HOW TO USE THE CISA RESPONSE TIMELINE SSVC DECISION TREE

The CISA Response Timeline SSVC Decision Tree is a tool to support implementers of CISA BOD 26-04. Readers should consult the directive itself for details on how to apply the decision table below; what follows is only a brief introduction to its outcomes, decision points, and table structure.

Outcomes and Decision Points

The CISA Response Timeline has 4 binary decision points:

  1. InKEV
  2. Publicly Exposed
  3. Automatable
  4. Technical Impact

More information about each of these decision points is given further down this page.

These 4 decision points are combined to yield 4 outcomes for vulnerability response timelines:

CISA BOD 26-04 Remediation Timelines (cisa:BOD2604:1.0.0)

The CISA BOD 26-04 outcome group of remediation timelines for agencies to follow.

| Value | Key | Definition |
|---|---|---|
| Fix on system upgrade | FSU | The vulnerability should be remediated the next time the vulnerable asset receives a scheduled major upgrade or rebuild. |
| 60 days | 60D | Remediate within 60 days. |
| 14 days | 14D | Remediate within 14 days. |
| 3 days | 3D | Remediate within 3 days. |
| 3 days & forensic investigation | 3DF | Remediate within 3 days and carry out a forensic triage of the asset to assess whether the system is compromised. |
CISA BOD 26-04 Remediation Timelines (cisa:BOD2604:1.0.0) JSON Example
{
  "namespace": "cisa",
  "key": "BOD2604",
  "version": "1.0.0",
  "name": "CISA BOD 26-04 Remediation Timelines",
  "definition": "The CISA BOD 26-04 outcome group of remediation timelines for agencies to follow.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "FSU",
      "name": "Fix on system upgrade",
      "definition": "The vulnerability should be remediated the next time the vulnerable asset receives a scheduled major upgrade or rebuild."
    },
    {
      "key": "60D",
      "name": "60 days",
      "definition": "Remediate within 60 days."
    },
    {
      "key": "14D",
      "name": "14 days",
      "definition": "Remediate within 14 days."
    },
    {
      "key": "3D",
      "name": "3 days",
      "definition": "Remediate within 3 days."
    },
    {
      "key": "3DF",
      "name": "3 days & forensic investigation",
      "definition": "Remediate within 3 days and carry out a forensic triage of the asset to assess whether the system is compromised."
    }
  ]
}

In KEV, Automatable, and Technical Impact describe the vulnerability itself, whereas Publicly Exposed describes the state of the asset on which it is found.

In KEV (cisa:KEV:1.0.0)

Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.

| Value | Key | Definition |
|---|---|---|
| No | N | Vulnerability is not listed in KEV. |
| Yes | Y | Vulnerability is listed in KEV. |
In KEV (cisa:KEV:1.0.0) JSON Example
{
  "namespace": "cisa",
  "key": "KEV",
  "version": "1.0.0",
  "name": "In KEV",
  "definition": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "No",
      "definition": "Vulnerability is not listed in KEV."
    },
    {
      "key": "Y",
      "name": "Yes",
      "definition": "Vulnerability is listed in KEV."
    }
  ]
}

Publicly Exposed (cisa:PE:1.0.0)

Denotes whether the asset is accessible to unauthenticated or untrusted entities via public networks.

| Value | Key | Definition |
|---|---|---|
| No | N | The asset is not accessible to unauthenticated or untrusted entities via public networks, such as the internet, regardless of its physical or logical location. |
| Yes | Y | The asset is accessible to unauthenticated or untrusted entities via public networks, such as the internet, regardless of its physical or logical location. |
Publicly Exposed (cisa:PE:1.0.0) JSON Example
{
  "namespace": "cisa",
  "key": "PE",
  "version": "1.0.0",
  "name": "Publicly Exposed",
  "definition": "Denotes whether the asset is accessible to unauthenticated or untrusted entities via public networks.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "No",
      "definition": "The asset is not accessible to unauthenticated or untrusted entities via public networks, such as the internet, regardless of its physical or logical location."
    },
    {
      "key": "Y",
      "name": "Yes",
      "definition": "The asset is accessible to unauthenticated or untrusted entities via public networks, such as the internet, regardless of its physical or logical location."
    }
  ]
}

Automatable (ssvc:A:2.0.0)

Can an attacker reliably automate creating exploitation events for this vulnerability?

| Value | Key | Definition |
|---|---|---|
| No | N | Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation. |
| Yes | Y | Attackers can reliably automate steps 1-4 of the kill chain. |
Automatable (ssvc:A:2.0.0) JSON Example
{
  "namespace": "ssvc",
  "key": "A",
  "version": "2.0.0",
  "name": "Automatable",
  "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "No",
      "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
    },
    {
      "key": "Y",
      "name": "Yes",
      "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
    }
  ]
}

Technical Impact (ssvc:TI:1.0.0)

The technical impact of the vulnerability.

| Value | Key | Definition |
|---|---|---|
| Partial | P | The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. |
| Total | T | The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability. |
Technical Impact (ssvc:TI:1.0.0) JSON Example
{
  "namespace": "ssvc",
  "key": "TI",
  "version": "1.0.0",
  "name": "Technical Impact",
  "definition": "The technical impact of the vulnerability.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "P",
      "name": "Partial",
      "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
    },
    {
      "key": "T",
      "name": "Total",
      "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
    }
  ]
}

CISA BOD 26-04 Decision Model

---
title: CISA BOD 26-04 Decision Table (cisa:DT_BOD2604:1.0.0)
---
graph LR
subgraph inputs[Inputs]
n1(( ))
subgraph s1["cisa:KEV:1.0.0"]
N_L0([N])
Y_L0([Y])
end
subgraph s2["cisa:PE:1.0.0"]
N_N_L1([N])
Y_N_L1([N])
N_Y_L1([Y])
Y_Y_L1([Y])
end
subgraph s3["ssvc:A:2.0.0"]
N_N_N_L2([N])
Y_N_N_L2([N])
N_Y_N_L2([N])
N_N_Y_L2([Y])
Y_Y_N_L2([N])
Y_N_Y_L2([Y])
N_Y_Y_L2([Y])
Y_Y_Y_L2([Y])
end
subgraph s4["ssvc:TI:1.0.0"]
N_N_N_P_L3([P])
Y_N_N_P_L3([P])
N_Y_N_P_L3([P])
N_N_Y_P_L3([P])
N_N_N_T_L3([T])
Y_Y_N_P_L3([P])
Y_N_Y_P_L3([P])
N_Y_Y_P_L3([P])
Y_N_N_T_L3([T])
N_Y_N_T_L3([T])
N_N_Y_T_L3([T])
Y_Y_Y_P_L3([P])
Y_Y_N_T_L3([T])
Y_N_Y_T_L3([T])
N_Y_Y_T_L3([T])
Y_Y_Y_T_L3([T])
end
end
subgraph outputs[Outcome]
subgraph s5["cisa:BOD2604:1.0.0"]
N_N_N_P_FSU_L4([FSU])
Y_N_N_P_14D_L4([14D])
N_Y_N_P_60D_L4([60D])
N_N_Y_P_60D_L4([60D])
N_N_N_T_FSU_L4([FSU])
Y_Y_N_P_14D_L4([14D])
Y_N_Y_P_14D_L4([14D])
N_Y_Y_P_14D_L4([14D])
Y_N_N_T_14D_L4([14D])
N_Y_N_T_14D_L4([14D])
N_N_Y_T_60D_L4([60D])
Y_Y_Y_P_3D_L4([3D])
Y_Y_N_T_3DF_L4([3DF])
Y_N_Y_T_3DF_L4([3DF])
N_Y_Y_T_3D_L4([3D])
Y_Y_Y_T_3DF_L4([3DF])
end
end
n1 --- N_L0
n1 --- Y_L0
N_L0 --- N_N_L1
N_N_L1 --- N_N_N_L2
N_N_N_L2 --- N_N_N_P_L3
N_N_N_P_L3 --- N_N_N_P_FSU_L4
Y_L0 --- Y_N_L1
Y_N_L1 --- Y_N_N_L2
Y_N_N_L2 --- Y_N_N_P_L3
Y_N_N_P_L3 --- Y_N_N_P_14D_L4
N_L0 --- N_Y_L1
N_Y_L1 --- N_Y_N_L2
N_Y_N_L2 --- N_Y_N_P_L3
N_Y_N_P_L3 --- N_Y_N_P_60D_L4
N_N_L1 --- N_N_Y_L2
N_N_Y_L2 --- N_N_Y_P_L3
N_N_Y_P_L3 --- N_N_Y_P_60D_L4
N_N_N_L2 --- N_N_N_T_L3
N_N_N_T_L3 --- N_N_N_T_FSU_L4
Y_L0 --- Y_Y_L1
Y_Y_L1 --- Y_Y_N_L2
Y_Y_N_L2 --- Y_Y_N_P_L3
Y_Y_N_P_L3 --- Y_Y_N_P_14D_L4
Y_N_L1 --- Y_N_Y_L2
Y_N_Y_L2 --- Y_N_Y_P_L3
Y_N_Y_P_L3 --- Y_N_Y_P_14D_L4
N_Y_L1 --- N_Y_Y_L2
N_Y_Y_L2 --- N_Y_Y_P_L3
N_Y_Y_P_L3 --- N_Y_Y_P_14D_L4
Y_N_N_L2 --- Y_N_N_T_L3
Y_N_N_T_L3 --- Y_N_N_T_14D_L4
N_Y_N_L2 --- N_Y_N_T_L3
N_Y_N_T_L3 --- N_Y_N_T_14D_L4
N_N_Y_L2 --- N_N_Y_T_L3
N_N_Y_T_L3 --- N_N_Y_T_60D_L4
Y_Y_L1 --- Y_Y_Y_L2
Y_Y_Y_L2 --- Y_Y_Y_P_L3
Y_Y_Y_P_L3 --- Y_Y_Y_P_3D_L4
Y_Y_N_L2 --- Y_Y_N_T_L3
Y_Y_N_T_L3 --- Y_Y_N_T_3DF_L4
Y_N_Y_L2 --- Y_N_Y_T_L3
Y_N_Y_T_L3 --- Y_N_Y_T_3DF_L4
N_Y_Y_L2 --- N_Y_Y_T_L3
N_Y_Y_T_L3 --- N_Y_Y_T_3D_L4
Y_Y_Y_L2 --- Y_Y_Y_T_L3
Y_Y_Y_T_L3 --- Y_Y_Y_T_3DF_L4

Table of Values

The table below shows the values for the decision model. Each row of the table corresponds to a path through the decision model diagram above.


| Row | In KEV v1.0.0 (cisa) | Publicly Exposed v1.0.0 (cisa) | Automatable v2.0.0 | Technical Impact v1.0.0 | CISA BOD 26-04 Remediation Timelines v1.0.0 (cisa) |
|---|---|---|---|---|---|
| 0 | no | no | no | partial | fix on system upgrade |
| 1 | yes | no | no | partial | 14 days |
| 2 | no | yes | no | partial | 60 days |
| 3 | no | no | yes | partial | 60 days |
| 4 | no | no | no | total | fix on system upgrade |
| 5 | yes | yes | no | partial | 14 days |
| 6 | yes | no | yes | partial | 14 days |
| 7 | no | yes | yes | partial | 14 days |
| 8 | yes | no | no | total | 14 days |
| 9 | no | yes | no | total | 14 days |
| 10 | no | no | yes | total | 60 days |
| 11 | yes | yes | yes | partial | 3 days |
| 12 | yes | yes | no | total | 3 days & forensic investigation |
| 13 | yes | no | yes | total | 3 days & forensic investigation |
| 14 | no | yes | yes | total | 3 days |
| 15 | yes | yes | yes | total | 3 days & forensic investigation |
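As an added example (not the SSVC project's or CISA's own code), the lookup below encodes the 16 rows of the table above using the decision-point and outcome keys defined on this page, rejects undefined keys, and runs two checks a practitioner would want before trusting a transcribed table: every input path is covered, and flipping any single decision point to its more severe value never yields a less urgent timeline. The urgency ranking FSU < 60D < 14D < 3D < 3DF is an assumption drawn from the outcome definitions.

```python
from itertools import product

# Decision points in table order; keys listed from least to most severe.
DECISION_POINTS = {
    "cisa:KEV:1.0.0": ("N", "Y"),   # In KEV
    "cisa:PE:1.0.0": ("N", "Y"),    # Publicly Exposed
    "ssvc:A:2.0.0": ("N", "Y"),     # Automatable
    "ssvc:TI:1.0.0": ("P", "T"),    # Technical Impact
}

# (In KEV, Publicly Exposed, Automatable, Technical Impact) -> outcome key,
# transcribed from rows 0-15 of the Table of Values.
DECISION_TABLE = {
    ("N", "N", "N", "P"): "FSU", ("Y", "N", "N", "P"): "14D",   # rows 0, 1
    ("N", "Y", "N", "P"): "60D", ("N", "N", "Y", "P"): "60D",   # rows 2, 3
    ("N", "N", "N", "T"): "FSU", ("Y", "Y", "N", "P"): "14D",   # rows 4, 5
    ("Y", "N", "Y", "P"): "14D", ("N", "Y", "Y", "P"): "14D",   # rows 6, 7
    ("Y", "N", "N", "T"): "14D", ("N", "Y", "N", "T"): "14D",   # rows 8, 9
    ("N", "N", "Y", "T"): "60D", ("Y", "Y", "Y", "P"): "3D",    # rows 10, 11
    ("Y", "Y", "N", "T"): "3DF", ("Y", "N", "Y", "T"): "3DF",   # rows 12, 13
    ("N", "Y", "Y", "T"): "3D",  ("Y", "Y", "Y", "T"): "3DF",   # rows 14, 15
}

# Assumed urgency ranking of the cisa:BOD2604:1.0.0 outcomes, least to most.
URGENCY = {k: i for i, k in enumerate(("FSU", "60D", "14D", "3D", "3DF"))}


def remediation_timeline(in_kev, publicly_exposed, automatable, technical_impact):
    """Return the outcome key for one vulnerability/asset pair, rejecting any
    value that is not a defined key for its decision point."""
    path = (in_kev, publicly_exposed, automatable, technical_impact)
    for (dp, allowed), value in zip(DECISION_POINTS.items(), path):
        if value not in allowed:
            raise ValueError(f"{value!r} is not a key of {dp}; expected {allowed}")
    return DECISION_TABLE[path]


def table_is_complete():
    """True when the table maps every one of the 2^4 input paths."""
    return set(DECISION_TABLE) == set(product(*DECISION_POINTS.values()))


def monotonicity_violations():
    """Flipping one decision point to its more severe value must never give a
    less urgent outcome. Returns the (path, worse_path) pairs that break this."""
    bad = []
    for path, outcome in DECISION_TABLE.items():
        for i, allowed in enumerate(DECISION_POINTS.values()):
            if path[i] == allowed[0]:
                worse = path[:i] + (allowed[1],) + path[i + 1:]
                if URGENCY[DECISION_TABLE[worse]] < URGENCY[outcome]:
                    bad.append((path, worse))
    return bad
```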