Feature
Resolution: Unresolved
Critical
0% To Do, 100% In Progress, 0% Done
Goal Summary:
ACS identifies CVEs that have a known public exploit associated with them, as per the CISA KEV catalog.
CUSTOMER PROBLEM
Customers are overwhelmed with known vulnerabilities and need more help to prioritize which issues to address first.
The Cybersecurity and Infrastructure Security Agency (CISA) maintains the authoritative source of vulnerabilities that have been exploited in the wild, listed as Known Exploited Vulnerabilities (KEV) in the KEV catalog. Organizations are interested in the KEV catalog and should use it as an input to their vulnerability management prioritization framework.
USERS
DevSecOps, App and Platform SRE
Goals and expected user outcomes:
ACS users can view which CVEs have a known public exploit associated with them, so that they can prioritize remediation of those CVEs if a fix is available.
ACCEPTANCE CRITERIA
- ACS Scanner V4 consumes data from the KEV catalog
- ACS Scanner V4 successfully highlights those CVEs which have a known public exploit associated with them, based on KEV catalog data
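A sketch of the flow the acceptance criteria describe, added here as an illustration and not taken from ACS or Scanner V4: catalog entries are indexed by CVE id, scan findings are matched against them, and KEV-listed findings with a fix available are ranked first. The finding fields (`cve`, `cvss`, `fixed_by`) and both function names are hypothetical, and the catalog sample is constructed in the shape of CISA's KEV JSON feed with placeholder CVE ids.

```python
import json

# Constructed sample in the shape of CISA's KEV JSON feed; the CVE ids are
# placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2024-01-10",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2024-02-01",
         "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical scanner findings (field names are assumptions, not ACS's schema).
FINDINGS = [
    {"cve": "CVE-0000-0003", "cvss": 9.8, "fixed_by": "1.2.4"},
    {"cve": "cve-0000-0002", "cvss": 6.5, "fixed_by": None},
    {"cve": "CVE-0000-0001", "cvss": 7.2, "fixed_by": "3.0.1"},
    {"cve": "CVE-0000-0002", "cvss": 6.5, "fixed_by": "2.0.0"},
]

def load_kev_index(raw):
    """Index catalog entries by upper-cased CVE id, skipping malformed ones."""
    index = {}
    for entry in json.loads(raw).get("vulnerabilities", []):
        cve = str(entry.get("cveID", "")).strip().upper()
        if cve.startswith("CVE-"):
            index[cve] = entry
    return index

def prioritize(findings, kev_index):
    """Annotate findings with KEV data; order KEV+fixable, other KEV, the rest."""
    annotated = []
    for f in findings:
        kev = kev_index.get(f["cve"].strip().upper())  # ids compared case-insensitively
        annotated.append({
            **f,
            "kev": kev is not None,
            "kev_due": kev.get("dueDate") if kev else None,
            "ransomware": bool(kev) and kev.get("knownRansomwareCampaignUse") == "Known",
        })
    # Within each tier, known ransomware use and then higher CVSS sort first.
    return sorted(annotated, key=lambda f: (
        not f["kev"], not (f["kev"] and f["fixed_by"]),
        not f["ransomware"], -f["cvss"]))

if __name__ == "__main__":
    for f in prioritize(FINDINGS, load_kev_index(KEV_SAMPLE)):
        print(f["cve"], "KEV" if f["kev"] else "-", f["fixed_by"] or "no fix")
```

The CVSS 9.8 finding ranks last here because it is not in the catalog, which is the prioritization change the feature is meant to surface.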
Success Criteria or KPIs measured:
Amplitude statistics indicating how many times CVE information was viewed based on CISA KEV information.