Cybersecurity pillar

Exposure management maturity

Build an attack surface management program that inventories assets, prioritizes exploitable risk, and measures remediation accountability using BOD 23-01, MITRE ATT&CK, CVSS v4.0, and CISA Known Exploited Vulnerabilities (KEV).

Establish reliable asset intelligence

Sustain an authoritative inventory that merges internal sources with external attack surface discoveries.

  • Unify discovery channels. Combine CMDBs, cloud control-plane APIs, OT inventories, and attack surface management outputs to create daily reconciled asset records tagged by owner, criticality, and internet exposure.
  • Enforce evidentiary attributes. Require authoritative sources for hostname, serial, business service, and data classification so remediation tickets inherit context that speeds approvals and reduces false positives.
  • Instrument continuous scans. Configure authenticated scanning for internal assets and high-signal external discovery for internet-facing assets with service fingerprints, TLS hygiene, and software bill of materials alignment.

Prioritize by exploitability

Shift from severity-only triage to attacker-relevant scoring and response sequencing.

  • Anchor to CISA KEV. Treat KEV entries as emergency patches with strict SLAs and automated change approvals; link every KEV CVE to playbooks that verify exploit mitigations and validate rollback.
  • Adopt CVSS v4.0 exploitability. Use CVSS v4.0 exploitability sub-scores and environmental metrics to rank vulnerabilities, incorporating exposure duration and safety requirements for OT and safety-critical workloads.
  • Map to ATT&CK techniques. Tie vulnerabilities and misconfigurations to ATT&CK techniques to predict likely post-exploitation paths and prioritize controls such as segmentation, logging, and identity hardening.

Accelerate remediation and oversight

Convert prioritized findings into accountable action with policy-backed SLAs and executive reporting.

  • Set policy SLAs by asset class. Define remediation deadlines for internet-facing, crown-jewel, and OT assets that mirror BOD 23-01 frequency expectations and contractual uptime requirements.
  • Automate change workflows. Integrate ticketing with infrastructure-as-code repos and maintenance windows so patching, configuration baselining, and compensating controls ship with peer review and rollback plans.
  • Report executive risk posture. Publish weekly dashboards covering mean time to remediate, KEV burn-down, attack path closure, and SLA adherence by business unit to demonstrate exposure reduction to leadership and regulators.
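As an added worked example (not code from this page or from any of the cited frameworks), the Python below combines the KEV-first triage and CVSS v4.0 weighting from "Prioritize by exploitability" with the per-asset-class SLAs from "Set policy SLAs by asset class" into a single ranking routine. The SLA windows, weights, placeholder CVE ids and sample findings are constructed assumptions for illustration, not values taken from BOD 23-01, CVSS v4.0 or the KEV catalog.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows in days per asset class. Constructed policy values for
# illustration only; they are not figures taken from BOD 23-01 or any standard.
SLA_DAYS = {"internet-facing": 7, "crown-jewel": 14, "ot": 30, "internal": 45}
KEV_SLA_DAYS = 3  # constructed emergency window for CVEs listed in CISA KEV
OPENED = date(2024, 1, 1)  # constructed date the sample findings were raised

@dataclass
class Finding:
    cve: str
    asset: str
    asset_class: str       # key into SLA_DAYS
    cvss_base: float       # CVSS v4.0 base score, 0.0 to 10.0
    in_kev: bool           # CVE appears in the CISA KEV catalog
    internet_exposed: bool
    days_exposed: int      # how long the finding has been open

def risk_score(f: Finding) -> float:
    """Attacker-relevant score: KEV membership dominates, then CVSS weighted by exposure."""
    score = f.cvss_base * (1.5 if f.internet_exposed else 1.0)
    score += min(f.days_exposed, 90) / 30   # aging penalty, capped at +3.0
    if f.in_kev:
        score += 100                         # KEV always outranks non-KEV findings
    return round(score, 2)

def sla_deadline(f: Finding, opened: date) -> date:
    """Emergency window for KEV, otherwise the asset-class policy window."""
    return opened + timedelta(days=KEV_SLA_DAYS if f.in_kev else SLA_DAYS[f.asset_class])

def prioritize(findings, opened: date):
    """Return (finding, score, deadline) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f, risk_score(f), sla_deadline(f, opened)) for f in ranked]

# Constructed sample findings; the CVE ids are placeholders, not real vulnerabilities.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-gw-01", "internet-facing", 7.1, True, True, 2),
    Finding("CVE-0000-0002", "erp-db-02", "crown-jewel", 9.8, False, False, 45),
    Finding("CVE-0000-0003", "plc-hist-03", "ot", 6.5, False, False, 120),
    Finding("CVE-0000-0004", "web-app-04", "internet-facing", 8.2, False, True, 10),
]

if __name__ == "__main__":
    for f, score, due in prioritize(SAMPLE, OPENED):
        print(f"{score:7.2f}  due {due}  {f.cve}  {f.asset} ({f.asset_class})")
```

Note that the lower-CVSS KEV finding on the VPN gateway lands at the top with the shortest deadline, while the 9.8 on the internal database ranks below the internet-exposed 8.2, which is the intended effect of scoring by exploitability and exposure rather than by base severity alone.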