

  • Track – No immediate action is needed; however, the vulnerability must be monitored and re-evaluated when more information is available, and remediated within regular update time frames.
  • Track* – No immediate action is needed, but the vulnerability has characteristics that require closer tracking for changes. Remediation must be done within regular update time frames.
  • Attend – The vulnerability demands attention from the company’s internal, supervisory-level personnel. Required actions include requesting support or advice about the vulnerability and possibly publishing a notification internally and/or externally. The vulnerability must be remediated sooner than regular update time frames.
  • Act – The company’s internal, supervisory-level and leadership-level personnel must look into the vulnerability. Required actions include requesting support or details concerning the vulnerability and publishing a notification internally and/or externally. Internal groups meet to determine the overall response, then carry out the agreed-upon steps and remediate the vulnerability immediately.
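To show how the five decision points and four outcomes above fit together in practice, the following Python example implements an SSVC-style decision tree with a patch-queue ordering and a KEV cross-check. This is an added illustration, not CISA's or SEI's code; the branch-to-outcome rules, the merging of mission prevalence and public well-being into one "mission & well-being" value, the KEV entries and the vulnerability IDs are all constructed assumptions for demonstration, so CISA's published decision table should be used for real assessments.

```python
"""Illustrative SSVC-style decision tree (added example). The branch-to-outcome
rules below are an assumption for demonstration, not CISA's published table."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Exploitation(Enum):        # evidence of exploitation
    NONE = "none"
    POC = "poc"                  # public proof-of-concept exists
    ACTIVE = "active"            # reported as exploited in the wild


class TechnicalImpact(Enum):
    PARTIAL = "partial"
    TOTAL = "total"              # total control of the affected component


class MissionWellBeing(Enum):    # assumed merge of mission prevalence + public well-being
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


class Outcome(Enum):
    TRACK = "Track"
    TRACK_STAR = "Track*"
    ATTEND = "Attend"
    ACT = "Act"


# Ordering used when sorting the patch queue (most urgent first).
URGENCY = {Outcome.ACT: 0, Outcome.ATTEND: 1, Outcome.TRACK_STAR: 2, Outcome.TRACK: 3}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    exploitation: Exploitation
    automatable: bool
    technical_impact: TechnicalImpact
    mission_well_being: MissionWellBeing


# Constructed placeholder KEV list; the real catalog is published by CISA.
KEV_CATALOG = {"EXAMPLE-VULN-2"}


def effective_exploitation(v: Vulnerability, kev: set[str]) -> Exploitation:
    """A KEV listing is evidence of active exploitation and overrides weaker evidence."""
    if v.vuln_id in kev:
        return Exploitation.ACTIVE
    return v.exploitation


def decide(v: Vulnerability, kev: set[str] = frozenset()) -> Outcome:
    """Walk the decision points in order: exploitation, automatable, technical
    impact, mission & well-being. The mapping to outcomes is illustrative only."""
    expl = effective_exploitation(v, kev)
    total = v.technical_impact is TechnicalImpact.TOTAL
    mwb = v.mission_well_being

    if expl is Exploitation.ACTIVE:
        if mwb is MissionWellBeing.HIGH or (v.automatable and total):
            return Outcome.ACT
        return Outcome.ATTEND

    if expl is Exploitation.POC:
        if v.automatable and total and mwb is MissionWellBeing.HIGH:
            return Outcome.ATTEND
        if v.automatable or total or mwb is not MissionWellBeing.LOW:
            return Outcome.TRACK_STAR
        return Outcome.TRACK

    # No evidence of exploitation: only the worst-case combination gets closer tracking.
    if v.automatable and total and mwb is MissionWellBeing.HIGH:
        return Outcome.TRACK_STAR
    return Outcome.TRACK


def prioritize(vulns: list[Vulnerability], kev: set[str] = frozenset()) -> list[tuple[str, str]]:
    """Return (vuln_id, outcome name) pairs, most urgent first, for a patch queue."""
    scored = [(v.vuln_id, decide(v, kev)) for v in vulns]
    scored.sort(key=lambda item: (URGENCY[item[1]], item[0]))
    return [(vid, out.value) for vid, out in scored]


# Constructed sample findings; the IDs are placeholders, not real CVE numbers.
SAMPLE = [
    Vulnerability("EXAMPLE-VULN-1", Exploitation.NONE, False, TechnicalImpact.PARTIAL, MissionWellBeing.LOW),
    Vulnerability("EXAMPLE-VULN-2", Exploitation.POC, True, TechnicalImpact.TOTAL, MissionWellBeing.MEDIUM),
    Vulnerability("EXAMPLE-VULN-3", Exploitation.ACTIVE, True, TechnicalImpact.TOTAL, MissionWellBeing.HIGH),
    Vulnerability("EXAMPLE-VULN-4", Exploitation.POC, False, TechnicalImpact.PARTIAL, MissionWellBeing.LOW),
]

if __name__ == "__main__":
    for vid, outcome in prioritize(SAMPLE, KEV_CATALOG):
        print(f"{vid}: {outcome}")
```

The point of the KEV cross-check is visible in the second sample finding: on its own evidence it would land in Track*, but because it appears in the (constructed) KEV list its exploitation status is raised to active and it moves to the front of the queue as Act, which is exactly the prioritization effect CISA describes for using SSVC together with the KEV catalog.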

CISA suggests using the SSVC together with the Vulnerability Exploitability eXchange (VEX), the Common Security Advisory Framework (CSAF), and the Known Exploited Vulnerabilities (KEV) Catalog. If these are all employed together, the exploitation of networks by cyber threat actors will be considerably reduced.

Read the SSVC and the guide on its usage here.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism.