
BOD 26-04: Prioritizing Security Updates Based on Risk

Posted by mooreds | 2 hours ago | 1 comment

evanjrowley 2 hours ago

It's the wrong strategy. What they should do instead is push both US gov entities and vulnerability management tool vendors to properly embrace CVSS 4.0. The environmental, threat, and supplemental metrics[0] should be sufficient to express all of this (even the KEV status). In fact, the KEV list should really just be a CVSS 4.0 overlay on top of the base score. Instead, we have vulnerability management tool vendors upselling CISA KEV add-ons and pushing customers to use various proprietary severity scores. The US gov is stuck "managing" vulnerabilities with manual spreadsheets today and it will stay that way until they make a real effort to evolve severity scoring.

[0] https://www.first.org/cvss/v4.0/specification-document
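The comment's suggestion that KEV status could live inside the CVSS 4.0 Threat metric group, worked through as an added example (not code from the thread, from CISA or from FIRST): a validating parser for CVSS 4.0 vector strings plus an overlay step that sets Exploit Maturity to `E:A` (Attacked) for anything in a KEV-style catalogue. The metric names and allowed values follow the v4.0 specification linked above; the KEV catalogue and CVE ids are constructed placeholders, and the code stops at the vector string (it does not compute the numeric score).

```python
"""Added example: express a KEV listing as a CVSS 4.0 Threat-metric overlay.
Metric names/values follow the CVSS v4.0 vector string rules. The KEV
catalogue and CVE ids used below are constructed placeholders."""

from typing import Dict, Set

PREFIX = "CVSS:4.0/"

# Canonical order: mandatory Base metrics, then optional Threat,
# Environmental and Supplemental groups.
BASE = ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"]
THREAT = ["E"]
ENVIRONMENTAL = ["CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"]
SUPPLEMENTAL = ["S", "AU", "R", "V", "RE", "U"]
ORDER = BASE + THREAT + ENVIRONMENTAL + SUPPLEMENTAL

# Allowed value letters per metric ("X" = Not Defined for optional metrics).
ALLOWED: Dict[str, Set[str]] = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    **{m: {"H", "L", "N"} for m in ["VC", "VI", "VA", "SC", "SI", "SA"]},
    "E": {"X", "A", "P", "U"},  # Exploit Maturity: Attacked / POC / Unreported
    **{m: {"X", "H", "M", "L"} for m in ["CR", "IR", "AR"]},
    "MAV": {"X", "N", "A", "L", "P"}, "MAC": {"X", "L", "H"},
    "MAT": {"X", "N", "P"}, "MPR": {"X", "N", "L", "H"},
    "MUI": {"X", "N", "P", "A"},
    **{m: {"X", "H", "L", "N"} for m in ["MVC", "MVI", "MVA", "MSC"]},
    **{m: {"X", "S", "H", "L", "N"} for m in ["MSI", "MSA"]},  # S = Safety
    "S": {"X", "N", "P"}, "AU": {"X", "N", "Y"}, "R": {"X", "A", "U", "I"},
    "V": {"X", "D", "C"}, "RE": {"X", "L", "M", "H"},
    "U": {"X", "Clear", "Green", "Amber", "Red"},
}


def parse_vector(vector: str) -> Dict[str, str]:
    """Parse a CVSS 4.0 vector string into {metric: value}, rejecting
    unknown metrics, bad values, duplicates and missing Base metrics."""
    if not vector.startswith(PREFIX):
        raise ValueError("not a CVSS 4.0 vector: missing 'CVSS:4.0/' prefix")
    metrics: Dict[str, str] = {}
    for part in vector[len(PREFIX):].split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in ALLOWED:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if value not in ALLOWED[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing mandatory Base metrics: {missing}")
    return metrics


def to_vector(metrics: Dict[str, str]) -> str:
    """Serialize in canonical order; optional metrics left at X are omitted."""
    parts = []
    for m in ORDER:
        v = metrics.get(m)
        if v is None or (m not in BASE and v == "X"):
            continue
        parts.append(f"{m}:{v}")
    return PREFIX + "/".join(parts)


def is_valid_vector(vector: str) -> bool:
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def apply_kev_overlay(cve_id: str, vector: str, kev_catalog: Set[str]) -> str:
    """Overlay KEV knowledge onto the vector: a listed CVE gets E:A
    (Attacked). Any existing E value is only ever raised to A, and a CVE
    not in the catalogue leaves the vector unchanged."""
    metrics = parse_vector(vector)
    if cve_id in kev_catalog:
        metrics["E"] = "A"
    return to_vector(metrics)


if __name__ == "__main__":
    # Constructed catalogue and vector for demonstration only.
    kev = {"CVE-0000-00001"}
    base = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    print(apply_kev_overlay("CVE-0000-00001", base + "/E:P", kev))
    print(apply_kev_overlay("CVE-0000-00002", base + "/E:P", kev))
```

Because the overlay is just another metric in the vector, an environmental overlay (for instance `CR:H` for an asset whose confidentiality matters most) composes with it in the same string, which is the point the comment is making: the catalogue status and the local context both become inputs to one score rather than separate columns in a spreadsheet.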