We Speak CVE

Becoming A CNA—Myths versus Facts

CVE Program Episode 19

Host Shannon Sabens of CrowdStrike chats with Julia Turkevich of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the myths and facts of partnering with the CVE Program as a CVE Numbering Authority (CNA).

The episode discusses the facts behind the following myths:

Myth #1: Only a specific category of software vendors can become CNAs.
Myth #2: Organizations cannot leverage their existing vulnerability management and disclosure processes when they become a CNA.
Myth #3: The requirements for becoming a CNA are overwhelming and extensive.
Myth #4: A fee is required to become a CNA.
Myth #5: The CNA onboarding process is too complicated and time-consuming.
Myth #6: Organizations cannot choose the Top-Level Root or Root they want to work with.

The purpose and overall structure of the CVE Program and CISA's role in recruiting and managing CNAs within its Top-Level Root scope of industrial control systems (ICS) and operational technology (OT) are also discussed.

LINKS: