
CNA Rules Revision Process



The CNA Rules are reviewed annually. During this review, the CVE Board and the CNAs have an opportunity to make suggestions about what changes could be made to the Rules. Changes to the CNA Rules can include new rules, rule removal or change, clarifications, or other changes that will improve the CNA program.


The current CNA rules are located here: <http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf>


The current list of Suggested Rules Changes can be found here:




***If you would like to suggest a change to the CNA Rules, add it to the bottom of the list in the Goal/Change/Outcome format used on that page. You can also email your suggestions to me <dadinolfi@mitre.org> and <cve@mitre.org> if you'd prefer. (Note, we plan to use GitHub throughout this process, so if you plan to participate, obtaining a GitHub account would be beneficial.)


We will be following this schedule for the revision process.


First 30 days (July 2017)

  - Open comment period including Board and CNAs.

  - 2 or 3 conference calls will be scheduled for group discussion. Watch for the conference invitations for these calls. (They are currently scheduled for July 11 at 2:30PM ET and July 20 at 10:30AM ET; a third call will be scheduled if necessary.)

  - At the end of this period, no additional suggestions will be included in this revision cycle.


Next 60 days (August and September 2017)

  - We will work in 1-week sprints with a subset of the proposed revisions discussed during each sprint. Each subset is only to be discussed during that sprint.

  - There will be 8 total sprints (making this part an 8-week process).

  - At the end of a sprint, if something wasn't resolved or discussed, it will not be included in this revision.

  - At the end of all sprints, the document will be finalized and sent to the Board for approval.


The new Rules will take effect on Jan 1, 2018. This will give CNAs three months to implement any changes to their processes that become needed after the CNA Rules are revised.


Please let us know if you have any questions about this process.


Thank you!




Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774





Page Last Updated or Reviewed: July 10, 2017