The Common Vulnerabilities and Exposures (CVE®) Program announced today it is expanding its partnership with the Cybersecurity and Infrastructure Security Agency (CISA) for managing the assignment of CVE Identifiers (IDs) for the CVE Program.
CISA is now designated a Top-Level Root CVE Numbering Authority for industrial control systems (ICS) and medical device vendors participating as CVE Numbering Authorities (CNAs). CNAs are organizations authorized to assign CVE IDs for vulnerabilities affecting products within a distinct scope. A Top-Level Root CNA, such as CISA, manages a group of CNAs within a given domain or community and may assign CVE IDs to vulnerabilities.
As the Top-Level Root for ICS and medical devices, CISA is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CNAs under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.