Stakeholder-Specific Vulnerability Categorization (SSVC)

<!DOCTYPE html> <html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#" class="no-js"> <head> <meta charset="utf-8" /> <meta name="description" content="The Stakeholder-Specific Vulnerability Categorization (SSVC) provides the cyber community a vulnerability analysis methodology that accounts for a" /> <link rel="canonical" href="https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc" /> <meta property="og:site_name" content="Cybersecurity and Infrastructure Security Agency CISA" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc" /> <meta property="og:title" content="Stakeholder-Specific Vulnerability Categorization (SSVC) | CISA" /> <meta property="og:description" content="The Stakeholder-Specific Vulnerability Categorization (SSVC) provides the cyber community a vulnerability analysis methodology that accounts for a vulnerability's exploitation status, impacts to safety, and prevalence of the affected product in a singular system." /> <meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="icon" href="/profiles/cisad8_gov/themes/custom/gesso/favicon.png" type="image/png" /> <title>Stakeholder-Specific Vulnerability Categorization (SSVC) | CISA</title> <link rel="stylesheet" media="all" href="/core/misc/components/progress.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/misc/components/ajax-progress.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/align.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/fieldgroup.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/container-inline.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/clearfix.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/details.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/hidden.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/item-list.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/js.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/nowrap.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/position-container.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/reset-appearance.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/resize.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-counter.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-counters.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-general-info.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/tablesort.module.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/filter/css/filter.caption.css?su5go0" /> <link rel="stylesheet" media="all" href="/core/modules/media/css/filter.caption.css?su5go0" /> <link rel="stylesheet" media="all" href="/modules/contrib/better_social_sharing_buttons/css/better_social_sharing_buttons.css?su5go0" /> <link rel="stylesheet" media="all" href="/modules/contrib/ckeditor_accordion/css/accordion.frontend.css?su5go0" /> <link rel="stylesheet" media="all" href="/modules/contrib/extlink/css/extlink.css?su5go0" /> <link rel="stylesheet" media="all" href="/modules/contrib/paragraphs/css/paragraphs.unpublished.css?su5go0" /> <link rel="stylesheet" media="all" href="/profiles/cisad8_gov/modules/custom/toolbar_tasks/css/toolbar.css?su5go0" /> <link rel="stylesheet" media="all" href="//fonts.googleapis.com/css2?family=Montserrat:wght@400;500;600;700&family=Public+Sans:wght@400;500;600;700&display=swap" /> <link rel="stylesheet" media="all" href="/profiles/cisad8_gov/themes/custom/gesso/dist/css/styles.css?su5go0" /> <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","pathPrefix":"","currentPath":"node\/17155","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"gtag":{"tagId":"","consentMode":false,"otherIds":[],"events":[],"additionalConfigInfo":[]},"ajaxPageState":{"libraries":"eJxdjkFuxCAMAD_EwpOQAYfQOBjZpt38vhyyu2ovlmdkyZPQDCUq5wYUdQdpvcY0zbhrULtoscsHlmYsEXJmKY17eG9-E-6GvTh82ro-QpE5gPyNrjJXwmhQQ13jP3v4gudfebo69adoSIJQsswzvUwlTkDuXD0QtkYr3mcYtkLcAIEqMHZ9JXyMn33MRE13LE4vNTxDAkVnzJRA1mc9NNzkpm5YKn_Huws60GUtayCG8njjI5f-C5H5ft4","theme":"guswds","theme_token":null},"ajaxTrustedUrl":[],"gtm":{"tagId":null,"settings":{"data_layer":"dataLayer","include_classes":false,"allowlist_classes":"","blocklist_classes":"","include_environment":false,"environment_id":"","environment_token":""},"tagIds":["GTM-53QLXSL9"]},"data":{"extlink":{"extTarget":false,"extTargetAppendNewWindowLabel":"(opens in a new window)","extTargetNoOverride":false,"extNofollow":false,"extTitleNoOverride":false,"extNoreferrer":false,"extFollowNoOverride":false,"extClass":"ext","extLabel":"(link is external)","extImgClass":false,"extSubdomains":true,"extExclude":"(.