CCS uses the scoring guidelines published by the Common Vulnerability Scoring System (CVSS 2.0) to calculate risk scores for assets that fail evaluation against the SCAP-expressed data stream. To calculate these risk scores, you must import the CVSS values for the corresponding CVE IDs.
As recommended by NIST, CCS must use the CVSS base scores to prioritize the remediation of known security-related software flaws. When a new vulnerability is publicly announced, a new CVE ID is created and the CVSS base scores are computed for the vulnerability. The CVSS base scores are then added to the National Vulnerability Database (NVD).
CCS uses the base metrics model of CVSS to calculate the risk scores for the assets.
A rule that represents a software flaw references CVE IDs. Because a single rule can point to multiple CVE IDs, the base scores of all such CVE IDs are taken from the CVSS. The Confidentiality (C), Integrity (I), and Availability (A) values of the CVSS entry with the highest base score are used to calculate the adjusted risk score for the assets.
CCS lets you calculate the adjusted base score for a rule and asset pair.