Update CISA Track* to Monitor and version

sei-vsarvepalli · sei-vsarvepalli · commit bfbacf69c6e8 · 2025-08-05T15:37:26.000-04:00
diff --git a/src/ssvc/outcomes/cisa/scoring.py b/src/ssvc/outcomes/cisa/scoring.py
@@ -33,6 +33,14 @@
     "CISA recommends remediating Track* vulnerabilities within standard update timelines.",
 )
 
+
+_MONITOR = DecisionPointValue(
+    name="Monitor",
+    key="M",
+    description="The vulnerability contains specific characteristics that may require closer monitoring for changes. "
+    "CISA recommends remediating Monitor vulnerabilities within standard update timelines.",
+)
+
 _ATTEND = DecisionPointValue(
     name="Attend",
     key="A",
@@ -50,7 +58,7 @@
     "CISA recommends remediating Act vulnerabilities as soon as possible.",
 )
 
-CISA = CisaDecisionPoint(
+CISA1 = CisaDecisionPoint(
     name="CISA Levels",
     key="CISA",
     description="The CISA outcome group. "
@@ -63,13 +71,27 @@
         _ACT,
     ),
 )
+
+CISA2 = CisaDecisionPoint(
+    name="CISA Levels",
+    key="CISA",
+    description="The CISA outcome group. "
+    "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
+    version="1.0.1",
+    values=(
+        _TRACK,
+        _MONITOR,
+        _ATTEND,
+        _ACT,
+    ),
+)
 """
 The CISA outcome group. Based on CISA's customizations of the SSVC model.
 See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
 """
 
 
-VERSIONS = (CISA,)
+VERSIONS = (CISA2,)
 LATEST = VERSIONS[-1]
 
 
