SSVC (Stakeholder-Specific Vulnerability Categorization) is CISA's framework for deciding which vulnerabilities to fix first. Unlike a single severity score, SSVC is a decision tree that produces an actionable verdict: Act, Attend, Track*, or Track.
Why SSVC exists
CVSS gives every vulnerability a number from 0 to 10. That number is the same whether the CVE affects an internet-facing crown-jewel server or an isolated lab box. SSVC adds the missing context: Is anyone exploiting this? Is the affected asset reachable? Can exploitation be automated? What would the impact be if it succeeded?
The output isn't a number. It's a recommendation that maps to a workflow:
- Act — patch this now. Top of the queue.
- Attend — patch in the next normal cycle. Don't sleep on it.
- Track* — monitor, but no immediate action.
- Track — routine handling.
The inputs
- Exploitation status — is there a known proof-of-concept, or is it being actively exploited in the wild? CISA's KEV catalog feeds this directly.
- Exposure — is the affected asset reachable from the internet, or sitting behind layers of segmentation?
- Utility — does the vulnerability lend itself to mass automation, or is exploitation manual and bespoke?
- Mission & well-being impact — what does the affected asset do, and what's the blast radius if it goes down?
How it pairs with KEV and EPSS
SSVC is the decision framework. KEV (Known Exploited Vulnerabilities) and EPSS (Exploit Prediction Scoring System) are the inputs. KEV says "this CVE is being exploited right now". EPSS says "this CVE has a 78% probability of being exploited in the next 30 days". Both feed straight into the SSVC tree.
How ThreatCluster uses it
Exposure Management ranks every asset in your inventory against your active threat feed using SSVC. Asset tagging (internet-facing, crown-jewel, isolated) populates the Exposure input. KEV listings and EPSS feed Exploitation Status. The output is a sorted patch list, not another spreadsheet of CVSS scores.
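To make the tree concrete, here is an added example that ties the four inputs listed above to the KEV/EPSS and asset-tag feeds just described, and turns a set of findings into the sorted patch list. It is illustrative code written for this page, not ThreatCluster's product code and not CISA's published decision table: the branching in `decide()` is a constructed approximation that only keeps the shape of the deployer tree, the page's Utility input is modelled as a yes/no `automatable` flag, and the EPSS threshold and the tag-to-Exposure mapping are assumed local policy. A real deployment would load CISA's decision table in place of `decide()`; the totality and monotonicity check still applies to it.

```python
"""Toy SSVC-style decision tree fed by KEV, EPSS and asset tags.

Added example; not ThreatCluster's code and not CISA's published decision
table. decide() is a constructed approximation that keeps the shape of the
deployer tree (Exploitation, Exposure, Automatable, Mission & well-being
impact -> Act / Attend / Track* / Track). The EPSS threshold and the
asset-tag mapping are assumptions as well.
"""
import itertools

EXPLOITATION = ("none", "poc", "active")   # ordered least to most urgent
EXPOSURES = ("small", "controlled", "open")
IMPACTS = ("low", "medium", "high")
ORDER = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}  # 0 = top of the queue


def exploitation_from_feeds(in_kev, epss, public_poc, epss_poc_threshold=0.5):
    """Derive the Exploitation input from KEV, EPSS and PoC evidence.

    A KEV listing means active exploitation. Treating a high EPSS score like
    a public PoC is an assumed local policy, not part of SSVC itself.
    """
    if in_kev:
        return "active"
    if public_poc or epss >= epss_poc_threshold:
        return "poc"
    return "none"


def exposure_from_tag(tag):
    """Map an inventory tag to the Exposure input (assumed mapping)."""
    return {"internet-facing": "open", "isolated": "small"}.get(tag, "controlled")


def decide(exploitation, exposure, automatable, impact):
    """Return the verdict for one (vulnerability, asset) pair."""
    if exploitation not in EXPLOITATION or exposure not in EXPOSURES or impact not in IMPACTS:
        raise ValueError(f"unknown decision point value: {exploitation!r}, {exposure!r}, {impact!r}")
    if exploitation == "active":
        if impact == "high" or (exposure == "open" and automatable):
            return "Act"
        if exposure == "small" and not automatable and impact == "low":
            return "Track*"
        return "Attend"
    if exploitation == "poc":
        if impact == "high" and exposure == "open":
            return "Attend"
        if impact == "high" or (exposure == "open" and automatable):
            return "Track*"
        return "Track"
    # No evidence of exploitation: only the worst combination leaves Track.
    if impact == "high" and exposure == "open" and automatable:
        return "Track*"
    return "Track"


def tree_is_total_and_monotone():
    """Every input combination must yield a verdict, and urgency must never
    drop when the Exploitation input escalates with the other inputs fixed."""
    for exposure, automatable, impact in itertools.product(EXPOSURES, (False, True), IMPACTS):
        ranks = [ORDER[decide(e, exposure, automatable, impact)] for e in EXPLOITATION]
        if ranks != sorted(ranks, reverse=True):
            return False
    return True


def patch_list(findings):
    """Turn (asset, CVE) findings into a list sorted by verdict, most urgent first."""
    rows = []
    for f in findings:
        verdict = decide(
            exploitation_from_feeds(f["kev"], f["epss"], f["poc"]),
            exposure_from_tag(f["tag"]), f["automatable"], f["impact"],
        )
        rows.append((verdict, f["asset"], f["cve"]))
    rows.sort(key=lambda r: (ORDER[r[0]], r[1], r[2]))
    return rows


# Constructed sample inventory; the CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    {"asset": "lab-box-07", "cve": "CVE-XXXX-0001", "tag": "isolated",
     "kev": False, "epss": 0.02, "poc": False, "automatable": False, "impact": "low"},
    {"asset": "web-edge-01", "cve": "CVE-XXXX-0002", "tag": "internet-facing",
     "kev": True, "epss": 0.91, "poc": True, "automatable": True, "impact": "high"},
    {"asset": "hr-db-02", "cve": "CVE-XXXX-0003", "tag": "crown-jewel",
     "kev": False, "epss": 0.78, "poc": False, "automatable": False, "impact": "high"},
    {"asset": "vpn-gw-01", "cve": "CVE-XXXX-0004", "tag": "internet-facing",
     "kev": True, "epss": 0.40, "poc": True, "automatable": False, "impact": "medium"},
]

if __name__ == "__main__":
    assert tree_is_total_and_monotone()
    for verdict, asset, cve in patch_list(SAMPLE_FINDINGS):
        print(f"{verdict:7} {asset:12} {cve}")
```

The two properties checked by `tree_is_total_and_monotone()` are the ones worth asserting on any tree you adopt: every combination of inputs must map to a verdict (a gap becomes a silent "no decision" in the patch queue), and more exploitation evidence must never make a finding less urgent. On the sample inventory the KEV-listed, internet-facing, high-impact finding lands at the top as Act, the KEV-listed VPN gateway becomes Attend, and the isolated lab box stays at Track.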
Why CTI teams care
CVSS is a vulnerability score. SSVC is an operational decision. A SOC manager with 50,000 vulnerabilities and 10 patching slots a week needs the second, not the first. The shift from "we have a critical CVSS" to "this is an Act per SSVC" is the difference between a report and a ticket.