Outcome Decision Points
SSVC outcomes are just Decision Point objects. The only distinction is that these Decision Points are usually intended to be used as the outputs of a decision, whereas most other Decision Points are intended to serve as inputs to a decision. However, there are use cases (e.g., compound decision points) where an outcome of one decision may feed into another decision, so the distinction between input and output is somewhat arbitrary. Hence, we chose to use the same data structure for both.
Following is a list of Decision Points often used as outcomes in SSVC decision models.
Decline, Track, Coordinate (ssvc:COORDINATE:1.0.1)
The coordinate outcome group.
| Value | Key | Definition |
|---|---|---|
| Decline | D | Do not act on the report. |
| Track | T | Receive information about the vulnerability and monitor for status changes but do not take any overt actions. |
| Coordinate | C | Take action on the report. |
Decline, Track, Coordinate (ssvc:COORDINATE:1.0.1) JSON Example
{
"namespace": "ssvc",
"key": "COORDINATE",
"version": "1.0.1",
"name": "Decline, Track, Coordinate",
"definition": "The coordinate outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Decline",
"definition": "Do not act on the report."
},
{
"key": "T",
"name": "Track",
"definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
},
{
"key": "C",
"name": "Coordinate",
"definition": "Take action on the report."
}
]
}
Defer, Scheduled, Out-of-Cycle, Immediate (ssvc:DSOI:1.0.0)
The original SSVC outcome group.
| Value | Key | Definition |
|---|---|---|
| Defer | D | Defer |
| Scheduled | S | Scheduled |
| Out-of-Cycle | O | Out-of-Cycle |
| Immediate | I | Immediate |
Defer, Scheduled, Out-of-Cycle, Immediate (ssvc:DSOI:1.0.0) JSON Example
{
"namespace": "ssvc",
"key": "DSOI",
"version": "1.0.0",
"name": "Defer, Scheduled, Out-of-Cycle, Immediate",
"definition": "The original SSVC outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Defer",
"definition": "Defer"
},
{
"key": "S",
"name": "Scheduled",
"definition": "Scheduled"
},
{
"key": "O",
"name": "Out-of-Cycle",
"definition": "Out-of-Cycle"
},
{
"key": "I",
"name": "Immediate",
"definition": "Immediate"
}
]
}
Publish, Do Not Publish (ssvc:PUBLISH:1.0.0)
The publish outcome group.
| Value | Key | Definition |
|---|---|---|
| Do Not Publish | N | Do Not Publish |
| Publish | P | Publish |
Publish, Do Not Publish (ssvc:PUBLISH:1.0.0) JSON Example
{
"namespace": "ssvc",
"key": "PUBLISH",
"version": "1.0.0",
"name": "Publish, Do Not Publish",
"definition": "The publish outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Do Not Publish",
"definition": "Do Not Publish"
},
{
"key": "P",
"name": "Publish",
"definition": "Publish"
}
]
}
CISA Levels (cisa:CISA:1.1.0)
The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.
| Value | Key | Definition |
|---|---|---|
| Track | T | The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines. |
| Track* | T* | The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines. |
| Attend | AT | The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines. |
| Act | AC | The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible. |
CISA Levels (cisa:CISA:1.1.0) JSON Example
{
"namespace": "cisa",
"key": "CISA",
"version": "1.1.0",
"name": "CISA Levels",
"definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "T",
"name": "Track",
"definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
},
{
"key": "T*",
"name": "Track*",
"definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
},
{
"key": "AT",
"name": "Attend",
"definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
},
{
"key": "AC",
"name": "Act",
"definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
}
]
}
Do, Schedule, Delegate, Delete (basic:IKE:1.0.0)
The Eisenhower outcome group.
| Value | Key | Definition |
|---|---|---|
| Delete | D | Delete |
| Delegate | G | Delegate |
| Schedule | S | Schedule |
| Do | O | Do |
Do, Schedule, Delegate, Delete (basic:IKE:1.0.0) JSON Example
{
"namespace": "basic",
"key": "IKE",
"version": "1.0.0",
"name": "Do, Schedule, Delegate, Delete",
"definition": "The Eisenhower outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Delete",
"definition": "Delete"
},
{
"key": "G",
"name": "Delegate",
"definition": "Delegate"
},
{
"key": "S",
"name": "Schedule",
"definition": "Schedule"
},
{
"key": "O",
"name": "Do",
"definition": "Do"
}
]
}
LowMediumHigh (basic:LMH:1.0.0)
A Low/Medium/High decision point / outcome group.
