The US Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) has taken over responsibility for assigning Common Vulnerability Enumeration (CVE) identifiers for software vulnerabilities in two specific industries — medical devices and industrial control systems — as part of a planned expansion in the number of organizations managing vulnerability information, according to CISA and government contractor MITRE.
CISA, which informs and manages cybersecurity risk for the United States, will become a so-called "root-level CVE Number Authority (CNA)," initially managing seven different organizations: Alias Robotics, ABB, [email protected], Gallagher Group, Johnson Controls, Robert Bosch, and Siemens. Each of the organizations issue CVEs for their own products — or, in the case of [email protected], a German technical organization, for the group's partners in the automation industry — but CISA will oversee the program and expanding membership among those industries.
The addition of CISA marks the first time MITRE has "a peer organization within the program," says Chris Levendis, CVE Program board member and a principal systems engineer at MITRE.
"They will have the same responsibilities as the MITRE CNA," he says. "They are responsible, for example, for recruiting and onboarding new CNAs within their ICS and medical device scope, ensuring retail assignment of CVE IDs within their scope, adjudicating disputes within their scope, [and] participating in program working groups ... They are responsible for ensuring coordinated and responsible vulnerability disclosure within their scope."
Both CISA and MITRE's root-level groups will report to the board managing the CVE prog ..
Support the originator by clicking the read the rest link below.
