+PSS-03 Informing Customers about Known Vulnerabilities
1. Overview

---++PSS-03.01B

The cloud service provider ensures through a coordinated process that cloud service customers have access to regularly updated information about known vulnerabilities associated with the cloud service that may impact the information security of the customer. This includes:
1. Known-exploited vulnerabilities;
2. Known vulnerabilities for which a patch and/or mitigating measures are provided by the cloud service provider (N-Day vulnerabilities), with appropriate references to the patch/measure; and
3. Known vulnerabilities for which a patch and/or mitigating measures are unlikely to be provided by the cloud service provider (Forever-Day vulnerabilities), along with a justification for why they are not provided.

These pertain to the provided cloud service and to assets provided by the cloud service provider that the cloud service customers have to install, provide or operate within their own responsibility.

This criterion supports transparency in vulnerability management. It requires the cloud service provider to proactively inform customers about vulnerabilities that may pose a residual risk due to the absence of remediation options. Such disclosures help customers assess their exposure and implement compensating controls where necessary.

Information about known-exploited vulnerabilities and known vulnerabilities can include, for example, information about vulnerabilities in authorisation mechanisms obtained from the validation process carried out as part of PSS-09.

---++PSS-03.02B

The information provided to the cloud service customers includes, where available, a description of applicable and planned remediation or mitigation measures for the identified vulnerabilities.

---++PSS-03.03B

These vulnerabilities are also identified based on data from a list of software components or Software Bill of Materials (SBOM) data.

Although the cloud service provider has to identify the vulnerabilities based on SBOM data to fulfil this criterion, the SBOM data itself need not be handed over to the customer to fulfil the criterion.

---++PSS-03.04B

The vulnerabilities are presented with references to the Common Vulnerabilities and Exposures (CVE) and assessments are based on:
1. The Common Vulnerability Scoring System (CVSS); and
2. The Exploit Prediction Scoring System (EPSS), the Stakeholder-Specific Vulnerability Categorization (SSVC) or other similar scoring metrics,
in the latest version valid at the time of the assessment.

This information is accessible to all cloud customers and supports their risk assessment and follow-up actions, with references to vulnerability-specific measures where applicable.

Vulnerability-specific measures can for instance be found in the Vulnerability Exploitability eXchange (VEX) or the Common Security Advisory Framework (CSAF).

The Common Vulnerability Scoring System (CVSS) assesses the severity of identified vulnerabilities (cf. OPS-18). The Exploit Prediction Scoring System (EPSS), the Stakeholder-Specific Vulnerability Categorization (SSVC) and other similar scoring metrics prioritise the measures to be implemented for remediating or mitigating identified vulnerabilities. Both kinds of systems should be used in tandem.
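The following script is an added illustration (not part of the C5 catalogue and not a BSI tool) of how a provider could derive the customer-facing disclosure described in PSS-03.01B, PSS-03.03B and PSS-03.04B: feed entries are matched against SBOM components, sorted into the three categories (known-exploited, N-Day, Forever-Day), and prioritised using CVSS severity and EPSS likelihood together. All SBOM entries, feed records, CVE identifiers (year 2099) and threshold values are constructed for the example, and the `priority()` decision table is a simplified stand-in for an SSVC-style decision, not the official SSVC tree.

```python
"""Constructed example: customer vulnerability disclosure derived from SBOM data
and a supplier/NVD-style feed, classified per PSS-03.01B and prioritised with
CVSS and EPSS in tandem (PSS-03.04B). Not catalogue or vendor code."""
import re
from dataclasses import dataclass
from typing import Optional

# MITRE CVE id format: CVE-<4-digit year>-<at least 4 digits>
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Component:           # one SBOM entry: component name and exact version
    name: str
    version: str


@dataclass
class FeedEntry:           # one record from a vulnerability feed (constructed shape)
    cve: str
    component: str
    affected_versions: tuple        # exact versions known to be affected
    cvss: float                     # CVSS base score, 0.0 - 10.0
    epss: float                     # EPSS probability, 0.0 - 1.0
    known_exploited: bool
    patch_ref: Optional[str] = None       # advisory/patch reference, if a fix exists
    no_fix_reason: Optional[str] = None   # justification when no fix is planned


def classify(e: FeedEntry) -> str:
    """PSS-03.01B categories: known-exploited, N-Day (fix provided), Forever-Day (no fix)."""
    if e.known_exploited:
        return "known-exploited"
    if e.patch_ref:
        return "n-day"
    return "forever-day"


def priority(e: FeedEntry, cvss_high: float = 7.0, epss_high: float = 0.1) -> str:
    """Simplified SSVC-style decision (assumed thresholds, not the official tree).
    Severity (CVSS) and exploit likelihood (EPSS) are combined, not used alone."""
    if e.known_exploited:
        return "act"
    severe, likely = e.cvss >= cvss_high, e.epss >= epss_high
    if severe and likely:
        return "attend"
    if severe or likely:
        return "track*"
    return "track"


def build_disclosure(sbom: list, feed: list) -> list:
    """Match feed entries against the SBOM and return customer advisory records,
    most urgent first. Raises ValueError for malformed CVE ids or a Forever-Day
    entry that lacks the justification PSS-03.01B requires."""
    installed = {(c.name, c.version) for c in sbom}
    records = []
    for e in feed:
        if not CVE_RE.match(e.cve):
            raise ValueError(f"malformed CVE id: {e.cve}")
        hits = [v for v in e.affected_versions if (e.component, v) in installed]
        if not hits:
            continue                       # not in our SBOM: does not affect this service
        category = classify(e)
        if category == "forever-day" and not e.no_fix_reason:
            raise ValueError(f"{e.cve}: Forever-Day entry needs a justification")
        records.append({
            "cve": e.cve, "component": e.component, "version": hits[0],
            "category": category, "cvss": e.cvss, "epss": e.epss,
            "priority": priority(e),
            "remediation": e.patch_ref or e.no_fix_reason,
        })
    order = {"act": 0, "attend": 1, "track*": 2, "track": 3}
    records.sort(key=lambda r: (order[r["priority"]], -r["cvss"]))
    return records


# Constructed sample data (component names, versions and CVE ids are placeholders).
SBOM = [Component("libfoo", "1.2.3"), Component("webclient", "4.0.0"), Component("agent", "2.1.0")]
FEED = [
    FeedEntry("CVE-2099-00001", "libfoo", ("1.2.3",), 9.8, 0.60, True, patch_ref="VENDOR-ADV-001"),
    FeedEntry("CVE-2099-00002", "webclient", ("4.0.0",), 7.5, 0.02, False, patch_ref="VENDOR-ADV-002"),
    FeedEntry("CVE-2099-00003", "agent", ("2.1.0",), 5.3, 0.01, False,
              no_fix_reason="component end-of-life; mitigated by network isolation of the agent"),
    FeedEntry("CVE-2099-00004", "libbar", ("9.9.9",), 9.0, 0.90, True, patch_ref="VENDOR-ADV-004"),
]

if __name__ == "__main__":
    for rec in build_disclosure(SBOM, FEED):
        print(rec)
```

Running the block prints three records (the fourth feed entry concerns a component absent from the SBOM and is dropped): the known-exploited issue first with priority "act", the N-Day issue with "track*" (severe but unlikely to be exploited), and the Forever-Day issue with "track" and its justification in the remediation field. The two `ValueError` paths enforce the parts of PSS-03.01B and PSS-03.04B that a feed can silently get wrong: a non-CVE identifier and a "no fix" entry without a stated reason.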
---++PSS-03.05B

The cloud service provider consults the vulnerability information of its suppliers and service organisations at least daily. The published vulnerabilities are analysed with regard to their potential impact on the cloud service and handled in accordance with the vulnerability handling process (cf. OPS-18). If the supplier or service organisation does not provide daily information, the related risk is managed according to OIS-07.

There can be various ways to obtain information about vulnerabilities from suppliers and service organisations. The criterion does not demand a particular way of obtaining this information, only that the information is obtained at least daily.

---++PSS-03.01AC

Assets provided by the cloud service provider, which must be installed, provided or operated by cloud service customers within their area of responsibility, are equipped with automatic update mechanisms. After approval by the respective cloud service customer, software updates are rolled out by the cloud service provider.

Assets provided by the cloud service provider that cloud service customers have to install, deploy or operate themselves in their area of responsibility are, for example, local software clients and apps as well as tools for integrating the cloud service.

If the cloud service relies on other cloud services, this information should incorporate or refer to the vulnerabilities of those other cloud services in order for this criterion to be met.

---++PSS-03.02AC

Vulnerabilities are disclosed in accordance with the Common Security Advisory Framework Version 2.0 or higher, and as specified in BSI's Technical Guideline TR-03191.

Assets provided by the cloud service provider that cloud service customers have to install, deploy or operate themselves in their area of responsibility are, for example, local software clients and apps as well as tools for integrating the cloud service.

If the cloud service relies on other cloud services, this information should incorporate or refer to the vulnerabilities of those other cloud services in order for this criterion to be met.

---++PSS-03 Supplementary Information - Complementary Customer Criteria

Cloud service customers ensure with suitable controls that the obtained vulnerability information is incorporated into their own risk management in a timely manner, evaluated and, if necessary, taken into account in their own area of responsibility.
1.1 References
1.2 Identified Requirements
1.2 Related Regulation

2. Identified Requirements
Requirements
| Source | Requirement |

3. Related Regulations
Regulations
| Source | Regulation |