RA-5 / SI-2 / A.12.6.1 / CIS-7.2 NIST SP 800-53 Rev 5

CVE-driven prioritisation

Demonstrate that the organization systematically identifies, prioritizes, and remediates vulnerabilities based on CVE severity, exploitability, and threat intelligence, with documented evidence of accelerated response to high-risk exposures.

Description

What this control does

CVE-driven prioritisation is a vulnerability management approach that ranks and schedules remediation activities based on the presence of publicly disclosed Common Vulnerabilities and Exposures (CVE) identifiers, their severity scores (CVSS), exploitability metrics, and threat intelligence indicating active exploitation. Organizations integrate CVE feeds from sources like NVD, CISA KEV, and vendor advisories into their vulnerability management platforms to automatically or semi-automatically triage findings. This control ensures that vulnerabilities with known exploit code, observed in-the-wild exploitation, or high business impact receive accelerated patching timelines, reducing the window of exposure to weaponized threats.

Control objective

What auditing this proves

Associated risks

Risks this control addresses

Attackers exploit publicly known vulnerabilities (CVEs) for which patches are available but not yet applied, achieving initial access or privilege escalation
Critical vulnerabilities in internet-facing assets remain unpatched beyond vendor-recommended timelines due to lack of prioritization, enabling mass exploitation
Remediation resources are exhausted on low-severity findings while high-CVSS or actively exploited CVEs remain untreated, increasing breach likelihood
Zero-day or CISA Known Exploited Vulnerabilities (KEV) are not flagged for emergency patching, allowing adversaries to exploit time-sensitive attack windows
Vulnerability scan results lack CVE mapping or CVSS scoring, preventing analysts from distinguishing critical exposures from noise and delaying incident response
Business-critical systems affected by CVEs with public exploit code are not isolated or mitigated within SLA timelines, leading to operational disruption or data exfiltration
Inconsistent CVE data sources or stale threat feeds result in missing or outdated prioritization signals, causing the organization to overlook emerging threats

Live threat patterns this control mitigates:

HIGH ICS / OT Device Vulnerability Vulnerability disclosed in an industrial / building-control device. Implies the device may be reachable from the corporate network… HIGH OT / Industrial Control System Attack Attack targeting operational technology — pumps, controllers, processing equipment. Implies OT exposure to the internet, default credentials on…

Testing procedure

How an auditor verifies this control

Obtain the organization's vulnerability management policy and review documented criteria for CVE-based prioritization, including CVSS thresholds, exploitability factors, and remediation SLAs for each severity tier.
Inventory all vulnerability management tools, asset scanners, and threat intelligence feeds in use, confirming integration with authoritative CVE sources such as NVD, CISA KEV catalog, vendor security bulletins, and EPSS scores.
Select a sample of 20-30 recent vulnerability scan reports spanning the past 90 days and verify that each identified finding includes CVE identifiers, CVSS base scores, and assigned priority levels.
Cross-reference CISA Known Exploited Vulnerabilities catalog against the organization's asset inventory and remediation tracker to confirm all applicable KEV entries have documented mitigation plans with emergency timelines.
Review remediation tickets or change records for five high-severity CVEs (CVSS ≥7.0) discovered in the sample period, verifying that patching or compensating controls were applied within the organization's defined SLA (e.g., 30 days for critical, 90 days for high).
Interview vulnerability management and security operations personnel to assess how threat intelligence (exploit availability, active exploitation campaigns) influences re-prioritization of CVEs outside standard CVSS scoring.
Examine dashboard configurations, automated alert rules, or workflow automation in vulnerability platforms to confirm high-priority CVEs trigger notifications, escalations, or auto-assignment to remediation teams.
Test a simulated scenario by identifying a newly published CVE with active exploitation and trace how the organization's process would detect, prioritize, assign, and track remediation within documented timelines.

Evidence required Collect vulnerability management policy excerpts defining CVE prioritization criteria and remediation SLAs; screenshots or exports from vulnerability scanning platforms showing CVE identifiers, CVSS scores, and priority classifications for sampled findings; remediation ticket records or change management logs demonstrating timely patching of high-severity CVEs; configuration files or API integration settings proving active feeds from NVD, CISA KEV, and threat intelligence sources; interview notes or process flowcharts documenting escalation and re-prioritization workflows.

Pass criteria The control passes if all sampled vulnerability findings include CVE identifiers and CVSS scores, all CISA KEV-listed vulnerabilities have documented mitigation within emergency SLAs, and at least 90% of high-severity CVEs were remediated within the organization's defined timelines with evidence of prioritization based on exploitability and threat intelligence.

Where this control is tested

Audit programs including this control

ICS / OT Device Vulnerability — Audit Program

Vulnerability disclosed in an industrial / building-control device. Implies the device may be reachable from the corporate network…