\\.gov$)|(.\\.mil$)|(.\\.mil\/)|(.\\.gov\/)","extInclude":"","extCssExclude":".c-menu--social,.c-menu--footer,.c-social-links,.c-text-cta--button,.usa-footer__contact-info","extCssInclude":"","extCssExplicit":"","extAlert":true,"extAlertText":"You are now leaving an official website of the United State Government (USG), the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). Links to non-USG, non-DHS and non-CISA sites are provided for the visitor\u0027s convenience and do not represent an endorsement by USG, DHS or CISA of any commercial or private issues, products or services. Note that the privacy policy of the linked site may differ from that of USG, DHS and CISA.","extHideIcons":false,"mailtoClass":"mailto","telClass":"","mailtoLabel":"(link sends email)","telLabel":"(link is a phone number)","extUseFontAwesome":false,"extIconPlacement":"append","extPreventOrphan":false,"extFaLinkClasses":"fa fa-external-link","extFaMailtoClasses":"fa fa-envelope-o","extAdditionalLinkClasses":"","extAdditionalMailtoClasses":"","extAdditionalTelClasses":"","extFaTelClasses":"fa fa-phone","whitelistedDomains":[],"extExcludeNoreferrer":""}},"ckeditorAccordion":{"accordionStyle":{"collapseAll":1,"keepRowsOpen":0,"animateAccordionOpenAndClose":1,"openTabsWithHash":1}},"user":{"uid":0,"permissionsHash":"0f75d40308887aebba0d5b0d2671305b73c9431902f86e672380a6dc6ab97d07"}}</script> <script src="/core/misc/drupalSettingsLoader.js?v=10.4.3"></script> <script src="/modules/contrib/google_tag/js/gtag.js?su5go0"></script> <script src="/modules/contrib/google_tag/js/gtm.js?su5go0"></script> <script src="https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=DHS&subagency=CISA&yt=true" id="_fed_an_ua_tag" async></script> </head> <body class="path-node not-front node-page node-page--node-type-page" id="top"> <div class="c-skiplinks"> <a href="#main" class="c-skiplinks__link u-visually-hidden u-focusable">Skip to main content</a> </div> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-53QLXSL9" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="l-site-container"> <section class="usa-banner" aria-label="Official government website"> <div class="usa-accordion"> <header class="usa-banner__header"> <div class="usa-banner__inner"> <div class="grid-col-auto"> <img class="usa-banner__header-flag" src="/profiles/cisad8_gov/themes/custom/gesso/dist/images/us_flag_small.png" alt="U.S. flag" /> </div> <div class="grid-col-fill tablet:grid-col-auto"> <p class="usa-banner__header-text">An official website of the United States government</p> <p class="usa-banner__header-action" aria-hidden="true">Here’s how you know</p></div> <button class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner"> <span class="usa-banner__button-text">Here’s how you know</span> </button> </div> </header> <div class="usa-banner__content usa-accordion__content" id="gov-banner"> <div class="grid-row grid-gap-lg"> <div class="usa-banner__guidance tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/profiles/cisad8_gov/themes/custom/gesso/dist/images/icon-dot-gov.svg" alt="Dot gov"> <div class="usa-media-block__body"> <p> <strong>Official websites use .gov</strong> <br> A <strong>.gov</strong> website belongs to an official government organization in the United States. </p> </div> </div> <div class="usa-banner__guidance tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/profiles/cisad8_gov/themes/custom/gesso/dist/images/icon-https.svg" alt="HTTPS"> <div class="usa-media-block__body"> <p> <strong>Secure .gov websites use HTTPS</strong> <br> A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-title banner-lock-description"><title id="banner-lock-title">Lock</title><desc id="banner-lock-description">A locked padlock</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"/></svg></span>) or <strong>https://</strong> means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites. </p> </div> </div> </div> </div> </div> </section> <div class="c-block c-global-header-btns c-global-btns"> <div class="l-constrain l-constrain"> <div class="c-block__content"> <div id="block-globalbuttons" class="c-block c-block--provider-block-content c-block--id-block-content83069f9f-34fc-4d54-86ec-936a204f8088"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p><a class="c-button c-button--basic c-button--blue" href="/resources-tools/resources/free-cybersecurity-services-and-tools" title="Free Cyber Services">Free Cyber Services</a><a class="c-button c-button--basic c-button--green60" href="/securebydesign">Secure by design </a><a class="c-button c-button--basic c-button--teal" href="/node/18883">Secure Our World</a><a class="c-button c-button--campaign" href="/node/8056">Shields Up</a><a class="c-button c-button--report" href="/report">Report A Cyber Issue</a></p></div></div> </div> </div> </div> </div> </div> <div class="usa-overlay"></div> <header class="usa-header usa-header--extended" role="banner"> <div class="usa-navbar"> <div class="l-constrain"> <div class="usa-navbar__row"> <div class="c-block c-site-header"> <div class="l-constrain"> <div class="c-block__content"> <div id="block-guswds-cisaheaderblock" class="c-block c-block--provider-block-content c-block--id-block-contentbc4e6844-86b4-4e20-b163-a73bda3d1d76"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><a href="/"><img src = "/sites/default/files/images/SVG/header_logo_tagline_update.svg" alt="Cybersecurity & Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and Resilience"/><img class="print-only" src = "/sites/default/files/images/SVG/header_logo_tagline_update.png" alt="Cybersecurity & Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and Resilience"/></a></div></div> </div> </div> </div> </div> </div> <div class="c-block c-site-header-mobile"> <div class="l-constrain"> <div class="c-block__content"> <div id="block-guswds-cisaheaderblockmobile" class="c-block c-block--provider-block-content c-block--id-block-content283396c9-cd36-4ce3-b1e2-9b5576ab4f50"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><a href="/"><img src = "/sites/default/files/images/SVG/mobile_logo_wordmark.svg" alt="CISA Logo"/></a></div></div> </div> </div> </div> </div> </div> <div class="usa-navbar__search"> <div class="usa-navbar__search-header"> <p>Search</p> </div> <div class="usa-search"> <script async src=https://cse.google.com/cse.js?cx=ffc4c79e29d5b3a8c></script> <div class="gcse-searchbox-only" data-resultsurl="/search"> </div> </div> </div> <button class="mobile-menu-button usa-menu-btn">Menu</button> </div> </div> </div> <div class="c-block c-tagline-mobile"> <div class="l-constrain"> <div class="c-block__content"> <div id="block-guswds-mobiletaglinecontainer" class="c-block c-block--provider-block-content c-block--id-block-contentc8d12e9d-7e48-4708-90c1-563609c4b566"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p><center><img src = "/sites/default/files/images/SVG/header_tagline_mobile_update.svg" alt = "America's Cyber Defense Agency" /></center></div></div> </div> </div> </div> </div> </div> <nav class="usa-nav" role="navigation" aria-label="Primary navigation"> <div class="usa-nav__inner l-constrain"> <div class="usa-nav__row"> <button class="usa-nav__close">Close</button> <div class="usa-search"> <script async src=https://cse.google.com/cse.js?cx=ffc4c79e29d5b3a8c></script> <div class="gcse-searchbox-only" data-resultsurl="/search"> </div> </div> <ul class="usa-nav__primary usa-accordion"> <li class="usa-nav__primary-item topics"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-1"> <span>Topics</span> </button> <div id="basic-mega-nav-section-1" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/topics">Topics</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/cybersecurity-best-practices"> <span>Cybersecurity Best Practices</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/cyber-threats-and-advisories"> <span>Cyber Threats and Advisories</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/critical-infrastructure-security-and-resilience"> <span>Critical Infrastructure Security and Resilience</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/election-security"> <span>Election Security</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/emergency-communications"> <span>Emergency Communications</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/industrial-control-systems"> <span>Industrial Control Systems</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/information-communications-technology-supply-chain-security"> <span>Information and Communications Technology Supply Chain Security</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/partnerships-and-collaboration"> <span>Partnerships and Collaboration</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/physical-security"> <span>Physical Security</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/risk-management"> <span>Risk Management</span> </a> </div> </div> </div> <div class="c-menu-feature-links"> <div class="c-menu-feature-links__title"> <a href="/audiences"> How can we help? </a> </div> <div class="c-menu-feature-links__content"><a href="/topics/government">Government</a><a href="/topics/educational-institutions">Educational Institutions</a><a href="/topics/industry">Industry</a><a href="/topics/state-local-tribal-and-territorial">State, Local, Tribal, and Territorial</a><a href="/topics/individuals-and-families">Individuals and Families</a><a href="/topics/small-and-medium-businesses">Small and Medium Businesses</a><a href="/audiences/find-help-locally">Find Help Locally</a><a href="/audiences/faith-based-community">Faith-Based Community</a><a href="/audiences/executives">Executives</a><a href="/audiences/high-risk-communities">High-Risk Communities</a></div> </div> </div> </li> <li class="usa-nav__primary-item spotlight"> <a href="/spotlight" class="usa-nav__link" > <span>Spotlight</span> </a> </li> <li class="usa-nav__primary-item resources--tools"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-3"> <span>Resources & Tools</span> </button> <div id="basic-mega-nav-section-3" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/resources-tools">Resources & Tools</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/all-resources-tools"> <span>All Resources & Tools</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/services"> <span>Services</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/programs"> <span>Programs</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/resources"> <span>Resources</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/training"> <span>Training</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/groups"> <span>Groups</span> </a> </div> </div> </div> </div> </li> <li class="usa-nav__primary-item news--events"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-4"> <span>News & Events</span> </button> <div id="basic-mega-nav-section-4" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/news-events">News & Events</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/news"> <span>News</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/events"> <span>Events</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/cybersecurity-advisories"> <span>Cybersecurity Alerts & Advisories</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/directives"> <span>Directives</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/request-speaker"> <span>Request a CISA Speaker</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/congressional-testimony"> <span>Congressional Testimony</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/cisa-conferences"> <span>CISA Conferences</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/cisa-live"> <span>CISA Live!</span> </a> </div> </div> </div> </div> </li> <li class="usa-nav__primary-item careers"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-5"> <span>Careers</span> </button> <div id="basic-mega-nav-section-5" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/careers">Careers</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/careers/benefits-perks"> <span>Benefits & Perks</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/careers/hirevue-applicant-reasonable-accommodations-process"> <span>HireVue Applicant Reasonable Accommodations Process</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/general-recruitment-and-hiring-faqs"> <span>Hiring</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/careers/resume-application-tips"> <span>Resume & Application Tips</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/students-recent-graduates-employment-opportunities"> <span>Students & Recent Graduates</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/careers/veteran-and-military-spouse-employment-opportunities"> <span>Veteran and Military Spouses</span> </a> </div> </div> </div> </div> </li> <li class="usa-nav__primary-item about"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-6"> <span>About</span> </button> <div id="basic-mega-nav-section-6" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/about">About</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/divisions-offices"> <span>Divisions & Offices</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/regions"> <span>Regions</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/leadership"> <span>Leadership</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/doing-business-cisa"> <span>Doing Business with CISA</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/site-links"> <span>Site Links</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/cisa-github"> <span>CISA GitHub</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/cisa-central"> <span>CISA Central</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/contact-us"> <span>Contact Us </span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/contact-us/subscribe-updates-cisa"> <span>Subscribe</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/transparency-and-accountability"> <span>Transparency and Accountability</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/eeo-policies"> <span>Policies & Plans</span> </a> </div> </div> </div> </div> </li> </ul> <div class="c-block c-global-menu-btns c-global-btns"> <div class="c-block__content"> <div id="block-globalbuttons" class="c-block c-block--provider-block-content c-block--id-block-content83069f9f-34fc-4d54-86ec-936a204f8088"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p><a class="c-button c-button--basic c-button--blue" href="/resources-tools/resources/free-cybersecurity-services-and-tools" title="Free Cyber Services">Free Cyber Services</a><a class="c-button c-button--basic c-button--green60" href="/securebydesign">Secure by design </a><a class="c-button c-button--basic c-button--teal" href="/node/18883">Secure Our World</a><a class="c-button c-button--campaign" href="/node/8056">Shields Up</a><a class="c-button c-button--report" href="/report">Report A Cyber Issue</a></p></div></div> </div> </div> </div> </div> </div> </div> </nav> </header> <div class="l-breadcrumb"> <div class="l-constrain"> <div class="l-breadcrumb__row"> <nav aria-labelledby="breadcrumb-label" class="c-breadcrumb" role="navigation"> <div class="l-constrain"> <div id="breadcrumb-label" class="c-breadcrumb__title u-visually-hidden">Breadcrumb</div> <ol class="c-breadcrumb__list"> <li class="c-breadcrumb__item"> <a class="c-breadcrumb__link" href="/">Home</a> </li> <li class="c-breadcrumb__item"> <span aria-current="page"> Stakeholder-Specific Vulnerability Categorization (SSVC) </span> </li> </ol> </div> </nav> <div id="block-bettersocialsharingbuttons" class="c-block c-block--social-share c-block--provider-better-social-sharing-buttons c-block--id-social-sharing-buttons-block"> <div class="c-block__content"> <div class="c-block__row"> <span>Share:</span> <div style="display: none"><link rel="preload" href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg" as="image" type="image/svg+xml" crossorigin="anonymous" /></div> <div class="social-sharing-buttons"> <a href="https://www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc&title=Stakeholder-Specific%20Vulnerability%20Categorization%20%28SSVC%29" target="_blank" title="Share to Facebook" aria-label="Share to Facebook" class="social-sharing-buttons-button share-facebook" rel="noopener"> <svg aria-hidden="true" width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#facebook" /> </svg> </a> <a href="https://twitter.com/intent/tweet?text=Stakeholder-Specific%20Vulnerability%20Categorization%20%28SSVC%29+https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc" target="_blank" title="Share to X" aria-label="Share to X" class="social-sharing-buttons-button share-x" rel="noopener"> <svg