CISA Root Common Vulnerability and Exposures Numbering Authority for Industrial Control Systems

Scope: To support the federation model of the CVE Numbering Authority (CNA) program, the Cybersecurity Infrastructure Security Agency (CISA) will become the Root CNA for industrial control systems (ICS) and medical devices. This function will recruit current and new ICS and medical device vendors to become CVE assignors of CVEs through the existing CISA task area. This function will be supported and coordinated by CISA and the Idaho National Laboratory (INL). While the CNA program is voluntary and cannot be forced to fall under any Root CNA, separating these CNA’s into a functional area will augment the community that surrounds these critical systems. It will provide an opportunity to recruit more vendors to develop stronger vulnerability disclosure programs and to participate more widely and transparently with the disclosure of vulnerabilities impacting ICS and medical devices. The ICS CNA currently managed by CISA and INL will continue to function as such by supporting individual CVE assignments to researchers and non-CNA vendors. It will also continue to support coordination of vulnerability disclosures as a function separate to the ICS Root CNA.

How to Escalate Issues to the Root CNA

Parties who contend that an industrial controls system CNA is not in compliance with the CNA rules (e.g., not responding in a timely manner, refusing to assign a CVE ID to a vulnerability, not populating a CVE record in a timely manner, etc.) may contact CISA (Root CNA for ICS) about the issue. CISA will then evaluate the report and take any necessary actions. See Section 9: Appeals Process for a high-level description of the process.

• CISA will act as an escalation and adjudication point for issue resolution in the industrial controls scope for its CNAs.
• CISA will address CVE assignment issues from its CNAs that require escalation.
• To contact CISA regarding a CVE issue, send a detailed message with your questions, issues, and comments to ics.cna-coordinator@cisa.dhs.gov.
• CISA will respond with an acknowledgement within 5 days.
• The CISA board of adjudication will consist of one CISA federal employee and two ICS vulnerability analysts.
• Adjudication of disputes should be completed within 10 days.
• Disputes will be clearly documented in the CVE Entry if a CVE ID is assigned as the result of an escalated issue.

For more information about CNA rules, please see https://cve.mitre.org/cve/cna/rules.html.

How to Become a CNA

A vendor, company, or entity that has a public disclosure policy and a public point of contact for new vulnerability disclosures can become a CNA. In most cases, this will also indicate the company has a responsive security group and a proactive corporate security mindset. CNAs agree to the CVE Terms of Use. Organizations are welcome to approach the CISA ICS Root CNA to request consideration as a CNA.
Potential CNAs will need to provide the following information to the Root CNA:

• Point of contact
• Scope definition of vulnerabilities addressed
• Disclosure policy and location of public posting of the policy
• Vulnerability advisory public postings location

Training for new CNAs

Mitre has released an excellent set of videos that tell about the CVE assignment process. Potential new CNAs should first become familiar with these videos and other resources available on the Mitre CVE website. CISA will set up an onboarding meeting with the new CNA to explain concepts further and to answer any questions or concerns.
After the onboarding meeting, we can schedule further (formal or informal) meetings as needed to help you grow into your role as a CNA.

RBP Policy

If the percentage of Reserved but Public (RBP) IDs is greater than 5 percent of the CVE IDs made public by a CNA in the past 12 months, the CNA must populate some of the RBP entries before they receive new CVE IDs. If a CNA populates enough RBP entries to fall below the 5 percent threshold, they may receive a full block of new CVE IDs. During the time that the CNA is above the 5 percent threshold, they may only receive a new reserved CVE ID for each RBP ID they populate.

Terminology

• Reserved IDs are CVE IDs given to a CNA for assignment that have not yet had the vulnerability details populated in the CVE List.
• Reserved but Public (RBP) IDs are CVE IDs used in a public reference (i.e., in an advisory), but the entry has not yet been populated.
• Populated IDs are reserved CVE IDs that have been populated with vulnerability details on the CVE List.

Inactive CNA Policy

Inactive CNAs may be problematic for the CVE Program because adoption and coverage may not be achieved within a scope even though such a scope is assigned to a CNA. However, inactive CNAs may be inactive for legitimate reasons, such as when no new vulnerabilities are identified within a scope and, once identified, normal assignment and population activities are resumed. There are also illegitimate reasons for CNA inactivity, such as when the CNA is no longer interested, properly resourced, or competent to participate in the CVE Program as a CNA. CNAs that are inactive for legitimate reasons may continue to participate in the CVE Program. CNAs that are inactive for illegitimate reasons may not continue to participate in the CVE Program unless the reasons for inactivity are satisfactorily remediated.

Inactive CNAs are identified as those who over the preceding six-month period have not assigned or populated CVEs within a scope and have not participated in various working groups and discussions to advance CVE Program objectives. Inactive CNAs must be identified so that 1) the reason(s) for inactivity are determined, and 2) appropriate next steps are taken.