From 22b71fb5f9b6227b0cd142cf9d7f2d3880e45be9 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 29 Oct 2020 13:26:24 -0400 Subject: [PATCH 1/3] First attempt at allowing for sector-specific impact scenarios --- doc/version_1/045_treesForVulMgmt_3.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/version_1/045_treesForVulMgmt_3.md b/doc/version_1/045_treesForVulMgmt_3.md index 674d52e1..842f5477 100644 --- a/doc/version_1/045_treesForVulMgmt_3.md +++ b/doc/version_1/045_treesForVulMgmt_3.md @@ -231,6 +231,14 @@ Because of this higher sensitivity to safety concerns, we chose to retain a four | Hazardous | High | High | Very High | | Catastrophic | Very High | Very High | Very High | +#### Adapting Situated Safety / Mission Impact for Sector-Specific Scenarios + +We expect to encounter diversity in both safety and mission impacts across different organizations. However, we also anticipate a degree of commonality of impacts to arise across organizations within a given industry sector. + +In particular, different industry sectors may have different use cases for the same software, and therefore it may be appropriate for vulnerability information providers, i.e., Information Sharing and Analysis Organizations (ISAOs) to provide SSVC information tailored as appropriate to their constituency's safety and mission concerns. + + + ### System Exposure (Deployer) > The Accessible Attack Surface of the Affected System or Service From 92bb7ac3050856632ec467c31b00daf3c65268b0 Mon Sep 17 00:00:00 2001 From: j--- Date: Fri, 30 Oct 2020 12:02:48 -0400 Subject: [PATCH 2/3] Update 045_treesForVulMgmt_3.md Smoothed out writing style and added cross reference. --- doc/version_1/045_treesForVulMgmt_3.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/version_1/045_treesForVulMgmt_3.md b/doc/version_1/045_treesForVulMgmt_3.md index 842f5477..b27e0fd1 100644 --- a/doc/version_1/045_treesForVulMgmt_3.md 
+++ b/doc/version_1/045_treesForVulMgmt_3.md @@ -233,9 +233,11 @@ Because of this higher sensitivity to safety concerns, we chose to retain a four #### Adapting Situated Safety / Mission Impact for Sector-Specific Scenarios -We expect to encounter diversity in both safety and mission impacts across different organizations. However, we also anticipate a degree of commonality of impacts to arise across organizations within a given industry sector. - -In particular, different industry sectors may have different use cases for the same software, and therefore it may be appropriate for vulnerability information providers, i.e., Information Sharing and Analysis Organizations (ISAOs) to provide SSVC information tailored as appropriate to their constituency's safety and mission concerns. +We expect to encounter diversity in both safety and mission impacts across different organizations. However, we also anticipate a degree of commonality of impacts across organizations that are from the same industry sector. +For example, different industry sectors may have different use cases for the same software. +Therefore, vulnerability information providers -- that is, Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs) -- may provide SSVC information tailored as appropriate to their constituency's safety and mission concerns. +For considerations on how organizations might communicate SSVC information to their constituents, see [#pilot-results]. + From 367149e7fa661f8777fcd130d6a54a1858f35c5c Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 30 Oct 2020 12:33:39 -0400 Subject: [PATCH 3/3] add mention of vul databases too --- doc/version_1/045_treesForVulMgmt_3.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/doc/version_1/045_treesForVulMgmt_3.md b/doc/version_1/045_treesForVulMgmt_3.md index b27e0fd1..0771a05f 100644 --- a/doc/version_1/045_treesForVulMgmt_3.md 
+++ b/doc/version_1/045_treesForVulMgmt_3.md @@ -233,12 +233,11 @@ Because of this higher sensitivity to safety concerns, we chose to retain a four #### Adapting Situated Safety / Mission Impact for Sector-Specific Scenarios -We expect to encounter diversity in both safety and mission impacts across different organizations. However, we also anticipate a degree of commonality of impacts across organizations that are from the same industry sector. -For example, different industry sectors may have different use cases for the same software. -Therefore, vulnerability information providers -- that is, Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs) -- may provide SSVC information tailored as appropriate to their constituency's safety and mission concerns. +We expect to encounter diversity in both safety and mission impacts across different organizations. However, we also anticipate a degree of commonality of impacts to arise across organizations within a given industry sector. For example, different industry sectors may have different use cases for the same software. +Therefore, vulnerability information providers -- that is, vulnerability databases, Information Sharing and Analysis Organizations (ISAOs), or Information Sharing and Analysis Centers (ISACs) -- may provide SSVC information tailored as appropriate to their constituency's safety and mission concerns. For considerations on how organizations might communicate SSVC information to their constituents, see [#pilot-results]. - + ### System Exposure (Deployer)
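Review bot: in PATCH 1/3, "i.e., Information Sharing and Analysis Organizations (ISAOs)" presents ISAOs as the definition of "vulnerability information providers" rather than as one kind of provider; "such as" reads correctly here, and the later patches in the series show that the list is meant to grow. The hunk also adds three blank `+` lines before `### System Exposure (Deployer)` where the surrounding file uses a single blank line between sections; trimming these keeps the new subsection consistent with its neighbours.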
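Review bot: in PATCH 2/3, the added cross-reference `[#pilot-results]` is a bare bracketed anchor; nothing in this hunk shows that the document's build resolves that form into a link, so either confirm it matches how other sections cross-reference each other or write it as a standard link such as `[Pilot Results](#pilot-results)`. Replacing "i.e." with "that is" also keeps the sentence asserting that ISAOs and ISACs are the whole set of vulnerability information providers; "such as" would fix that while the list is still being expanded.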
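Review bot: in PATCH 3/3, adding "vulnerability databases" to the list while keeping "that is" makes an explicitly illustrative list read as an exhaustive one; "vulnerability information providers, such as vulnerability databases, ISAOs, or ISACs, may provide ..." says what the commit message intends. Two smaller points in the same hunk: PATCH 2/3 had put each sentence on its own line, and this patch rejoins "For example, different industry sectors ..." onto the first line, so the paragraph now mixes the two conventions; and the trailing `- ` / `+ ` pair replaces a blank line with a blank line, which looks like whitespace-only churn rather than part of the wording change and is worth dropping if it is not intentional.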