Based on the information from the NIST CSWP 41, here is a table comparing CVE, EPSS, and KEV across the columns: Purpose, Scope, and Limitations.
| Component | Purpose | Scope | Limitations |
|---|---|---|---|
| CVE (Common Vulnerabilities and Exposures) | Provides a standardized enumeration of known vulnerabilities in software and hardware to enable consistent identification and tracking. | Comprehensive list covering all known vulnerabilities in IT products (software and hardware), widely used globally; supported by the National Vulnerability Database (NVD) [7][8]. | Does not assess exploitation likelihood or prioritize remediation; serves as a catalog, not a risk assessment tool. |
| EPSS (Exploit Prediction Scoring System) | Delivers daily updated probabilities estimating the likelihood that a CVE will be exploited in the wild within the next 30 days, aiding proactive remediation planning [4]. | Applies to all CVEs with scores, used by 111 security products as of January 2025 [10]; based on data from enterprise sensor networks monitoring exploitation activity. | Underestimates probabilities for vulnerabilities already exploited (designed to exclude past data [1]); accuracy varies across versions (v1, v2, v3), with v3 (2023-03-07) being most reliable but still unvalidated for past exploits. |
| KEV (Known Exploited Vulnerability lists) | Identifies vulnerabilities confirmed to have been exploited in the past, mandating remediation (e.g., within two weeks per BOD 22-01 [9]) for prioritized action. | Focuses on vulnerabilities relevant to U.S. government or critical infrastructure systems (e.g., CISA list with 1228 entries vs. 260k CVEs in Dec 2024, 0.5% coverage [5]); broader scopes exist from security companies [6][13]. | May not be comprehensive due to limited scope (e.g., U.S.-centric focus); lacks measurement of coverage; status of non-listed vulnerabilities remains unknown. |
Actionable Insights
- For CVE: Use it as a foundational inventory tool. Integrate with NVD (https://nvd.nist.gov/) to maintain an up-to-date vulnerability list for your systems.
- For EPSS: Leverage daily scores (available via EPSS sources [4]) to forecast short-term risks, but adjust for known exploits using LEV (as proposed in CSWP 41) to avoid underestimation.
- For KEV: Align remediation timelines with BOD 22-01 if applicable (e.g., government contracts). Compare your KEV coverage against CISA’s to identify potential gaps, and consider supplementing with broader commercial KEV lists.
- Strategic Context: As of August 27, 2025, 11:08 AM EDT, no updates to CSWP 41 have been noted since May 19, 2025. Early adoption of LEV (which builds on EPSS and KEV) could provide a compliance edge, especially for regulated industries, by quantifying and addressing unlisted risks.
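The insights above describe combining the three sources: KEV for confirmed past exploitation, EPSS for the next 30 days, and an LEV-style cumulative probability to correct EPSS's blind spot for vulnerabilities that were likely exploited earlier. The Python below is an added example, not code from NIST or from this post. The CVE ids are placeholders, the EPSS histories and KEV set are constructed, and `lev_probability` is the author of this example's reading of the LEV equation's structure (one EPSS sample per 30-day window, windows treated as independent, the last window weighted by how much of it has elapsed); check CSWP 41 for the exact definition before relying on it.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample inputs (not real data). CVE ids are placeholders in the
# CVE-0000-* range; EPSS histories are hand-made, one score per 30-day window,
# oldest first; the KEV membership set is hand-made too.
EPSS_HISTORY: Dict[str, List[float]] = {
    "CVE-0000-00001": [0.02, 0.05, 0.40, 0.10],  # spiked, then decayed: EPSS today looks low
    "CVE-0000-00002": [0.90, 0.90, 0.90, 0.90],  # persistently high
    "CVE-0000-00003": [0.01, 0.01, 0.01, 0.01],  # persistently low
    "CVE-0000-00004": [0.30, 0.30, 0.30, 0.30],  # moderate, but on the KEV list
}
KEV_LIST: Set[str] = {"CVE-0000-00004"}


def lev_probability(window_scores: List[float], days_into_last_window: int = 30) -> float:
    """Probability that exploitation occurred in at least one window.

    Each p_i is EPSS's 30-day exploitation probability at the start of window i.
    Treating windows as independent, P(any window exploited) = 1 - prod(1 - p_i).
    The last window may be incomplete, so its score is scaled by the fraction of
    its 30 days that have elapsed. Assumption: this mirrors the structure of the
    LEV equation in NIST CSWP 41; it is not copied from the paper.
    """
    if not window_scores:
        return 0.0
    survival = 1.0  # probability that no window saw exploitation
    last = len(window_scores) - 1
    for i, p in enumerate(window_scores):
        weight = min(max(days_into_last_window, 0), 30) / 30 if i == last else 1.0
        survival *= 1.0 - p * weight
    return 1.0 - survival


def prioritize(history: Dict[str, List[float]], kev: Set[str]) -> List[Tuple[str, str, float]]:
    """Return (cve, tier, score) rows sorted for remediation.

    tier 'kev'  : confirmed past exploitation; goes first regardless of score.
    tier 'lev'  : cumulative LEV exceeds twice today's EPSS, i.e. ranking on
                  EPSS alone would under-rank it (the underestimation caveat).
    tier 'epss' : today's EPSS is the best estimate available.
    Non-KEV rows are ordered by max(EPSS today, LEV), highest first.
    """
    rows = []
    for cve, scores in history.items():
        epss_today = scores[-1]
        lev = lev_probability(scores)
        if cve in kev:
            tier = "kev"
        elif lev > 2 * epss_today:
            tier = "lev"
        else:
            tier = "epss"
        rows.append((cve, tier, max(epss_today, lev)))
    rank = {"kev": 0, "lev": 1, "epss": 1}
    return sorted(rows, key=lambda r: (rank[r[1]], -r[2]))


def kev_coverage_estimate(history: Dict[str, List[float]], kev: Set[str]) -> Tuple[float, float]:
    """Rough answer to 'how complete is our KEV list?'.

    By linearity of expectation, summing LEV over the inventory gives the
    expected number of CVEs that were exploited; the KEV count divided by that
    sum estimates the share of exploited CVEs the list actually captures.
    """
    expected = sum(lev_probability(scores) for scores in history.values())
    share = len(kev) / expected if expected else 0.0
    return expected, share


if __name__ == "__main__":
    for cve, tier, score in prioritize(EPSS_HISTORY, KEV_LIST):
        print(f"{cve}  tier={tier:<4}  score={score:.4f}  epss_today={EPSS_HISTORY[cve][-1]:.2f}")
    expected, share = kev_coverage_estimate(EPSS_HISTORY, KEV_LIST)
    print(f"expected exploited CVEs: {expected:.2f}; KEV captures roughly {share:.0%} of that")
```

The first placeholder CVE is the interesting row: its EPSS today is 0.10, but its cumulative probability over the four windows is about 0.50, so a queue sorted on today's EPSS alone would bury it. The coverage figure is only as good as the inventory it is computed over, which is the same limitation the table notes for KEV itself.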