PSS-03.04B
1. Overview

PSS-03.04B

The vulnerabilities are presented with references to the Common Vulnerabilities and Exposures (CVE) and assessments are based on:

   1. The Common Vulnerability Scoring System (CVSS); and
   2. The Exploit Prediction Scoring System (EPSS), the Stakeholder-Specific Vulnerability Categorization (SSVC) or other similar scoring metrics in the latest version valid at the time of the assessment.

This information is accessible to all cloud customers and supports their risk assessment and follow-up actions, with references to vulnerability-specific measures where applicable. Vulnerability-specific measures can for instance be found in the 'Vulnerability, Exploitability eXchange' (VEX) or the 'Common Security Advisory Frameworks' (CSAF).

The Common Vulnerability Scoring System (CVSS) assesses the severity of identified vulnerabilities (cf. OPS-18). The Exploit Prediction Scoring System (EPSS), the Stakeholder-Specific Vulnerability Categorization (SSVC) and other similar scoring metrics prioritise measures to be implemented for remediating or mitigating identified vulnerabilities. Both kinds of systems should be used in tandem.
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
3. Related Regulations