aria-hidden="true" width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#x" /> </svg> </a> <a href="https://www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc" target="_blank" title="Share to Linkedin" aria-label="Share to Linkedin" class="social-sharing-buttons-button share-linkedin" rel="noopener"> <svg aria-hidden="true" width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#linkedin" /> </svg> </a> <a href="mailto:?subject=Stakeholder-Specific%20Vulnerability%20Categorization%20%28SSVC%29&body=https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc" title="Share to Email" aria-label="Share to Email" class="social-sharing-buttons-button share-email" target="_blank" rel="noopener"> <svg aria-hidden="true" width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#email" /> </svg> </a> </div> </div> </div> </div> </div> </div> </div> <main id="main" class="c-main" role="main" tabindex="-1"> <div class="l-content"> <article class="c-article"> <div class="c-page-title"> <div class="c-page-title__inner l-constrain"> <div class="c-page-title__row"> <div class="c-page-title__content"> <h1 class="c-page-title__title"> <span>Stakeholder-Specific Vulnerability Categorization (SSVC)</span> </h1> </div> </div> <div class="c-page-title__decoration"></div> </div> </div> <div class="c-wysiwyg"> <div class="l-constrain"> <div class="c-wysiwyg__inner"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p>Carnegie Mellon University's Software Engineering Institute (SEI), in collaboration with CISA, created the Stakeholder-Specific Vulnerability Categorization (SSVC) system in 2019 to provide the cyber community a vulnerability analysis methodology that accounts for a vulnerability's exploitation status, impacts to safety, and prevalence of the affected product in a singular system. CISA worked with SEI in 2020 to develop its own customized SSVC decision tree to examine vulnerabilities relevant to the United States government (USG), as well as state, local, tribal, and territorial (SLTT) governments, and critical infrastructure entities. Implementing SSVC has allowed CISA to better prioritize its vulnerability response and vulnerability messaging to the public. </p><h3>Stakeholder-Specific Vulnerability Categorization (SSVC) On Demand Training</h3><p>The On Demand Training instructs analysts on triaging vulnerabilities using a Stakeholder-Specific Vulnerability Categorization (SSVC) through collecting evidence, with examples of analysts in different stakeholder roles. Furthermore, the SSVC is a vulnerability prioritization methodology that helps an analyst decide on vulnerability response actions consistent with priorities agreed with the analyst’s leadership.</p><figure class="c-figure c-figure--medium c-figure--iframe u-align-center" role="group"><div class="c-figure__media"><div class="c-video has-iframe"><iframe class="c-video__iframe" src="https://www.cisa.gov/media/oembed?url=https%3A//www.youtube.com/watch%3Fv%3DNqiwyUPLy6I&max_width=800&max_height=0&hash=9m-HNDd5eV71daq51ys3eey2A1UC6EehVed1Ef7d9aA" title="SSVC On Demand Training" allowfullscreen frameborder="0"></iframe></div></div></figure><h3>How CISA Uses SSVC </h3><p>CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: </p><ul><li><strong>Track</strong>: The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines. </li><li><strong>Track</strong>*: The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines. </li><li><strong>Attend</strong>: The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines. </li><li><strong>Act</strong>: The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible. </li></ul><p>The CISA SSVC tree determines the decisions of <strong>Track</strong>, <strong>Track</strong>*, <strong>Attend</strong>, and <strong>Act</strong> based on five values:  </p><ul><li>Exploitation status  </li><li>Technical impact  </li><li>Automatable </li><li>Mission prevalence </li><li>Public well-being impact </li></ul><p>To learn more, see the <a href="/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf" title="CISA SSVC Guide">CISA SSVC Guide</a> (pdf, 948 kb). </p><h3>CISA's SSVC Calculator </h3><p>The <a href="/ssvc-calculator" title="SSVC Calculator">CISA SSVC Calculator</a> allows users to input decision values and