199 definitions do apply, so Federal information systems’ potential impact levels can be considered when
calculating environmental metric scores for vulnerabilities.
Suppose that per FIPS 199, an information system has potential impact levels of high for confidentiality
and integrity, and moderate for availability. These values can then be input into the CVSS calculator for
the environmental metric impact subscore modifiers. Once these values have been entered, the final
CVSS score will be adjusted appropriately, resulting in a CVSS score that is specifically tailored to the
target environment. Organizations should keep in mind that a CVSS score only assesses the relative
severity of a vulnerability when compared to other vulnerabilities, and does not take into account any
security controls that might mitigate exploitation attempts (e.g., firewalls, antivirus software, intrusion
detection and prevention systems, authentication mechanisms). CVSS scores are intended as an aid in
making decisions, and are only one element of many that should be considered.
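As an added worked example (not from the NIST document), the CVSS v2 environmental calculation with the FIPS 199 levels above (high confidentiality, high integrity, moderate availability) mapped onto the CR/IR/AR security requirement modifiers. The vulnerability vector AV:N/AC:L/Au:N/C:P/I:P/A:P is an assumed sample; temporal metrics, Collateral Damage Potential and Target Distribution are left Not Defined, so the change in score comes only from the impact subscore modifiers.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (values from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
# Security requirement modifiers (CR/IR/AR); "ND" = Not Defined.
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}
# FIPS 199 potential impact level -> CVSS security requirement.
# FIPS 199 says "moderate" where CVSS says "medium"; they are synonymous here.
FIPS199 = {"low": "L", "moderate": "M", "high": "H"}


def round1(x):
    """Round to one decimal, half up, as the CVSS v2 equations require."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def impact_subscore(c, i, a, cr="ND", ir="ND", ar="ND"):
    """Base impact when requirements are ND; AdjustedImpact otherwise."""
    adj = 10.41 * (1 - (1 - IMPACT[c] * REQ[cr])
                     * (1 - IMPACT[i] * REQ[ir])
                     * (1 - IMPACT[a] * REQ[ar]))
    return min(10.0, adj)  # AdjustedImpact is capped at 10


def score(impact, av, ac, au):
    """Base-score equation with the impact subscore supplied by the caller."""
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(av, ac, au, c, i, a):
    return score(impact_subscore(c, i, a), av, ac, au)


def environmental_score(av, ac, au, c, i, a, conf, integ, avail,
                        e=1.0, rl=1.0, rc=1.0, cdp=0.0, td=1.0):
    """Environmental score with FIPS 199 levels as the CR/IR/AR inputs.

    Temporal (E/RL/RC), CDP and TD default to their Not Defined weights.
    """
    cr, ir, ar = (FIPS199[level] for level in (conf, integ, avail))
    adjusted_base = score(impact_subscore(c, i, a, cr, ir, ar), av, ac, au)
    adjusted_temporal = round1(adjusted_base * e * rl * rc)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


if __name__ == "__main__":
    print("base:", base_score("N", "L", "N", "P", "P", "P"))  # 7.5
    print("env (high/high/moderate):",
          environmental_score("N", "L", "N", "P", "P", "P", "high", "high", "moderate"))  # 8.5
```

Note that the score rises because the system's requirements raise the weight of the confidentiality and integrity impacts; the same vector on a system with low requirements for all three scores lower, and no mitigating control (firewall, IDS, authentication) enters the calculation.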
4.1.3 Using CVSS with the Security Content Automation Protocol

The Security Content Automation Protocol (SCAP) 9 is a method for using specific standards to enable
automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA
compliance). More specifically, SCAP is a suite of selected open standards that enumerate software
flaws, security-related configuration issues, and product names; measure systems to determine the
presence of vulnerabilities; and provide mechanisms to rank (score) the results of these measurements to
evaluate the impact of discovered security issues. SCAP defines how these standards are combined.
CVSS is one of the six vulnerability management standards that comprise SCAP. More information on
SCAP and how it benefits U.S. government agencies (and other organizations) is available at
CVSS uses the term “medium” as opposed to “moderate”, but the terms are synonymous for the purposes of CVSS.
9 SCAP is pronounced “ess cap”.

THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

5. Conclusion

The Common Vulnerability Scoring System (CVSS) provides a standard method for Federal agencies and
other organizations to rate the severity of vulnerabilities within their systems. The National Vulnerability
Database (NVD) provides a standard set of U.S. government-validated CVSS scores. Together, when
incorporated into security products, NVD and CVSS enable organizations to understand the impact of the
vulnerabilities on their systems. Furthermore, the impact ratings will be the same even when the
vulnerabilities are discovered by multiple security tools used in different organizations. This enables an
apples-to-apples comparison of the severity of vulnerabilities between U.S. government systems, and
even organizations. Watching the CVSS scores of discovered vulnerabilities over time ca...
This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.