CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. Right-click and copy a URL to share a post, or comment on a post by using our LinkedIn page or the CVE Request Web Form by selecting “Other” from the dropdown.


CVE Program Partners with Cybersecurity & Infrastructure Security Agency to Protect Industrial Control Systems and Medical Devices


This article is based upon a news release by the CVE Program and the Cybersecurity and Infrastructure Security Agency.

The CVE Program announced it is expanding its partnership with the Cybersecurity and Infrastructure Security Agency (CISA) for managing the assignment of CVE Identifiers (IDs) for the CVE Program.

CISA is now designated a Top-Level Root CVE Numbering Authority for industrial control systems (ICS) and medical device vendors participating as CVE Numbering Authorities (CNAs). CNAs are organizations authorized to assign CVE IDs for vulnerabilities affecting products within a distinct scope. A Top-Level Root CNA, such as CISA, manages a group of CNAs within a given domain or community and may assign CVE IDs to vulnerabilities.

As the Top-Level Root for ICS and medical devices, CISA is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CNAs under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.

Establishing CISA as a Top-Level Root consolidates the vast expertise required to effectively assign CVE IDs to ICS and medical device vulnerabilities. This designation as a Top-Level Root enables the rapid identification and resolution of issues specific to those environments. “This is consistent with the CVE Program’s federated growth strategy to scale the CVE Program in a sustainable, stakeholder driven way. The CVE Program is excited to partner with CISA to grow the program to better meet stakeholder needs,” said Chris Levendis, CVE Program Board Member and a principal systems engineer at MITRE.

As the nation’s risk advisor, CISA serves in the unique role of a trusted information broker across a diverse set of public and private stakeholders. In this role, CISA fosters increased information sharing to help these stakeholders make more informed decisions and better understand and manage risk from cyber and physical threats.

“Continuing to encourage public and transparent disclosure of industrial control systems and medical device vulnerabilities is a critical mission for CISA. This expansion will encourage more vendors to participate in the CVE Program and allow CISA to better support stakeholders as they become more engaged,” said Bryan Ware, Assistant Director for Cybersecurity, CISA.

CISA ICS will be the Top-Level Root CNA for the following seven CNAs initially:

  1. Alias Robotics S.L.
  2. ABB
  3. CERT@VDE
  4. Gallagher Group Ltd
  5. Johnson Controls
  6. Robert Bosch GmbH
  7. Siemens

“The CVE Board is extremely pleased to see CISA step up and provide the capabilities needed to properly address and support the ever expanding ICS and medical control ecosystems. Vulnerabilities are not just in the IT platforms the CVE Program has covered in the past. Vulnerabilities today can potentially affect life and limb. Being able to quickly assign CVEs to these vulnerabilities allows the communities to work together to rapidly mitigate them,” said Kent Landfield, a founding CVE Board Member.

Comments or Questions?

If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!

- The CVE Program
  September 15, 2020



Page Last Updated or Reviewed: September 15, 2020