The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems
... 199 definitions do apply, so Federal information systems' potential impact levels can be considered when calculating environmental metric scores for vulnerabilities. Suppose that per FIPS 199, an information system has potential impact levels of high for confidentiality and integrity, and moderate for availability.[8] These values can then be entered into the CVSS calculator as the environmental metric impact subscore modifiers (the confidentiality, integrity and availability requirement metrics). Once these values have been entered, the environmental score is raised or lowered relative to the base score according to how heavily the organization depends on each of the three properties, resulting in a CVSS score that is specifically tailored to the target environment. Organizations should keep in mind that a CVSS score only assesses the relative severity of a vulnerability when compared to other vulnerabilities, and does not take into account any security controls that might mitigate exploitation attempts (e.g., firewalls, antivirus software, intrusion detection and prevention systems, authentication mechanisms). CVSS scores are intended as an aid in making decisions, and are only one element of many that should be considered.

4.1.3 Using CVSS with the Security Content Automation Protocol

The Security Content Automation Protocol (SCAP)[9] is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). More specifically, SCAP is a suite of selected open standards that enumerate software flaws, security-related configuration issues, and product names; measure systems to determine the presence of vulnerabilities; and provide mechanisms to rank (score) the results of these measurements to evaluate the impact of discovered security issues. SCAP defines how these standards are combined. CVSS is one of the six vulnerability management standards that comprise SCAP. More information on SCAP and how it benefits U.S. government agencies (and other organizations) is available at http://nvd.nist.gov/scap.cfm.
[8] CVSS uses the term "medium" as opposed to "moderate", but the terms are synonymous for the purposes of CVSS.
[9] SCAP is pronounced "ess cap".

22    THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

5. Conclusion

The Common Vulnerability Scoring System (CVSS) provides a standard method for Federal agencies and other organizations to rate the severity of vulnerabilities within their systems. The National Vulnerability Database (NVD) provides a standard set of U.S. government-validated CVSS scores. Together, when incorporated into security products, NVD and CVSS enable organizations to understand the impact of the vulnerabilities on their systems. Furthermore, the impact ratings will be the same even when the vulnerabilities are discovered by multiple security tools used in different organizations. This enables an apples-to-apples comparison of the severity of vulnerabilities between U.S. government systems, and even between organizations. Watching the CVSS scores of discovered vulnerabilities over time ca...
This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.