6 changes: 3 additions & 3 deletions data/schema/v2/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,6 @@

We are now automatically generating the schema files for SSVC based on their
corresponding Pydantic models. This allows us to keep the schema files in sync
with the code more easily. However, it required us to make some changes to the
file names. So we've left behind some soft links from the original file names
to help ease the transition.
with the code more easily. However, it required us to make some changes to the
file names. So we've left behind some soft links from the original file names
to help ease the transition.
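Review bot: the three removed and three added lines read identically in this view, so this hunk is a whitespace-only change (trailing spaces or line endings); nothing to object to, but it would be easier to review with whitespace changes hidden, and "soft links" would be clearer as "symbolic links" in a future edit.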
3 changes: 3 additions & 0 deletions docs/adr/0013-ssvc-project-versions.md
Expand Up @@ -29,6 +29,7 @@ For the overall SSVC project and documentation, we need a scheme that better ref
- **Patch** = subsequent updates in the same month or smaller corrections

**Significant updates** include:

- Adding or restructuring sections in ways that affect usability
- Adding/revising decision points, tables, or other SSVC objects
- Adding features that change how SSVC is applied
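Review bot: adding the blank line between the bold lead-in ("**Significant updates** include:") and the bulleted list is the right fix, because Python-Markdown, which MkDocs uses, will not start a list that directly follows a paragraph line; the same fix is applied in the two following hunks of this file, so nothing further is needed here.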
Expand All @@ -39,6 +40,7 @@ Months use single digits (`2025.6`) to keep versions concise.
## Rationale

CalVer suits SSVC’s character as a living framework:

- Clearly signals recency (date in the version number)
- Fits both documentation-focused and object-focused updates
- Avoids SemVer debates over what counts as “major” or “minor”
Expand All @@ -61,6 +63,7 @@ The CalVer scheme will be applied via Git tags and GitHub releases.
## Alternatives Rejected

**Continue SemVer for project/docs**

- **Good:** Maintains continuity
- **Bad:** Cannot easily express documentation updates independent of object versions

2 changes: 1 addition & 1 deletion docs/howto/index.md
Expand Up @@ -7,7 +7,7 @@
- An interest in using SSVC in a vulnerability management process
- Basic familiarity with SSVC

If you are unfamiliar with SSVC, we suggest you start with the [Learning SSVC](../tutorials/index.md) section.
If you are unfamiliar with SSVC, we suggest you start with the [SSVC Overview](../tutorials/ssvc_overview.md) section.
[Understanding SSVC](../topics/index.md) provides necessary background detail.
For technical reference, see [Reference](../reference/index.md).

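Review bot: retargeting the link from `../tutorials/index.md` to `../tutorials/ssvc_overview.md` and relabeling it "SSVC Overview" matches the docs/index.md change in this PR; since `../tutorials/index.md` is no longer linked from this page, confirm it is still reachable from the nav or is intentionally retired.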
1 change: 0 additions & 1 deletion docs/howto/tools/containers.md
Expand Up @@ -50,4 +50,3 @@ docker-compose --project-directory=docker up api
```

Then browse to `http://localhost:8001/docs` to access the API documentation.

1 change: 0 additions & 1 deletion docs/howto/using_epss/epss_percentiles.md
Expand Up @@ -160,7 +160,6 @@ the prioritization of vulnerabilities based on their EPSS percentiles.
This way, even if multiple vulnerabilities fall into the same SSVC category,
you can still prioritize them based on their predicted likelihood of exploitation.


## Conclusion

In this how-to, we've demonstrated how to use EPSS percentiles as an amplifier
4 changes: 2 additions & 2 deletions docs/index.md
Expand Up @@ -10,14 +10,14 @@ We have organized the SSVC documentation into four main sections:

<div class="grid cards" markdown>

- :fontawesome-regular-eye:{ .lg .middle } [**SSVC Overview**](ssvc_overview.md)
- :fontawesome-regular-eye:{ .lg .middle } [**SSVC Overview**](tutorials/ssvc_overview.md)

---

A beginner's guide to SSVC.
This section is for people who have never heard of SSVC.

[:octicons-arrow-right-24: An Overview of SSVC](ssvc_overview.md)
[:octicons-arrow-right-24: An Overview of SSVC](tutorials/ssvc_overview.md)

- :material-clipboard-check:{ .lg .middle } [**SSVC How To**](howto/index.md)

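Review bot: changing both links from `ssvc_overview.md` to `tutorials/ssvc_overview.md` implies the overview page moved into `tutorials/`, which changes its published URL; check that the mkdocs.yml nav entry was updated in the same change and consider a redirect from the old path (for example via the mkdocs-redirects plugin) so existing bookmarks keep working.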
4 changes: 2 additions & 2 deletions docs/reference/code/decision_point_groups.md
Expand Up @@ -3,7 +3,7 @@
Decision Point groups provide collections of related Decision Points for some
specific purpose.

With the introduction of [Decision Tables](decision_tables.md),
With the introduction of [Decision Tables](decision_tables.md),
Decision Point groups are less important than they once were, and may be
removed in a future release.
However, they can still be useful for documentation and
Expand All @@ -17,4 +17,4 @@ for some programmatic uses.

## CVSS Decision Point Groups

::: ssvc.dp_groups.cvss.collections
::: ssvc.dp_groups.cvss.collections
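Review bot: in both hunks of this file the removed and added lines read identically, so the changes are whitespace-only (most likely a trailing space and a missing final newline); fine to merge, but saying so in the commit message would spare future readers of the blame from wondering what changed.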
2 changes: 1 addition & 1 deletion docs/reference/code/decision_points.md
Expand Up @@ -4,4 +4,4 @@

::: ssvc.decision_points.base

::: ssvc.decision_points.helpers
::: ssvc.decision_points.helpers
2 changes: 1 addition & 1 deletion docs/reference/code/decision_tables.md
Expand Up @@ -4,4 +4,4 @@

::: ssvc.decision_tables.base

::: ssvc.decision_tables.helpers
::: ssvc.decision_tables.helpers
6 changes: 5 additions & 1 deletion docs/reference/code/index.md
@@ -1,10 +1,14 @@
# SSVC Code Documentation

This section provides documentation for the SSVC Python modules.

These include:

- [Decision Points](decision_points.md) and [Outcomes](outcomes.md)
- [Decision Points](decision_points.md)
- [Decision Tables](decision_tables.md)
- [Decision Point Groups](decision_point_groups.md) (Deprecated)
- [Namespaces](namespaces.md)
- [Selections](selection.md)
- [CSV Analyzer](analyze_csv.md)
- [Policy Generator](policy_generator.md)
- [Namespaces](namespaces.md)
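Review bot: after this hunk "[Namespaces](namespaces.md)" appears twice, once among the added lines and again on the unchanged last context line, so one of the two should be dropped. Also, removing "and [Outcomes](outcomes.md)" leaves the code reference index with no link to Outcomes at all; since the page was relocated rather than removed (see docs/reference/decision_points/outcomes.md in this PR), consider adding a link to the new location.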
11 changes: 2 additions & 9 deletions docs/reference/code/namespaces.md
Expand Up @@ -58,7 +58,7 @@ end
```

!!! warning "Reserved Namespace Strings"

The SSVC project has _reserved_ the following namespace strings:

- `example` and `x_example`are _reserved_ for use in documentation or as
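Review bot: the rendered view strips leading whitespace, so it is not possible to confirm here that the blank line edited inside the `!!! warning "Reserved Namespace Strings"` admonition keeps the four-space indentation the admonition body needs; a build preview would settle it. While here, the last context line has `x_example`are with a missing space before "are".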
Expand All @@ -74,7 +74,6 @@ end
object using either of these strings will result in an error in the Python
implementation of SSVC.


!!! info inline end "Current Registered Namespaces"

The SSVC project currently has a set of registered namespaces that are
Expand All @@ -89,8 +88,6 @@ end
print(f"- {ns.value}")
```



#### Registered Namespace

Registered namespaces are those that are explicitly defined in the SSVC project.
Expand Down Expand Up @@ -145,7 +142,7 @@ Registered namespaces are intended to be used as follows:
context within the same namespace.

!!! example "Fragment Usage in Registered Namespaces"

We use the `nist` namespace for decision points based on NIST standards, and
fragments to differentiate between decision points based on different NIST publications,
e.g., `nist#800-30` for decision points based on NIST Special Publication 800-30.
Expand Down Expand Up @@ -196,7 +193,6 @@ we expect that this will rarely lead to conflicts in practice.
`x_example.test#test`, and there are no guarantees of global uniqueness for the
decision points in the `x_example.test#test` namespace.


!!! info "Documentation and Test Namespaces"

Any namespace starting with `x_example` can be used in documentation or as examples,
Expand All @@ -220,7 +216,6 @@ Extensions are optional and may be used to refine or clarify existing decision p
Extensions allow SSVC users to create decision points that are specific to their
constituencies or to provide translations of existing decision points.


!!! info "Namespace Extension Semantic Requirements"

Extensions must follow the following requirements:
Expand All @@ -246,7 +241,6 @@ constituencies or to provide translations of existing decision points.
as described above instead of an extension.
Extensions are not intended to be used to create new decision points.


#### Namespace Extension Structure

The first extension segment is reserved for an optional BCP-47 language tag, which may be left empty.
Expand Down Expand Up @@ -347,7 +341,6 @@ base_ns -->|/| first
The structure of the namespace string is intended to show inheritance for
variations on SSVC objects.


!!! tip "Extension Order Matters"

SSVC namespace extension order carries semantic meaning.
5 changes: 0 additions & 5 deletions docs/reference/code/outcomes.md

This file was deleted.
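Review bot: deleting docs/reference/code/outcomes.md while its replacement is added under docs/reference/decision_points/ changes the page's published URL; the in-repo links in docs/topics/decision_points_as_bricks.md are updated in this PR, but the mkdocs.yml nav entry and any external bookmarks would need a corresponding update or redirect, and the code reference index in this PR no longer links to Outcomes from anywhere.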

1 change: 0 additions & 1 deletion docs/reference/decision_points/human_impact.md
Expand Up @@ -51,7 +51,6 @@ from ssvc.decision_tables.helpers import dt2df_md
print(dt2df_md(DT))
```


[^1]: In pilot implementations of SSVC, we received feedback that organizations tend to think of mission and safety impacts as
if they were combined into a single factor: in other words, the priority increases regardless which of the two impact factors was increased.
We therefore combine [Safety Impact](safety_impact.md) and
19 changes: 19 additions & 0 deletions docs/reference/decision_points/outcomes.md
@@ -0,0 +1,19 @@
# Outcome Decision Points

SSVC outcomes are just Decision Point objects.
The only distinction is that these Decision Points are usually intended to be used
as the *outputs* of a decision, whereas most other Decision Points are intended to serve as *inputs* to a decision.
However, there are use cases (e.g., [compound decision points](compound_decision_points.md))
where an outcome of one decision may feed into another decision, so the
distinction between *input* and *output* is somewhat arbitrary. Hence, we chose to use the same
data structure for both.

Following is a list of Decision Points often used as outcomes in SSVC decision models.

```python exec="true" idprefix=""
from ssvc.outcomes import ALL
from ssvc.doc_helpers import example_block

for dp in ALL:
print(example_block(dp))
```
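Review bot: "Following is a list" reads better as "The following is a list". More importantly, because the code block carries `exec="true"`, the docs build now depends on `ssvc.outcomes` exporting `ALL` and on `compound_decision_points.md` existing next to this file; neither is visible in this diff, so a build preview should confirm both before merging.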
2 changes: 0 additions & 2 deletions docs/reference/decision_points/public_safety_impact.md
Expand Up @@ -9,7 +9,6 @@ print(example_block(LATEST))

{% include-markdown "../../_includes/safety_cvss_ssvc.md" %}


Suppliers necessarily have a rather coarse-grained perspective on the broadly defined [Safety Impact](safety_impact.md) Decision Point.
Therefore we simplify the above into a binary categorization:

Expand All @@ -36,7 +35,6 @@ from ssvc.decision_tables.helpers import dt2df_md
print(dt2df_md(DT))
```


## Prior Versions

```python exec="true" idprefix=""
1 change: 0 additions & 1 deletion docs/reference/decision_points/utility.md
Expand Up @@ -48,7 +48,6 @@ from ssvc.decision_tables.helpers import dt2df_md
print(dt2df_md(DT))
```


## Alternative Utility Outputs

Alternative heuristics can plausibly be used as proxies for adversary utility.
2 changes: 1 addition & 1 deletion docs/reference/index.md
Expand Up @@ -4,7 +4,7 @@

This section assumes that you are already familiar with SSVC and want to look up specific details.

If you are new to SSVC, you may want to start with the [Learning SSVC](../tutorials/index.md) section.
If you are new to SSVC, you may want to start with the [Learning SSVC](../tutorials/ssvc_overview.md) section.
If you are already familiar with SSVC and want to learn more, you may want to start with either the
[Understanding SSVC](../topics/index.md) or [SSVC How To](../howto/index.md) sections.

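Review bot: this hunk retargets the link to `../tutorials/ssvc_overview.md` but keeps the label "Learning SSVC", whereas the equivalent hunks in docs/howto/index.md and docs/topics/index.md relabel the same link "SSVC Overview"; pick one label for all three so readers see a consistent name for the same page.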
4 changes: 2 additions & 2 deletions docs/topics/decision_points_as_bricks.md
Expand Up @@ -2,7 +2,7 @@

As we have continued to refine our concept of SSVC, we have an increasing understanding of the importance of
[*Decision Points*](../reference/decision_points/index.md) as the foundational blocks from which the rest of the
SSVC concept is built. A second, but less foundational, concept are the [*Outcomes*](../reference/code/outcomes.md) that
SSVC concept is built. A second, but less foundational, concept are the [*Outcomes*](../reference/decision_points/outcomes.md) that
provide a vocabulary to describe the results of a decision.

## Decision Points and Outcomes as Bricks
Expand Down Expand Up @@ -77,7 +77,7 @@ to decide how much of that flexibility to use.
## SSVC Decision Models as Kits

Similarly, SSVC provides a set of "bricks" in the form of [decision points](../reference/decision_points/index.md)
and [outcomes](../reference/code/outcomes.md).
and [outcomes](../reference/decision_points/outcomes.md).
We have provided a set of [example decision models](../howto/index.md) and [decision tables](../howto/index.md) to get you started.
You might choose to simply use what we've provided as a starting point.
Or you might already recognize that our example gets the structure of the decision model right,
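Review bot: in the unchanged context line both "example decision models" and "decision tables" link to the same `../howto/index.md`; if separate pages exist for those topics, consider pointing each at its own target in a follow-up. The outcomes link itself correctly follows the page's move to `../reference/decision_points/outcomes.md`.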
2 changes: 1 addition & 1 deletion docs/topics/index.md
Expand Up @@ -7,7 +7,7 @@
- Basic familiarity with SSVC
- An interest in learning more about the details of SSVC

If you are unfamiliar with SSVC, we suggest you start with the [Learning SSVC](../tutorials/index.md) section.
If you are unfamiliar with SSVC, we suggest you start with the [SSVC Overview](../tutorials/ssvc_overview.md) section.
[SSVC How-To](../howto/index.md) provides practical guidance for implementing SSVC in your organization.
For technical reference, see [Reference](../reference/index.md).

37 changes: 37 additions & 0 deletions docs/tutorials/other_resources.md
@@ -0,0 +1,37 @@
# Other Resources

Below are links to other resources that provide additional information about SSVC.

!!! tip "SSVC Sightings"

We keep a running list of articles and other SSVC sightings in a [GitHub Discussion](https://github.com/CERTCC/SSVC/discussions/291)

## Videos

Provided below are videos that provide an overview of SSVC and the implementation of decision models.

| Source | Video |
| ------ |----------------------------------------------------------------------------------------------------------------------------------|
| SEI Podcast Series | [A Stakeholder-Specific Approach to Vulnerability Management](https://youtu.be/wbUTizBaXA0) |
| CISA | [SSVC On-Demand Training](https://youtu.be/NqiwyUPLy6I) |
| Nucleus Security | [SSVC and Decision Trees](https://youtu.be/BKVvmAaCnSs) |
| Nucleus Security | Panel Discussion: [Using Decision Trees for Vulnerability Prioritization with SSVC](https://youtu.be/25RHdcSwHCg) |
| Nucleus Security | [What is SSVC?](https://youtu.be/LV6PclEQ3QA) |
| ICS Cybersecurity Academy | [Create your own SSVC decision tree for ICS patching](https://youtu.be/MLkA2N3aXK4) |
| ICS Cybersecurity Academy | [SSVC: A great replacement for CVSS in ICS?](https://youtu.be/1T36ieOqzNw) |
| Waterfall Security Solutions | Industrial Security Podcast Eps. 102: [Stakeholder-Specific Vulnerability Categorization (SSVC)](https://youtu.be/n5tVYjGxFj0) |

## Other Content

We've collected a list of articles and blog posts that provide additional information about SSVC.

| Source | Link |
|- -------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SEI | [Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization](https://insights.sei.cmu.edu/blog/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization/) |
| CISA | [Stakeholder-Specific Vulnerability Categorization (SSVC)](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) |
| Qualys | [Effective Vulnerability Management with Stakeholder Specific Vulnerability Categorization (SSVC) and Qualys TruRisk](https://blog.qualys.com/product-tech/2022/11/30/effective-vulnerability-management-with-ssvc-and-qualys-trurisk) |
| Vulcan Cyber | [The SSVC risk prioritization method: what it is, when to use it, and alternatives](https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/) |

!!! question "Missing Something?"

Have a link to something we missed? Let us know in an [issue](https://github.com/CERTCC/SSVC/issues/new).
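Review bot: the delimiter row of the "Other Content" table starts with `|- -------------|`, and the space inside that first cell makes it an invalid delimiter row, so Markdown table parsers will not recognize the table and will render the rows as plain text; change it to `|---------------|`. The "Videos" table header row is fine. As a style point, "Provided below are videos that provide an overview" could be tightened to "The videos below give an overview".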