navigate through the CISA SSVC tree model to the final overall decision for a vulnerability affecting their organization. The SSVC Calculator allows users to export the data as .PDF or JSON. </p><h3>Additional SSVC Decision Tree Models  </h3><p>Organizations whose mission spaces need to evaluate the effect of vulnerabilities in at least one external organization may find the CISA SSVC decision tree model helpful. The CISA SSVC decision tree model closely resembles the standard SSVC “Coordinator” tree. For organizations whose mission spaces do not align with CISA’s decision tree, the SEI whitepaper <a href="https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=653459" title="Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)">Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)</a> details other decision tree models that may better align to their mission space.  </p><h3>Contact Us </h3><p>For CISA SSVC questions, email <a href="mailto:vulnerability@cisa.dhs.gov" title="Email Vulnerability">vulnerability@cisa.dhs.gov</a> and include "SSVC" in the subject line.  </p><p>For general SSVC questions, contact SEI on <a href="https://github.com/CERTCC/SSVC/issues" title="GitHub">GitHub</a>. If unable to access the above GitHub site, use this <a href="https://www.sei.cmu.edu/contact-us/" title="Contact Form">contact form</a> instead. </p></div></div> </div> </div> </div> </article> </div> </main> <footer class="usa-footer usa-footer--slim" role="contentinfo"> <div class="usa-footer__return-to-top"> <div class="l-constrain"> <a href="#top">Return to top</a> </div> </div> <div class="usa-footer__upper"> <div class="l-constrain"> <ul class="c-menu c-menu--footer-main"> <li class="c-menu__item"> <a href="/topics" class="c-menu__link js-top-level" aria-current="false" data-drupal-link-system-path="node/7329">Topics</a> </li> <li class="c-menu__item"> <a href="/spotlight" class="c-menu__link js-top-level" aria-current="false" data-drupal-link-system-path="node/7330">Spotlight</a> </li> <li class="c-menu__item"> <a href="/resources-tools" class="c-menu__link js-top-level" aria-current="false" data-drupal-link-system-path="node/7331">Resources & Tools</a> </li> <li class="c-menu__item"> <a href="/news-events" class="c-menu__link js-top-level" aria-current="false" data-drupal-link-system-path="node/7332">News & Events</a> </li> <li class="c-menu__item"> <a href="/careers" class="c-menu__link js-top-level" aria-current="false" data-drupal-link-system-path="node/7323">Careers</a> </li> <li class="c-menu__item"> <a href="/about" class="c-menu__link js-top-level" aria-current="false" data-drupal-link-system-path="node/6944">About</a> </li> </ul> </div> </div> <div class="usa-footer__main"> <div class="l-constrain"> <div class="usa-footer__main-row"> <div class="usa-footer__brand"> <a class="c-site-name c-site-name--footer" href="/" rel="home" title="Go to the Cybersecurity & Infrastructure Security Agency homepage"> <span class="c-site-name__text">Cybersecurity & Infrastructure Security Agency</span> </a> </div> <div class="usa-footer__contact"> <ul class="c-menu c-menu--social"> <li class="c-menu__item"> <a href="https://www.facebook.com/CISA" class="c-menu__link--facebook c-menu__link js-top-level" aria-current="false">Facebook</a> </li> <li class="c-menu__item"> <a href="https://x.com/CISAgov" class="c-menu__link--twitter c-menu__link js-top-level" aria-current="false">X</a> </li> <li class="c-menu__item"> <a href="https://www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency" class="c-menu__link--linkedin c-menu__link js-top-level" aria-current="false">LinkedIn</a> </li> <li class="c-menu__item"> <a href="https://www.youtube.com/@cisagov" class="c-menu__link--youtube c-menu__link js-top-level" aria-current="false">YouTube</a> </li> <li class="c-menu__item"> <a href="https://www.instagram.com/cisagov" class="c-menu__link--instagram c-menu__link js-top-level" aria-current="false">Instagram</a> </li> <li class="c-menu__item"> <a href="/subscribe-updates-cisa" class="c-menu__link--rss c-menu__link js-top-level" aria-current="false">RSS</a> </li> </ul> <div class="usa-footer__contact-info"> <span>CISA Central</span> <a href="tel:1-844-Say-CISA">1-844-Say-CISA</a> <a