| Value | Key | Definition |
|---|---|---|
| Low | L | Low |
| Medium | M | Medium |
| High | H | High |
LowMediumHigh (basic:LMH:1.0.0) JSON Example
{
"namespace": "basic",
"key": "LMH",
"version": "1.0.0",
"name": "LowMediumHigh",
"definition": "A Low/Medium/High decision point / outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"definition": "Low"
},
{
"key": "M",
"name": "Medium",
"definition": "Medium"
},
{
"key": "H",
"name": "High",
"definition": "High"
}
]
}
MoSCoW (basic:MSCW:1.0.0)
The MoSCoW (Must, Should, Could, Won't) outcome group.
| Value | Key | Definition |
|---|---|---|
| Won't | W | Won't |
| Could | C | Could |
| Should | S | Should |
| Must | M | Must |
MoSCoW (basic:MSCW:1.0.0) JSON Example
{
"namespace": "basic",
"key": "MSCW",
"version": "1.0.0",
"name": "MoSCoW",
"definition": "The MoSCoW (Must, Should, Could, Won't) outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "W",
"name": "Won't",
"definition": "Won't"
},
{
"key": "C",
"name": "Could",
"definition": "Could"
},
{
"key": "S",
"name": "Should",
"definition": "Should"
},
{
"key": "M",
"name": "Must",
"definition": "Must"
}
]
}
Value, Complexity (basic:VALUE_COMPLEXITY:1.0.0)
The Value/Complexity outcome group.
| Value | Key | Definition |
|---|---|---|
| Drop | D | Drop |
| Reconsider Later | R | Reconsider Later |
| Easy Win | E | Easy Win |
| Do First | F | Do First |
Value, Complexity (basic:VALUE_COMPLEXITY:1.0.0) JSON Example
{
"namespace": "basic",
"key": "VALUE_COMPLEXITY",
"version": "1.0.0",
"name": "Value, Complexity",
"definition": "The Value/Complexity outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Drop",
"definition": "Drop"
},
{
"key": "R",
"name": "Reconsider Later",
"definition": "Reconsider Later"
},
{
"key": "E",
"name": "Easy Win",
"definition": "Easy Win"
},
{
"key": "F",
"name": "Do First",
"definition": "Do First"
}
]
}
YesNo (basic:YN:1.0.0)
A Yes/No decision point / outcome group.
| Value | Key | Definition |
|---|---|---|
| No | N | No |
| Yes | Y | Yes |
YesNo (basic:YN:1.0.0) JSON Example
{
"namespace": "basic",
"key": "YN",
"version": "1.0.0",
"name": "YesNo",
"definition": "A Yes/No decision point / outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "No",
"definition": "No"
},
{
"key": "Y",
"name": "Yes",
"definition": "Yes"
}
]
}
theParanoids (x_com.yahooinc#prioritized-risk-remediation:PARANOIDS:1.0.0)
PrioritizedRiskRemediation outcome group based on TheParanoids.
| Value | Key | Definition |
|---|---|---|
| Track 5 | 5 | Track |
| Track Closely 4 | 4 | Track Closely |
| Attend 3 | 3 | Attend |
| Attend 2 | 2 | Attend |
| Act 1 | 1 | Act |
| Act ASAP 0 | 0 | Act ASAP |
theParanoids (x_com.yahooinc#prioritized-risk-remediation:PARANOIDS:1.0.0) JSON Example
{
"namespace": "x_com.yahooinc#prioritized-risk-remediation",
"key": "PARANOIDS",
"version": "1.0.0",
"name": "theParanoids",
"definition": "PrioritizedRiskRemediation outcome group based on TheParanoids.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "5",
"name": "Track 5",
"definition": "Track"
},
{
"key": "4",
"name": "Track Closely 4",
"definition": "Track Closely"
},
{
"key": "3",
"name": "Attend 3",
"definition": "Attend"
},
{
"key": "2",
"name": "Attend 2",
"definition": "Attend"
},
{
"key": "1",
"name": "Act 1",
"definition": "Act"
},
{
"key": "0",
"name": "Act ASAP 0",
"definition": "Act ASAP"
}
]
}