# Standards and References - SSVC Vulnerability Triage
## Primary Standards
### CISA SSVC Framework
- **Source**: Cybersecurity and Infrastructure Security Agency (CISA)
- **URL**: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
- **Version**: SSVC v2.0 (2022 revision by CISA with SEI)
- **Purpose**: Provides a decision-tree methodology for vulnerability prioritization based on five decision points specific to the stakeholder's context
### CERT/CC SSVC Original Research
- **Source**: Carnegie Mellon University Software Engineering Institute
- **URL**: https://certcc.github.io/SSVC/
- **Publication**: "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization" (2019)
- **Authors**: Jonathan Spring, Eric Hatleback, Allen Householder, Art Manion, Deana Shick
- **DOI**: https://doi.org/10.1184/R1/12124386
### CVSS v3.1 and v4.0
- **Source**: Forum of Incident Response and Security Teams (FIRST)
- **URL**: https://www.first.org/cvss/
- **CVSS v3.1 Specification**: https://www.first.org/cvss/v3.1/specification-document
- **CVSS v4.0 Specification**: https://www.first.org/cvss/v4.0/specification-document
- **Relevance**: SSVC complements CVSS by adding contextual decision points beyond base score severity
### EPSS - Exploit Prediction Scoring System
- **Source**: FIRST EPSS Special Interest Group
- **URL**: https://www.first.org/epss/
- **API Endpoint**: https://api.first.org/data/v1/epss
- **Model Documentation**: https://www.first.org/epss/model
- **Relevance**: EPSS probability scores inform the exploitation status decision point in SSVC
## Regulatory and Compliance Context
### CISA Binding Operational Directive 22-01
- **Title**: Reducing the Significant Risk of Known Exploited Vulnerabilities
- **URL**: https://www.cisa.gov/binding-operational-directive-22-01
- **Relevance**: Requires federal civilian agencies to remediate KEV-listed vulnerabilities by the due date CISA assigns to each entry; SSVC aligns remediation priorities with BOD 22-01 requirements
### NIST SP 800-40 Rev 4
- **Title**: Guide to Enterprise Patch Management Planning
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
- **Relevance**: Provides organizational context for patch management decisions that SSVC informs
### NIST Cybersecurity Framework (CSF) 2.0
- **Function**: IDENTIFY (ID.RA - Risk Assessment)
- **URL**: https://www.nist.gov/cyberframework
- **Relevance**: SSVC directly supports the risk assessment category for vulnerability prioritization
## Data Sources
### CISA Known Exploited Vulnerabilities (KEV) Catalog
- **URL**: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- **JSON Feed**: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- **Update Frequency**: Updated as new exploited vulnerabilities are confirmed
### National Vulnerability Database (NVD)
- **URL**: https://nvd.nist.gov/
- **API v2**: https://services.nvd.nist.gov/rest/json/cves/2.0
- **Relevance**: Provides CVSS scores and vulnerability details used in SSVC decision points
### MITRE CVE Program
- **URL**: https://cve.mitre.org/
- **CVE List**: https://www.cve.org/
- **Relevance**: CVE identifiers are the primary key for linking vulnerability data across SSVC decision points
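The Data Sources section above describes how the KEV catalog and EPSS feed the SSVC Exploitation decision point, with CVE IDs as the join key. The following is an added example written for this page, not code from CISA, SEI or FIRST: it joins constructed samples shaped like the public KEV JSON feed and the EPSS v1 API response, assigns the Exploitation value, and checks each KEV entry's due date against BOD 22-01. Assumptions: the payloads and CVE IDs are made up; a KEV listing is mapped to `active`; EPSS is not an SSVC decision point, so a high score only raises an analyst-review flag (the `EPSS_REVIEW_THRESHOLD` value is an assumed local policy, not a number from SSVC or FIRST); `TODAY` is fixed so the due-date check is reproducible.

```python
"""Added example: join KEV and EPSS data to fill the SSVC Exploitation decision point.

Not part of the original reference list. The sample payloads below are constructed
and only mirror the field names of the public KEV feed and EPSS API; the review
threshold and the fixed 'today' are assumptions for this example.
"""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (placeholder CVE IDs).
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2024-01-10",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "OtherProduct", "dateAdded": "2024-03-25",
         "dueDate": "2024-04-15", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed sample in the shape of an EPSS API response (scores are made up).
EPSS_RESPONSE_JSON = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0",
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.97", "percentile": "0.999", "date": "2024-04-01"},
        {"cve": "CVE-0000-0003", "epss": "0.72", "percentile": "0.980", "date": "2024-04-01"},
        {"cve": "CVE-0000-0004", "epss": "0.004", "percentile": "0.350", "date": "2024-04-01"},
    ],
})

EPSS_REVIEW_THRESHOLD = 0.5   # assumed local policy value, not an SSVC or FIRST constant
TODAY = date(2024, 4, 1)      # fixed so the BOD 22-01 due-date check is deterministic


def load_kev(feed_json: str) -> dict:
    """Index KEV entries by CVE ID (the join key across all sources on this page)."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def load_epss(response_json: str) -> dict:
    """Index EPSS probabilities by CVE ID; the API serialises them as strings."""
    resp = json.loads(response_json)
    return {row["cve"]: float(row["epss"]) for row in resp["data"]}


def exploitation_decision(cve_id: str, kev: dict, epss: dict, today: date = TODAY) -> dict:
    """Derive the SSVC Exploitation value for one CVE from KEV and EPSS evidence.

    KEV listing -> "active" (confirmed exploitation). Anything else -> "none",
    because EPSS is a probability, not evidence of a public PoC or active use;
    a high EPSS only flags the CVE for analyst review.
    """
    entry = kev.get(cve_id)
    score = epss.get(cve_id)
    result = {
        "cve": cve_id,
        "exploitation": "none",
        "evidence": [],
        "kev_due_date": None,
        "bod_22_01_overdue": None,
        "ransomware_use": None,
        "epss": score,
        "analyst_review": False,
    }
    if entry is not None:
        due = date.fromisoformat(entry["dueDate"])
        result["exploitation"] = "active"
        result["evidence"].append(f"listed in CISA KEV (added {entry['dateAdded']})")
        result["kev_due_date"] = entry["dueDate"]
        result["bod_22_01_overdue"] = today > due
        result["ransomware_use"] = entry.get("knownRansomwareCampaignUse")
    elif score is not None and score >= EPSS_REVIEW_THRESHOLD:
        result["analyst_review"] = True
        result["evidence"].append(f"EPSS {score:.3f} above review threshold {EPSS_REVIEW_THRESHOLD}")
    return result


def triage(cve_ids, kev_json=KEV_FEED_JSON, epss_json=EPSS_RESPONSE_JSON) -> list:
    """Run the Exploitation decision for a batch of CVE IDs."""
    kev, epss = load_kev(kev_json), load_epss(epss_json)
    return [exploitation_decision(c, kev, epss) for c in cve_ids]


if __name__ == "__main__":
    for row in triage(["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]):
        print(json.dumps(row))
```

The remaining SSVC decision points (technical impact, automatable, mission prevalence, public well-being) need organisational context that no public feed supplies, so the example stops at Exploitation and leaves those inputs to the analyst.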