We Speak CVE

Becoming A CNA—Myths versus Facts

June 21, 2023 CVE Program Episode 19
Show Notes

Host Shannon Sabens of CrowdStrike chats with Julia Turkevich of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the myths and facts of partnering with the CVE Program as a CVE Numbering Authority (CNA).

The truth and facts about the following myths are discussed:

Myth #1:  Only a specific category of software vendors can become CNAs.
Myth #2:  Organizations cannot leverage their existing vulnerability management and disclosure processes when they become a CNA.
Myth #3:  The requirements for becoming a CNA are overwhelming and extensive.
Myth #4:  A fee is required to become a CNA.
Myth #5:  The CNA onboarding process is too complicated and time-consuming.
Myth #6:  Organizations cannot choose the Top-Level Root or Root they want to work with.

The purpose and overall structure of the CVE Program, and CISA's role in recruiting and managing CNAs within its Top-Level Root scope of industrial control systems (ICS) and operational technology (OT), are also discussed.