CVE Program Partners with Cybersecurity & Infrastructure Security Agency to Protect Industrial Control Systems and Medical Devices

CISA takes new role in assigning and monitoring CVE IDs

McLean, Va., September 15, 2020—The Common Vulnerabilities and Exposures (CVE®) Program announced today that it is expanding its partnership with the Cybersecurity and Infrastructure Security Agency (CISA) to manage the assignment of CVE Identifiers (IDs) for the CVE Program.

CISA is now designated a Top-Level Root CVE Numbering Authority for industrial control systems (ICS) and medical device vendors participating as CVE Numbering Authorities (CNAs). CNAs are organizations authorized to assign CVE IDs for vulnerabilities affecting products within a distinct scope. A Top-Level Root CNA, such as CISA, manages a group of CNAs within a given domain or community and may assign CVE IDs to vulnerabilities.

As the Top-Level Root for ICS and medical devices, CISA is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CNAs under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.

Establishing CISA as a Top-Level Root consolidates the vast expertise required to effectively assign CVE IDs to ICS and medical device vulnerabilities. This designation as a Top-Level Root enables the rapid identification and resolution of issues specific to those environments.

“This is consistent with the CVE Program’s federated growth strategy to scale the CVE Program in a sustainable, stakeholder-driven way. The CVE Program is excited to partner with CISA to grow the program to better meet stakeholder needs,” said Chris Levendis, CVE Program board member and a principal systems engineer at MITRE.

As the nation’s risk advisor, CISA serves in the unique role of a trusted information broker across a diverse set of public and private stakeholders. In this role, CISA fosters increased information sharing that helps these stakeholders make more informed decisions and better understand and manage risk from cyber and physical threats.

“Continuing to encourage public and transparent disclosure of industrial control systems and medical device vulnerabilities is a critical mission for CISA,” said Bryan Ware, assistant director for cybersecurity, CISA. “This expansion will encourage more vendors to participate in the CVE Program and allow CISA to better support stakeholders as they become more engaged.”

CISA will be the Top-Level Root CNA for the following seven CNAs initially:

  1. Alias Robotics S.L.
  2. ABB
  4. Gallagher Group Ltd
  5. Johnson Controls
  6. Robert Bosch GmbH
  7. Siemens

“The CVE Board is extremely pleased to see CISA step up and provide the capabilities needed to properly address and support the ever-expanding ICS and medical control ecosystems. Vulnerabilities are not just in the IT platforms the CVE Program has covered in the past. Vulnerabilities today can potentially affect life and limb. Being able to quickly assign CVEs to these vulnerabilities allows the communities to work together to rapidly mitigate them,” said Kent Landfield, a founding CVE board member.

About the CVE Program

Common Vulnerabilities and Exposures (CVE®) is an international, community-based effort that maintains a community-driven, open data registry of vulnerabilities. The CVE IDs assigned through the registry enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks. The CVE Program currently has 137 CNAs in 24 countries, spanning technologies and services globally.


Jennifer Lang, MITRE

Page Last Updated or Reviewed: September 15, 2020