Host Shannon Sabens of CrowdStrike chats with Julia Turkevich of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the myths and facts of partnering with the CVE Program as a CVE Numbering Authority (CNA).
Truth and facts about the following myths are discussed:
Myth #1: Only a specific category of software vendors can become CNAs.
Myth #2: Organizations cannot leverage their existing vulnerability management and disclosure processes when they become a CNA.
Myth #3: The requirements for becoming a CNA are overwhelming and extensive.
Myth #4: A fee is required to become a CNA.
Myth #5: The CNA onboarding process is too complicated and time-consuming.
Myth #6: Organizations cannot choose the Top-Level Root or Root they want to work with.
The purpose and overall structure of the CVE Program and CISA's role in recruiting and managing CNAs within its Top-Level Root scope of industrial control system (ICS) and operation technology (OT) are also discussed.
LINKS: