CIS Control 16.6: Establish and Maintain a Severity Rating System for Application Vulnerabilities
Vulnerability severity rating systems transform reactive firefighting into strategic risk management. Without a consistent rating framework, organizations waste resources fixing low-impact issues while critical vulnerabilities slip through. This control ensures every discovered vulnerability is assessed, prioritized, and fixed before reaching production.
What this means
CIS Control 16.6 requires you to build and maintain a formal process that assigns severity levels to discovered application vulnerabilities based on objective criteria. This system must define what severity ratings mean (critical, high, medium, low), establish clear criteria for assigning them, and set minimum security thresholds that block code or applications from release until vulnerabilities meeting or exceeding those thresholds are remediated. The system creates accountability across development and security teams by making vulnerability prioritization transparent and enforceable.
How to comply
- 1.Define vulnerability severity levels with measurable criteria (CVSS scores, business impact, exploitability)
- 2.Document severity rating methodology and communicate it to all development and security teams
- 3.Establish minimum security acceptability gates that prevent code release when unresolved vulnerabilities exceed acceptable thresholds
- 4.Create a formal review process to assign severity ratings to all discovered vulnerabilities
- 5.Implement automated tooling to scan code and applications, rate findings, and flag releases that violate security gates
- 6.Track remediation timelines tied to severity level (e.g., critical fixes within 7 days, high within 30 days)
- 7.Audit and refine your severity criteria annually based on actual breach data and risk trends
Evidence auditors look for
- Documented vulnerability severity rating policy with defined CVSS thresholds and business impact criteria
- Code repository with enforced pre-commit scanning that blocks merges containing vulnerabilities above minimum threshold
- Release gate documentation showing security approval sign-off before production deployment
- Vulnerability tracking spreadsheet or system showing assigned severity levels and remediation timelines
- Audit logs demonstrating vulnerabilities were rated before remediation and gates were enforced
- Training records confirming development teams understand and follow the severity rating system
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates vulnerability discovery, severity classification, and release-gate enforcement so your team spends time fixing critical issues instead of manually rating and tracking every finding.
See how GRCWatch handles this control automatically
Start free trial