In the cybersecurity field, large databases of known threats and vulnerabilities have often been an essential resource. These catalogs show you where to focus your efforts. They’re also a good tool for prioritizing patches to increase security and mitigate the risk of disaster. As a result, these databases need to be reliable and up-to-date and use the correct criteria to assess vulnerabilities.

In November, the Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of known vulnerabilities and made it public. The agency shared its own deadlines for patches, first intended for federal agencies but useful as guidelines for the private sector as well. The CISA list is a noteworthy change in the cybersecurity space because it uses slightly different criteria than the Common Vulnerability Scoring System (CVSS), another key resource for assessing cyber vulnerabilities.

How are the two systems different? Take a look at the pros and cons of moving to the CISA catalog and away from the CVSS, and what it all means for security-conscious organizations.


One of the key differences between the CISA catalog and the CVSS is the criteria for prioritizing patches. CISA recommends patches based on exploitability, while the CVSS bases its recommendations on criticality.

Let’s explore those two concepts:

  • Exploitability — categorizing vulnerabilities and recommending patches based on actual exploits that have taken place.

  • Criticality — categorizing vulnerabilities and recommending patches based on a severity score assigned by the CVSS.

What Is the CVSS Scoring System?

To understand how the CVSS works, we need to examine its scoring system.

The CVSS is an open framework designed to catalog software vulnerabilities according to their characteristics and how severe they are. It uses three groups of metrics: Base, Temporal and Environmental.

  • The Base Score rates the severity of a vulnerability from zero to 10 according to its intrinsic properties, factors that stay constant at all times. In other words, in a worst-case scenario with no mitigation whatsoever, this is how severe the vulnerability will likely be.

  • The Temporal Score refers to factors that change over time. That also means it needs to be re-checked on an ongoing basis. As the temporal metric changes, it also modifies the Base Score.

  • The Environmental Score is influenced by the computing environment within which the vulnerability exists. This is up to each organization to tweak according to their own security measures. It affects both the Base and Temporal Scores.

The CVSS works well as a method of monitoring and ranking vulnerabilities on an ongoing basis according to a range of factors. It’s often accurate and reliable and can be used by all types of businesses or agencies.

However, the CVSS has its weak points.

The Drawbacks of CVSS

The main drawback of the CVSS scoring system is that it relies on what the scorer knows about a vulnerability. So, if you have a lot of information on a specific vulnerability and how it relates to your own systems, it’s possible to produce a very accurate and trustworthy CVSS result to make confident security decisions and take actions in the right order.

However, if you lack information about that vulnerability, the CVSS score will not be accurate.

So, what can businesses do instead? Is the CISA catalog a better alternative in many cases?

Why Switch to CISA?

The CISA catalog has one major advantage over the CVSS, prompting many companies to switch to it now that the catalog is open to the public. In essence, the CISA catalog captures Common Vulnerabilities and Exposures (CVEs) only when they have active exploits underway. This means it focuses on the most urgent patches — those that an attacker is exploiting.

The big difference here is that CISA puts exploitability first. No matter how severe a CVE is according to the CVSS (criticality), what really matters is whether an attacker is actually exploiting it. A possible risk, no matter how severe, is always less urgent than a proven, ongoing issue.

The CISA catalog also addresses a constant challenge for security teams. It helps justify taking business-critical apps offline to apply patches and issue updates.

Fixing a security issue often involves downtime, and even small amounts of downtime can cause significant disruption and cost money. Security teams must strike a balance between patching vulnerabilities and ensuring business continuity. However, it can be difficult to gain support for a patch that isn’t seen as highly necessary and urgent. Showing the CVE according to CISA can help.

Striking a Balance

With all that said, the CISA catalog isn’t perfect. After all, many unexploited vulnerabilities exist in the wild worthy of attention and prioritization. Just because a vulnerability has not yet been proven as exploited, does that mean it’s always less severe? Of course not. In fact, it could be the most dangerous of all.

Again, security teams must find the right balance. Both the CVSS and the CISA catalog are valuable resources for assessing vulnerabilities and choosing what to put first regarding patches and security procedures.

In the end, don’t think of the CISA catalog as an alternative to the CVSS. Instead, look at it as a useful addition. Both criticality and exploitability are important metrics to consider when assessing threats. What’s more, security teams still need to exercise their own judgment and discretion when evaluating vulnerabilities. It’s up to you to decide where to focus your efforts and when to justify downtime.
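
One way to use both signals in a single patch queue, shown as an added example that is not part of the original article: findings listed in the CISA catalog are ordered by their remediation due date, and everything else falls back to the CVSS base score. The `cveID` and `dueDate` field names follow CISA's published JSON feed; the CVE IDs, scores, asset names and dates are constructed placeholders.

```python
import json
from datetime import date

# Constructed extract in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0002", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
  {"cveID": "CVE-0000-0004", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"}
]}
"""

# Constructed scanner findings: (CVE id, CVSS base score, affected asset).
FINDINGS = [
    ("CVE-0000-0001", 9.8, "build-server"),
    ("CVE-0000-0002", 6.5, "vpn-gateway"),
    ("CVE-0000-0003", 4.3, "intranet-wiki"),
    ("CVE-0000-0004", 8.1, "mail-relay"),
]

def load_kev_due_dates(kev_json):
    """Map each catalogued CVE id to its remediation due date."""
    entries = json.loads(kev_json)["vulnerabilities"]
    return {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in entries}

def prioritize(findings, kev_due, today):
    """Order findings: known-exploited first by due date, then the rest by CVSS."""
    queue = []
    for cve, cvss, asset in findings:
        due = kev_due.get(cve)
        queue.append({
            "cve": cve, "asset": asset, "cvss": cvss,
            "exploited": due is not None,
            "due": due,
            "overdue": due is not None and due < today,
        })
    # Exploited before unexploited; within exploited, earliest due date first;
    # ties and the unexploited remainder fall back to highest CVSS first.
    queue.sort(key=lambda f: (not f["exploited"], f["due"] or date.max, -f["cvss"]))
    return queue

def report(queue):
    """Render the queue as one human-readable line per finding."""
    lines = []
    for f in queue:
        tag = "KEV due " + f["due"].isoformat() if f["exploited"] else "not in KEV"
        if f["overdue"]:
            tag += " (OVERDUE)"
        lines.append(f"{f['cve']}  CVSS {f['cvss']:>4}  {f['asset']:<14} {tag}")
    return lines

if __name__ == "__main__":
    kev = load_kev_due_dates(KEV_JSON)
    print("\n".join(report(prioritize(FINDINGS, kev, date(2021, 12, 1)))))
```

The 6.5-scored finding that is being exploited lands ahead of the unexploited 9.8, which in turn still leads the remainder of the queue rather than being dropped.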
