When discussing vulnerabilities, we are discussing the feature or condition that, if exploited by a threat (natural or man-made), renders an entity (i.e., an entire organization or any of its constituent parts) susceptible to a risk. The CRR focuses on a specific critical service of the organization. Each aspect of the service is discussed in terms of the various assets that support the service. A vulnerability in the service is a result of a vulnerability in one or more of its assets. Assets are divided into the categories of people, information, technology, and facilities.
Distribution Statement A: Approved for Public Release; Distribution is Unlimited

Vulnerability management is a key component in planning for and determining the appropriate implementation of controls and the management of risk. It is reasonable to say that vulnerability management is central to cyber resilience. The other CRR domains either provide information about vulnerable conditions (Asset Management, Configuration and Change Management, External Dependencies Management, and Situational Awareness) or provide for a response to those vulnerable conditions (Controls Management, Incident Management, Service Continuity Management, Risk Management, and Training and Awareness).
Vulnerability management assures that the organization understands its weaknesses so that it can plan
Exploitation of a vulnerability by a threat results in a risk to the organization. Expanding the discussion from "what are the vulnerabilities?" to "how vulnerable is the organization to disruption?" or "what is the impact of exploiting this vulnerability?" moves beyond the domain of vulnerability management into a discussion of risk management. It is in risk management that we seek to quantify the impact of a realized hazard. This context is discussed more completely in the Risk Management Resource Guide, Volume 7 of this series. An organization's resolution of vulnerabilities and its disposition of risk overlap to a large degree. This resource guide discusses aspects of risk management only as required to clarify the analysis, categorization, and resolution of vulnerabilities.