href="mailto:SayCISA@cisa.dhs.gov">SayCISA@cisa.dhs.gov</a> </div> </div> </div> </div> </div> <div class="usa-footer__lower"> <div class="l-constrain"> <div class="usa-footer__lower-row"> <div class="usa-footer__lower-left"> <div class="c-dhs-logo"> <div class="c-dhs-logo__seal">DHS Seal</div> <div class="c-dhs-logo__content"> <div class="c-dhs-logo__url">CISA.gov</div> <div class="c-dhs-logo__text">An official website of the U.S. Department of Homeland Security</div> </div> </div> <ul class="c-menu c-menu--footer"> <li class="c-menu__item"> <a href="/about" class="c-menu__link js-top-level" title="About CISA" aria-current="false" data-drupal-link-system-path="node/6944">About CISA</a> </li> <li class="c-menu__item"> <a href="https://www.dhs.gov/performance-financial-reports" class="c-menu__link js-top-level" title="Budget and Performance" aria-current="false">Budget and Performance</a> </li> <li class="c-menu__item"> <a href="https://www.dhs.gov" title="Department of Homeland Security" class="c-menu__link js-top-level" aria-current="false">DHS.gov</a> </li> <li class="c-menu__item"> <a href="https://www.dhs.gov/foia" class="c-menu__link js-top-level" title="FOIA Requests" aria-current="false">FOIA Requests</a> </li> <li class="c-menu__item"> <a href="/no-fear-act" title="No FEAR Act Reporting" class="c-menu__link js-top-level" aria-current="false" data-drupal-link-system-path="node/21494">No FEAR Act</a> </li> <li class="c-menu__item"> <a href="https://www.oig.dhs.gov/" class="c-menu__link js-top-level" title="Office of Inspector General" aria-current="false">Office of Inspector General</a> </li> <li class="c-menu__item"> <a href="/privacy-policy" class="c-menu__link js-top-level" title="Privacy Policy" aria-current="false" data-drupal-link-system-path="node/16115">Privacy Policy</a> </li> <li class="c-menu__item"> <a href="https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138" title="Subscribe to Email Updates" class="c-menu__link js-top-level" aria-current="false">Subscribe</a> </li> <li class="c-menu__item"> <a href="https://www.whitehouse.gov/" class="c-menu__link js-top-level" title="The White House" aria-current="false">The White House</a> </li> <li class="c-menu__item"> <a href="https://www.usa.gov/" class="c-menu__link js-top-level" title="USA.gov" aria-current="false">USA.gov</a> </li> <li class="c-menu__item"> <a href="/forms/feedback" title="Website Feedback" class="c-menu__link js-top-level" aria-current="false" data-drupal-link-system-path="forms/feedback">Website Feedback</a> </li> </ul> </div> <div class="usa-footer__lower-right"> <iframe src="https://www.dhs.gov/ntas/" name="National Terrorism Advisory System" title="National Terrorism Advisory System" width="170" height="180" scrolling="no" frameborder="0" seamless border="0" ></iframe> </div> </div> </div> </div> </footer> </div> </div> <script src="/core/assets/vendor/jquery/jquery.min.js?v=3.7.1"></script> <script src="/core/assets/vendor/once/once.min.js?v=1.0.1"></script> <script src="/core/misc/drupal.js?v=10.4.3"></script> <script src="/core/misc/drupal.init.js?v=10.4.3"></script> <script src="/core/assets/vendor/tabbable/index.umd.min.js?v=6.2.0"></script> <script src="/modules/contrib/ckeditor_accordion/js/accordion.frontend.min.js?su5go0"></script> <script src="/modules/contrib/extlink/js/extlink.js?v=10.4.3"></script> <script src="/core/misc/jquery.form.js?v=4.3.0"></script> <script src="/core/misc/progress.js?v=10.4.3"></script> <script src="/core/assets/vendor/loadjs/loadjs.min.js?v=4.3.0"></script> <script src="/core/misc/debounce.js?v=10.4.3"></script> <script src="/core/misc/announce.js?v=10.4.3"></script> <script src="/core/misc/message.js?v=10.4.3"></script> <script src="/core/misc/ajax.js?v=10.4.3"></script> <script src="/modules/contrib/google_tag/js/gtag.ajax.js?su5go0"></script> <script src="/profiles/cisad8_gov/themes/custom/gesso/dist/js/breadcrumb.es6.js?su5go0"></script> <script src="/profiles/cisad8_gov/themes/custom/gesso/dist/js/common.js?su5go0"></script> <script src="/profiles/cisad8_gov/themes/custom/gesso/dist/js/uswds-init.es6.js?su5go0"></script> <script src="/profiles/cisad8_gov/themes/custom/gesso/dist/js/uswds.es6.js?su5go0"></script> </body> </html>

CINXE.COM

Stakeholder-Specific Vulnerability Categorization (SSVC) | CISA