
Security Update: CMS Hybrid Cloud announcing Tenable update for Common Vulnerability Scoring System (CVSS) to version 3.1

CMS Cloud


________________________________________________________________________



Summary

Beginning *September 5th, 2024* (previously communicated date September 2nd), the CMS Hybrid Cloud Team will transition from the Common Vulnerability Scoring System (CVSS) version 2 to CVSS version 3.1 for Tenable Security Center vulnerability scoring. *Customers will be responsible for remediating any findings* that result from this change.

CVSS is a published standard used by organizations worldwide. It captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. This numerical score can then be translated into a qualitative rating (low, medium, high, or critical) to help assess and prioritize vulnerability management.

Consequently, this update may change the severity rating for certain vulnerabilities, which would affect customers' CMS-required remediation timelines [ https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook#weakness-remediation-and-mitigation-timeline ].

Benefits

* Switching to CVSS v3.1 scoring aligns with enterprise-wide scanning standards.
* Updating to the latest scoring system additionally aligns us with Tenable. CVSS v2 is a dated scoring system.
* CVSS v3.1 provides the "Critical" rating. Previously, v2 could only support up to "High".

Expected Actions

While no customer action is required to perform the CVSS update, *customers are responsible for remediating any findings* as a result of this update.

Timeline

* *September 5th, 2024:* Adoption of CVSS v3.1.

Learn More

* NIST's National Vulnerability Database on CVSS [ https://nvd.nist.gov/vuln-metrics/cvss ]
* CMS Plan of Action and Milestones (POA&M) Handbook [ https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook ]

Questions or Concerns

We look forward to helping you and your team. Reach out to your Hybrid Cloud Hosting Coordinator with any questions.

For further help on this issue, please fill out a Hybrid Cloud Support ticket [ https://jiraent.cms.gov/plugins/servlet/desk/portal/22 ] specifying "*CMS Cloud: Service Request*" and *Request Type* as "Security Hub: Finding".



Office of Information Technology




  • [Registrant] Centers for Medicare & Medicaid Services (CMS)
  • [Language] Japanese
  • [Area] Baltimore, MD
  • Registered: 2024/09/03
  • Posted: 2024/09/03
  • Modified: 2024/09/03