CISA implements OASIS CSAF 2.0 standard to security advisories for ICS, OT, medical devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it has formally adopted the OASIS Common Security Advisory Framework (CSAF) Version 2.0 standard for issuing security advisories related to ICS (industrial control systems), OT (operational technology), and medical devices. The move delivers machine-readable advisories in the CSAF 2.0 format and invites vendors to join the agency in taking proactive steps to enable automation, future tooling, and timely remediation.

“In the current risk environment, organizations are challenged to manage the growing number and complexity of new vulnerabilities,” Lindsey Cerkovnik, chief of vulnerability response and coordination, together with Daniel Larson, Justin Murphy, and Brandon Tarr, wrote in a Friday CISA blog post. “A critical step in helping organizations achieve better efficiency in triaging and prioritizing vulnerability management efforts is introducing greater automation into the ecosystem. CSAF supports automation of the production, distribution, and consumption of security advisories — reducing the time between when vulnerabilities are disclosed and when businesses remediate them and enabling future tooling for automated vulnerability information sharing.”

The executives detailed that by providing machine-readable advisories using the CSAF 2.0 standard, vendors and providers of software and hardware can join CISA in taking proactive steps to enable automation and future tooling, driving timely remediation.

The initiative builds on the approach the agency laid out last October, which addressed the need to transform the vulnerability management landscape. The agency identified that in the current risk environment, organizations of all sizes are challenged to manage the number and complexity of new vulnerabilities, and called upon organizations to use a vulnerability management framework that considers a vulnerability’s exploitation status.

With this strategy in consideration, CISA now provides machine-readable CSAF documents alongside every new ICS Advisory and those dating back to 2017, the CISA executives wrote. “Our ICS CSAF advisories will be located within the human-readable advisories themselves, or directly via CISA’s GitHub CSAF repository. This shift to CSAF format will also drive other vulnerability response and coordination initiatives at CISA to automate and streamline the drafting and publication process for these ever increasing and critical ICS Advisories,” they added.

Additionally, CISA urges software and hardware vendors to adopt CSAF for their security advisories. “On the OASIS CSAF 2.0 standard webpage, vendors will find more information and background about this framework. A suite of tools for consumers and producers using CSAF is available on OASIS’ CSAF Open Source Tools GitHub.”

CSAF Version 2.0 is the definitive reference for the language that supports the creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities, and the status of impact and remediation among interested parties.

“A Security Advisory defined as a CSAF document is the result of complex orchestration of many players and distinct and partially difficult to play schemas,” according to details published on the OASIS CSAF 2.0 standard webpage. “The format chosen is [JSONSchema] which allows validation and delegation to sub schema providers. The latter aligns well with separation of concerns and shares the format family of information interchange utilized by the providers of product and vulnerability information which migrated from XML to JSON since the creation of CSAF CVRF version 1.2, the predecessor of this specification.”

The webpage also details that the CSAF schema structures its derived documents into three main classes of information: the frame, aggregation, and reference information of the document; product information considered relevant by the creator; and vulnerability information and its relation to the products declared. “Wherever possible repetition of data has been replaced by linkage through ID elements. Consistency on the content level thus is in the responsibility of the producer of such documents, to link e.g. vulnerability information to the matching product,” it added.

The further documentation of the CSAF schema is organized via Definitions and Properties. Definitions provide types that extend the JSON schema model, while properties use these types to support assembling security advisories. Types and properties together provide the vocabulary for the domain specific language supporting security advisories.

The documentation added that CSAF documents do not have many required fields as they can be used for different purposes. “To ensure a common understanding of which fields are required in a given use case the standard defines profiles. Each subsection describes such a profile by describing necessary content for that specific use case and providing insights into its purpose. The value of ‘/document/category’ is used to identify a CSAF document’s profile,” it added.
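As an added example (not CISA’s or OASIS’s code), the following Python consumer-side check builds on the two points above: it reads the profile from /document/category and verifies that every product_id referenced in the vulnerabilities section is declared in product_tree, the ID linkage the specification leaves to the producer’s care. The sample document is constructed and abbreviated; only the field names are taken from the CSAF 2.0 schema.

```python
# Added example (not CISA's or OASIS's code). CSAF links vulnerabilities to
# products only through product_id strings, so a consumer should confirm that
# every referenced id is actually declared in product_tree before acting on it.

# Constructed, deliberately abbreviated sample (not a real CISA advisory; omits
# required fields such as publisher and tracking). CSAFPID-0002 is referenced
# but never declared, to show what the check catches.
SAMPLE_CSAF = {
    "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
                 "title": "Example advisory"},
    "product_tree": {"branches": [{"category": "vendor", "name": "Example Vendor",
        "branches": [{"category": "product_name", "name": "PLC Firmware",
            "product": {"product_id": "CSAFPID-0001",
                        "name": "Example Vendor PLC Firmware 1.0"}}]}]},
    "vulnerabilities": [{
        "title": "Example memory-safety bug",
        "product_status": {"known_affected": ["CSAFPID-0001", "CSAFPID-0002"]},
        "remediations": [{"category": "vendor_fix", "details": "Update to 1.1",
                          "product_ids": ["CSAFPID-0001"]}],
    }],
}

def declared_product_ids(product_tree):
    """Every product_id declared in product_tree (branches nest recursively;
    ids introduced via product_tree/relationships are not walked here)."""
    ids = {f["product_id"] for f in product_tree.get("full_product_names", [])}
    def walk(branches):
        for b in branches:
            if "product" in b:
                ids.add(b["product"]["product_id"])
            walk(b.get("branches", []))
    walk(product_tree.get("branches", []))
    return ids

def dangling_product_refs(doc):
    """product_ids referenced by vulnerabilities but never declared in product_tree."""
    declared = declared_product_ids(doc.get("product_tree", {}))
    referenced = set()
    for vuln in doc.get("vulnerabilities", []):
        for ids in vuln.get("product_status", {}).values():  # all values are id lists
            referenced.update(ids)
        for rem in vuln.get("remediations", []):
            referenced.update(rem.get("product_ids", []))
    return sorted(referenced - declared)

def profile(doc):
    """The profile is identified by /document/category (e.g. csaf_security_advisory)."""
    return doc["document"]["category"]

if __name__ == "__main__":
    print(profile(SAMPLE_CSAF), dangling_product_refs(SAMPLE_CSAF))
```

A non-empty result from dangling_product_refs means the advisory cannot be matched to an inventory by product_id alone and should be queued for manual review rather than fed straight into automated remediation.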

Last week, CISA published its Hardware Bill of Materials (HBOM) framework for Supply Chain Risk Management, which creates a consistent, replicable avenue for vendors to engage with purchasers about hardware components in their current or prospective product acquisitions. The framework equips purchasers with the means to thoroughly evaluate and mitigate risks within their supply chains. It also includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance on what HBOM information is appropriate depending on the purpose for which the HBOM will be used.
