Update CISA Track* to Monitor and version

[sei-vsarvepalli]

• resolves #699

CISA uses 2.0.3 for the Decision Table Version as the current one in various places. The next version 2.0.4 is expected to get rid of Track* in favor of the Monitor as guidance provided by Jono in May 2025.

[ahouseholder]

What's different between this and

• #742

?

I had been keeping #742 in sync as we merged into main, but holding it as a draft PR so we didn't accidentally merge it until CISA had their changes ready. Also, #742 has more changes in it than just the outcome object in python.

[ahouseholder]

Converting to draft to avoid premature merge.

[sei-vsarvepalli]

What's different between this and

• Replace Track*/Track * with Monitor in CISA-based decision model (2nd try) #742

?

I had been keeping #742 in sync as we merged into main, but holding it as a draft PR so we didn't accidentally merge it until CISA had their changes ready. Also, #742 has more changes in it than just the outcome object in python.

Yeh the #742 diverged too much away from this base. So I just moved to make a smaller PR specific only to this issue - programmatically. It is required for the Decision Tables that I am generating to work properly.

[ahouseholder]

Ok, but we can't merge this until CISA's public docs are updated. Two I'm aware of are:

• [ ] https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
• [ ] https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf

[sei-vsarvepalli]

Hello @j---

Can we get your help in advancing resolution to this? Our hope for September publish release is that this is consistent with CISA and is accurate, especially in the public forums.