CERTCC / SSVC

Stakeholder-Specific Vulnerability Categorization
https://certcc.github.io/SSVC/

High Value Asset (HVA) designation as possible input/automation support #210

Closed zmanion closed 11 months ago

zmanion commented 1 year ago

Consider HVA designation as an input to Mission Prevalence. HVA applies to a Department or Agency (or similar organization), not to a component affected by a vulnerability, so there may need to be some additional mapping that an HVA has mission-critical dependency on a vulnerable component.

Also this may be moot since Mission Prevalence is assessed regardless of HVA status.

https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-SecureHighValueAssets_S508C.pdf

https://www.cio.gov/handbook/policies-initiatives/high-value-assets/

j--- commented 1 year ago

Can you help me understand the suggestion a bit more? Why would this go in mission prevalence rather than mission impact? Mission impact is the place where a deployer of a system would assess the vul's impact on their mission, right? It would probably make sense to call this out there. Or are you suggesting that the CSIRT-focused "mission prevalence" option for essential be re-defined as HVA?

zmanion commented 1 year ago

I was primarily considering just the CISA tree, which uses MEF impact as a way to determine Mission Prevalence.

Maybe there is a story like this: Part of determining HVA status involves identifying information systems and dependencies that support (affect) MEF. I would not typically expect to be assessing SSVC at the "information system" level, but a lower component level, e.g., mission-essential-web-app uses Struts. Evaluating SSVC for a Struts vulnerability would light up the MEF association and help more automatically determine Mission Prevalence.

Automating this would require more than the basic HVA requirement at the information system level, but maybe as part of that determination, extend it to include critical components or dependencies. Basically, decide and cache this knowledge ahead of time. HVA does not presently require component-level detail IIUC.

I think the same logic could apply to Mission Impact, the summary is, if someone is going to bother with HVA designation, collect some component information also to better enable SSVC automation.
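Added example (not code from the SSVC project or from anyone in this thread) of the "decide and cache this knowledge ahead of time" idea: an HVA inventory extended with component-level dependencies, walked upward from a vulnerable component such as Struts to find HVA systems whose MEFs it reaches. System names, components and the prevalence mapping (direct MEF dependency -> Essential, only transitive -> Support, none -> Minimal) are assumptions for illustration, not SSVC's definitions.

```python
from dataclasses import dataclass

@dataclass
class InfoSystem:
    """An HVA-inventory entry, extended with component-level detail."""
    name: str
    hva: bool                              # HVA-designated at the information-system level
    mefs: frozenset = frozenset()          # mission essential functions it supports
    components: frozenset = frozenset()    # software components it runs directly
    depends_on: frozenset = frozenset()    # other information systems it relies on

# Constructed sample inventory (hypothetical names, not real agency data).
INVENTORY = {
    "mission-essential-web-app": InfoSystem(
        "mission-essential-web-app", hva=True, mefs=frozenset({"MEF-1"}),
        components=frozenset({"struts"})),
    "reporting-portal": InfoSystem(
        "reporting-portal", hva=True, mefs=frozenset({"MEF-2"}),
        depends_on=frozenset({"auth-service"})),
    "auth-service": InfoSystem(
        "auth-service", hva=False, components=frozenset({"keycloak"})),
    "intranet-wiki": InfoSystem(
        "intranet-wiki", hva=False, components=frozenset({"struts"})),
}

def mef_exposure(component, inventory):
    """Return {system: "direct" | "transitive"} for HVA systems with MEFs that
    reach the vulnerable component through the cached dependency map."""
    direct = {n for n, s in inventory.items() if component in s.components}
    reached = dict.fromkeys(direct, "direct")
    changed = True
    while changed:  # propagate exposure to every system depending on a reached one
        changed = False
        for n, s in inventory.items():
            if n not in reached and s.depends_on & set(reached):
                reached[n] = "transitive"
                changed = True
    return {n: how for n, how in reached.items()
            if inventory[n].hva and inventory[n].mefs}

def mission_prevalence(component, inventory):
    """Assumed mapping for this example, not SSVC's definition:
    direct MEF dependency -> Essential, only transitive -> Support, none -> Minimal."""
    exposure = mef_exposure(component, inventory)
    if "direct" in exposure.values():
        return "Essential"
    if exposure:
        return "Support"
    return "Minimal"
```

Note that intranet-wiki also runs Struts but is not HVA-designated, so it contributes nothing; the decision is driven only by the cached HVA/MEF association.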