CERTCC · ahouseholder · Aug 13, 2025 · Aug 12, 2025 · Aug 12, 2025 · Aug 12, 2025
@@ -1,7 +1,7 @@
 {
   "namespace": "cisa",
   "key": "CISA",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "name": "CISA Levels",
   "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
   "schemaVersion": "2.0.0",
@@ -17,12 +17,12 @@
       "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
     },
     {
-      "key": "A",
+      "key": "AT",
       "name": "Attend",
       "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
     },
     {
-      "key": "A",
+      "key": "AC",
       "name": "Act",
       "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
     }

@@ -0,0 +1,25 @@
+{
+  "namespace": "cvss",
+  "key": "E_NoX",
+  "version": "2.0.0",
+  "name": "Exploit Maturity (without Not Defined)",
+  "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
+  "schemaVersion": "2.0.0",
+  "values": [
+    {
+      "key": "U",
+      "name": "Unreported",
+      "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+    },
+    {
+      "key": "P",
+      "name": "Proof-of-Concept",
+      "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+    },
+    {
+      "key": "A",
+      "name": "Attacked",
+      "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+    }
+  ]
+}
@@ -0,0 +1,30 @@
+{
+  "namespace": "ssvc",
+  "key": "HI",
+  "version": "2.0.2",
+  "name": "Human Impact",
+  "description": "Human Impact is a combination of Safety and Mission impacts.",
+  "schemaVersion": "2.0.0",
+  "values": [
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+    },
+    {
+      "key": "M",
+      "name": "Medium",
+      "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+    },
+    {
+      "key": "VH",
+      "name": "Very High",
+      "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+    }
+  ]
+}
@@ -1,7 +1,7 @@
 {
   "namespace": "ssvc",
   "key": "PWI",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "name": "Public Well-Being Impact",
   "description": "A coarse-grained representation of impact to public well-being.",
   "schemaVersion": "2.0.0",
@@ -12,7 +12,7 @@
       "description": "The effect is below the threshold for all aspects described in material. "
     },
     {
-      "key": "M",
+      "key": "MA",
       "name": "Material",
       "description": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
     },