The Common Vulnerabilities and Exposures (CVE®) Program announced it is granting authority to the Cybersecurity and Infrastructure Security Agency (CISA) for managing the assignment of CVE Identifiers (IDs) for the CVE Program. 

CISA, which sponsors the CVE Program, is now also designated a Top-Level Root CVE Numbering Authority for industrial control systems (ICS) and medical device vendors participating as CVE Numbering Authorities (CNA).  CNAs are organizations authorized to assign CVE IDs for vulnerabilities affecting products within a distinct scope.  A Top-Level Root CNA, such as CISA, manages a group of CNAs within a given domain or community and may assign CVE IDs to vulnerabilities. 

As the Top-Level Root for ICS and medical devices, CISA is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CNAs under its care. It's also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.

Establishing CISA as a Top-Level Root consolidates the vast expertise required to effectively assign CVE IDs to ICS and medical device vulnerabilities and enables the rapid identification and resolution of issues specific to those environments. 

“This is consistent with the CVE Program’s federated growth strategy to scale the CVE Program in a sustainable, stakeholder-driven way. The CVE Program is excited to partner with CISA to grow the program to better meet stakeholder needs,” said Chris Levendis, CVE Program Board Member and a principal systems engineer at MITRE. 

As the Nation’s risk advisor, CISA serves the unique role as a trusted information broker across a diverse set of public and private stakeholders. In this role, CISA fosters increased information sharing to help these stakeholders make more informed decisions to better understand and manage risk from cyber and physical threats. 

“Continuing to encourage public and transparent disclosure of industrial control systems and medical device vulnerabilities is a critical mission for CISA,” said Bryan Ware, Assistant Director for Cybersecurity at CISA. “This expansion will encourage more vendors to participate in the CVE program and allow CISA to better support stakeholders as they become more engaged.” 

CISA will be the Top-Level Root CNA for the following Seven CNAs initially: 

1. Alias Robotics S.L.
2. Asea Brown Boveri Ltd.
3. CERT@VDE
4. Johnson Controls
5. Robert Bosch GmbH
6. Siemens
7. Gallagher Group Ltd 

Kent Landfield, a founding CVE Board member said, “The CVE Board is extremely pleased to see CISA step up and provide the capabilities needed to properly address and support the ever expanding ICS and medical control ecosystems. Vulnerabilities are not just in the IT platforms the CVE Program has covered in the past. Vulnerabilities today can potentially affect life and limb. Being able to quickly assign CVEs to these vulnerabilities allows the communities to work together to rapidly mitigate them.”