Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency
CISA Root Common Vulnerability and Exposures Numbering Authority for Industrial Control Systems

Scope: To support the federation model of the CVE Numbering Authority (CNA) program, the Cybersecurity and Infrastructure Security Agency (CISA) will become the Root CNA for industrial control systems (ICS) and medical devices. This function will recruit current and new ICS and medical device vendors to become CVE assignors through the existing CISA task area. It will be supported and coordinated by CISA and the Idaho National Laboratory (INL). While the CNA program is voluntary and no CNA can be forced to fall under any Root CNA, separating these CNAs into a functional area will augment the community that surrounds these critical systems. It will provide an opportunity to recruit more vendors to develop stronger vulnerability disclosure programs and to participate more widely and transparently in the disclosure of vulnerabilities affecting ICS and medical devices. The ICS CNA currently managed by CISA and INL will continue to function as such by supporting individual CVE assignments to researchers and non-CNA vendors. It will also continue to support coordination of vulnerability disclosures as a function separate from the ICS Root CNA.

How to Escalate Issues to the Root CNA

Parties who contend that an industrial control systems CNA is not in compliance with the CNA rules (e.g., not responding in a timely manner, refusing to assign a CVE ID to a vulnerability, not populating a CVE record in a timely manner) may contact CISA (Root CNA for ICS) about the issue. CISA will then evaluate the report and take any necessary actions. See Section 9: Appeals Process of the CNA rules for a high-level description of the process.

  • CISA will act as an escalation and adjudication point for issue resolution in the industrial control systems scope for its CNAs.
  • CISA will address CVE assignment issues from its CNAs that require escalation.
  • To contact CISA regarding a CVE issue, send a detailed message with your questions, issues, and comments to ics.cna-coordinator@cisa.dhs.gov.
  • CISA will respond with an acknowledgement within 5 days.
  • The CISA board of adjudication will consist of one CISA federal employee and two ICS vulnerability analysts.
  • Adjudication of disputes should be completed within 10 days.
  • Disputes will be clearly documented in the CVE Entry if a CVE ID is assigned as the result of an escalated issue.

For more information about CNA rules, please see https://cve.mitre.org/cve/cna/rules.html.

How to Become a CNA

A vendor, company, or entity that has a public disclosure policy and a public point of contact for new vulnerability disclosures can become a CNA. In most cases, this will also indicate the company has a responsive security group and a proactive corporate security mindset. CNAs agree to the CVE Terms of Use. Organizations are welcome to approach the CISA ICS Root CNA to request consideration as a CNA.
Potential CNAs will need to provide the following information to the Root CNA:

  • Point of contact
  • Scope definition of vulnerabilities addressed
  • Disclosure policy and location of public posting of the policy
  • Vulnerability advisory public postings location

Training for new CNAs

MITRE has released an excellent set of videos that describe the CVE assignment process. Potential new CNAs should first become familiar with these videos and the other resources available on the MITRE CVE website. CISA will set up an onboarding meeting with the new CNA to explain concepts further and to answer any questions or concerns.
After the onboarding meeting, we can schedule further (formal or informal) meetings as needed to help you grow into your role as a CNA.

RBP Policy

If the percentage of Reserved but Public (RBP) IDs is greater than 5 percent of the CVE IDs made public by a CNA in the past 12 months, the CNA must populate some of the RBP entries before they receive new CVE IDs. If a CNA populates enough RBP entries to fall below the 5 percent threshold, they may receive a full block of new CVE IDs. During the time that the CNA is above the 5 percent threshold, they may only receive a new reserved CVE ID for each RBP ID they populate.

Terminology

  • Reserved IDs are CVE IDs given to a CNA for assignment that have not yet had the vulnerability details populated in the CVE List.
  • Reserved but Public (RBP) IDs are CVE IDs that have been used in a public reference (e.g., in an advisory) but whose entry has not yet been populated.
  • Populated IDs are reserved CVE IDs that have been populated with vulnerability details on the CVE List.
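A CNA that wants to check its own standing against the RBP policy above needs to compute the RBP percentage and apply the two allocation modes (one new ID per populated RBP while over the threshold, a full block otherwise). The following Python script is an added example, not CISA's or MITRE's code; the `CveRecord` type, the `build_sample` data, the 365-day reading of "past 12 months", and the choice to count every outstanding RBP ID in the numerator regardless of its age are all assumptions made for the illustration. It also shows the boundary case: exactly 5 percent is not "greater than 5 percent", so it is still in compliance.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Threshold and lookback window from the CISA RBP policy text.
RBP_THRESHOLD = 0.05   # "greater than 5 percent" is out of compliance
WINDOW_DAYS = 365      # "past 12 months", assumed here to be a rolling 365-day window
TODAY = date(2024, 6, 1)  # constructed reference date for the sample data


@dataclass
class CveRecord:
    cve_id: str
    state: str                          # "RESERVED", "RBP", or "POPULATED"
    public_date: Optional[date] = None  # first public appearance; None if never public


def public_in_window(records: List[CveRecord], today: date) -> List[CveRecord]:
    """IDs made public within the window. RBP IDs count: they already appear in a public reference."""
    start = today - timedelta(days=WINDOW_DAYS)
    return [r for r in records
            if r.state in ("RBP", "POPULATED")
            and r.public_date is not None
            and start < r.public_date <= today]


def rbp_ratio(records: List[CveRecord], today: date) -> float:
    """RBP IDs divided by IDs made public in the window (assumption: all current RBPs count,
    whatever their age). With no public IDs in the window but outstanding RBPs, the ratio is
    treated as infinite, i.e. clearly over threshold; with no RBPs at all it is zero."""
    rbp_count = sum(1 for r in records if r.state == "RBP")
    public_count = len(public_in_window(records, today))
    if public_count == 0:
        return float("inf") if rbp_count else 0.0
    return rbp_count / public_count


def above_threshold(records: List[CveRecord], today: date) -> bool:
    return rbp_ratio(records, today) > RBP_THRESHOLD


def new_ids_allowed(records: List[CveRecord], today: date,
                    block_size: int, populated_since_last_request: int) -> int:
    """IDs the CNA may receive now: one per RBP populated while over threshold, else a full block."""
    if above_threshold(records, today):
        return populated_since_last_request
    return block_size


def populate(record: CveRecord) -> None:
    """Populate an RBP entry on the CVE List, moving it to POPULATED."""
    if record.state != "RBP":
        raise ValueError(f"{record.cve_id} is {record.state}, not RBP")
    record.state = "POPULATED"


def build_sample(today: date, rbp: int, populated: int, stale_reserved: int = 3) -> List[CveRecord]:
    """Constructed sample data (the CVE IDs are placeholders, not real assignments):
    `populated` entries published inside the window, `rbp` IDs cited in advisories but not yet
    populated, plus some reserved IDs that were never referenced publicly."""
    records: List[CveRecord] = []
    n = 0
    for _ in range(populated):
        n += 1
        records.append(CveRecord(f"CVE-2024-{1000 + n}", "POPULATED",
                                 today - timedelta(days=30 * (n % 11))))
    for _ in range(rbp):
        n += 1
        records.append(CveRecord(f"CVE-2024-{1000 + n}", "RBP", today - timedelta(days=60)))
    for _ in range(stale_reserved):
        n += 1
        records.append(CveRecord(f"CVE-2024-{1000 + n}", "RESERVED"))
    return records


def demo():
    """18 populated + 2 RBP = 20 public IDs, 10% RBP: one-for-one mode. After populating one
    RBP the ratio is exactly 5%, which is not 'greater than 5 percent', so a full block is allowed."""
    records = build_sample(TODAY, rbp=2, populated=18)
    before = (round(rbp_ratio(records, TODAY), 3), above_threshold(records, TODAY),
              new_ids_allowed(records, TODAY, block_size=10, populated_since_last_request=1))
    populate(next(r for r in records if r.state == "RBP"))
    after = (round(rbp_ratio(records, TODAY), 3), above_threshold(records, TODAY),
             new_ids_allowed(records, TODAY, block_size=10, populated_since_last_request=1))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Feeding real data into this requires the CNA's own knowledge of which reserved IDs have already been cited in advisories; the public CVE List alone shows only RESERVED versus published entries, so the RBP state must come from the CNA's internal tracking.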

Inactive CNA Policy

Inactive CNAs may be problematic for the CVE Program because adoption and coverage may not be achieved within a scope even though that scope is assigned to a CNA. However, a CNA may be inactive for legitimate reasons, such as when no new vulnerabilities are identified within its scope; once vulnerabilities are identified, normal assignment and population activities resume. There are also illegitimate reasons for CNA inactivity, such as when the CNA is no longer interested, properly resourced, or competent to participate in the CVE Program as a CNA. CNAs that are inactive for legitimate reasons may continue to participate in the CVE Program. CNAs that are inactive for illegitimate reasons may not continue to participate in the CVE Program unless the reasons for inactivity are satisfactorily remediated.

Inactive CNAs are identified as those who over the preceding six-month period have not assigned or populated CVEs within a scope and have not participated in various working groups and discussions to advance CVE Program objectives. Inactive CNAs must be identified so that 1) the reason(s) for inactivity are determined, and 2) appropriate next steps are taken.
