Figure SE.17a - Security Vulnerability Category Types: Class diagram

Created: 3/28/2022 3:51:09 PM
Modified: 6/23/2022 5:29:32 PM
Author: broth
Version: 22.0
ID: {5210F7B4-1DF5-466e-8B16-E7FCFE22D971}
It is important to be able to assign risk to vulnerabilities, so that decisions regarding remediation can be made. One way to do this is to “score” a vulnerability using a pre-defined algorithm with some number of inputs that are either fixed or calculated. With the Frameworx 12.5 release, the Information Model (SID) has been updated to support scoring. At a minimum, the model supports NIST’s Common Configuration Scoring System (CCSS), the Common Vulnerability Scoring System (CVSS), and the Common Misuse Scoring System (CMSS), but it is expected that the generalized nature of this model makes it a contender for other types of scoring.

The next five figures illustrate the scoring model. Data samples have been included to make the model more understandable. If you would like more information on the specifics of configuration, vulnerability, or misuse scoring, consult the respective NIST documents.

The Security Vulnerability Category Types figure shows the relationships between Security Vulnerabilities and the Scoring System, based on the classification of the Vulnerability (software flaw, software feature misuse, or software configuration issue).
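As an added illustration of the scoring idea described above (example code written for this page, not part of the TM Forum SID model or the figure), the following Python selects a scoring system from the vulnerability's classification and then computes a base score from fixed metric inputs. The category-to-system mapping (software flaw to CVSS, feature misuse to CMSS, configuration issue to CCSS) is this example's assumption drawn from the three classifications the figure names; the lookup tables and equations are the published CVSS v2 base-score equations, and the example assumes CCSS and CMSS reuse them for their base scores, as the NIST documents describe. Class and function names are the example's own.

```python
from decimal import Decimal, ROUND_HALF_UP
from enum import Enum


class VulnerabilityCategory(Enum):
    """The three classifications the figure uses to pick a scoring system."""
    SOFTWARE_FLAW = "software flaw"
    SOFTWARE_FEATURE_MISUSE = "software feature misuse"
    SOFTWARE_CONFIGURATION_ISSUE = "software configuration issue"


# Assumed mapping from category to scoring system (example's own choice,
# based on the classifications named in the figure).
SCORING_SYSTEM_FOR_CATEGORY = {
    VulnerabilityCategory.SOFTWARE_FLAW: "CVSS",
    VulnerabilityCategory.SOFTWARE_FEATURE_MISUSE: "CMSS",
    VulnerabilityCategory.SOFTWARE_CONFIGURATION_ISSUE: "CCSS",
}

# Fixed inputs: CVSS v2 base-metric weights (CCSS/CMSS assumed to reuse them).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}
METRIC_TABLES = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT_WEIGHT, "I": IMPACT_WEIGHT, "A": IMPACT_WEIGHT,
}


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 1.0, ...}, validating every metric."""
    weights = {}
    for part in vector.split("/"):
        metric, _, value = part.partition(":")
        if metric not in METRIC_TABLES or value not in METRIC_TABLES[metric]:
            raise ValueError(f"unknown metric or value: {part!r}")
        weights[metric] = METRIC_TABLES[metric][value]
    missing = set(METRIC_TABLES) - set(weights)
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return weights


def round_to_1_decimal(x: float) -> float:
    """CVSS v2 rounds half-up to one decimal, which round() would not guarantee."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """Calculated inputs: CVSS v2 Impact and Exploitability sub-scores, then the base score."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176  # no impact means a score of zero
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def score_vulnerability(category: VulnerabilityCategory, vector: str) -> tuple:
    """Pick the scoring system from the category and return (system name, base score)."""
    system = SCORING_SYSTEM_FOR_CATEGORY[category]
    return system, base_score(vector)


if __name__ == "__main__":
    # Constructed sample vulnerabilities, one per category.
    samples = [
        (VulnerabilityCategory.SOFTWARE_FLAW, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
        (VulnerabilityCategory.SOFTWARE_FEATURE_MISUSE, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
        (VulnerabilityCategory.SOFTWARE_CONFIGURATION_ISSUE, "AV:L/AC:H/Au:S/C:N/I:N/A:N"),
    ]
    for category, vector in samples:
        system, score = score_vulnerability(category, vector)
        print(f"{category.value:30s} {system} base score {score}")
```

The three sample vectors are constructed for the demonstration; the first reproduces the well-known maximum of 10.0, the second the common 6.8 "partial impact over the network" score, and the third shows the zero-impact rule that drives the score to 0.0 regardless of exploitability.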