CISA has issued a number of Binding Operational Directives that directly affect service level expectations (SLEs) for vulnerability response across US Government Departments and Agencies. These serve as convenient examples of wide-scale practices that could be modeled using SSVC.
Describe the solution you'd like
We should develop one or more decision models based on BODs such as:
There may be others. Part of this task should include a review of outstanding BODs to see if there are more examples that might be relevant.
The general idea here is to systematically encode the logic of the above BODs into one (or more) SSVC-based decision model(s) that reflect the intent of the collection of BODs. Capturing the various SLEs can also be useful.
A part of this task will be to come up with a suggested response when more than one condition applies. For example, assuming that IN-KEV and HVA both have specific SLEs associated with them, is there a different SLE when an IN-KEV vul is in an HVA system? Logically it seems that the maximum SLE should be the minimum of the IN-KEV SLE and the HVA SLE, but should an IN-KEV + HVA situation warrant an even shorter response time to reflect the risk?
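To make the combination question concrete, here is a small table-driven decision model written as an added example for this issue. It is not SSVC project code and does not use the project's API; the IN-KEV and HVA decision points, the SLE day counts, and the `combined_tightening` factor are all constructed placeholders, not values from any actual BOD. It encodes the rule stated above (when several conditions apply, the deadline is the minimum of the applicable SLEs) and exposes the "even shorter when IN-KEV + HVA" idea as an optional factor so both policies can be compared side by side.

```python
"""Added example, not part of the SSVC project.

A minimal decision model that maps vulnerability context to a response SLE
(in days). Every SLE value here is a constructed placeholder for illustration;
none is taken from a real CISA Binding Operational Directive.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical per-condition SLEs in days (constructed placeholders).
PLACEHOLDER_SLE_DAYS: Dict[str, int] = {
    "in_kev": 14,  # vulnerability appears in the KEV catalog
    "hva": 30,     # affected system is designated a High Value Asset
}


@dataclass(frozen=True)
class VulnerabilityContext:
    """Decision point values for one vulnerability on one system."""
    in_kev: bool   # hypothetical decision point: is the vul in KEV?
    on_hva: bool   # hypothetical decision point: is the system an HVA?


def triggered_conditions(ctx: VulnerabilityContext) -> List[str]:
    """Return the names of the conditions (directives) that apply.

    Keeping this separate from the SLE arithmetic gives an audit trail:
    a reviewer can see *which* directives drove the deadline.
    """
    fired = []
    if ctx.in_kev:
        fired.append("in_kev")
    if ctx.on_hva:
        fired.append("hva")
    return fired


def response_sle_days(ctx: VulnerabilityContext,
                      combined_tightening: float = 1.0) -> Optional[int]:
    """Return the response SLE in days, or None when no directive applies.

    Rule from the issue text: with several applicable conditions, the
    deadline is the minimum of their SLEs.

    ``combined_tightening`` is a hypothetical knob (not in any BOD) that
    models the open question of whether IN-KEV + HVA should warrant an even
    shorter response. It is applied only when more than one condition
    fires; 1.0 means "plain minimum", 0.5 halves the deadline, etc.
    """
    fired = triggered_conditions(ctx)
    if not fired:
        return None
    base = min(PLACEHOLDER_SLE_DAYS[name] for name in fired)
    if len(fired) > 1 and combined_tightening < 1.0:
        # Round up so a tightened deadline never becomes zero days.
        return max(1, math.ceil(base * combined_tightening))
    return base


def explain(ctx: VulnerabilityContext, combined_tightening: float = 1.0) -> str:
    """Human-readable rationale, useful when presenting the model to reviewers."""
    fired = triggered_conditions(ctx)
    sle = response_sle_days(ctx, combined_tightening)
    if sle is None:
        return "no directive applies; default organizational SLE governs"
    parts = ", ".join(f"{n}={PLACEHOLDER_SLE_DAYS[n]}d" for n in fired)
    return f"conditions [{parts}] -> SLE {sle} days"


if __name__ == "__main__":
    for ctx in (VulnerabilityContext(True, False),
                VulnerabilityContext(False, True),
                VulnerabilityContext(True, True),
                VulnerabilityContext(False, False)):
        print(ctx, "|", explain(ctx), "| tightened:", explain(ctx, 0.5))
```

Running the block prints each context under both policies, so the "plain minimum" and "tightened" variants can be compared directly. Adding a decision point (for instance an internet-exposure flag from another directive) means adding one key to the SLE table and one line to `triggered_conditions`, which is the kind of incremental growth the Acuity Ramp discussion below is about.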
Additional context
We have already modeled a few relevant new decision points in code at least:
These should be reviewed for potential adjustments as part of the response to this issue.
This could be a good opportunity to draw in the concepts from the Acuity Ramp as well. We could demonstrate different models that incorporate more or fewer decision points based on the local organization's needs.