CISA Named Top-Level Root CVE Numbering Authority
Security News, September 2020

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been named a Top-Level Root CVE Numbering Authority (CNA) and will oversee CNAs that assign CVE identifiers for vulnerabilities in industrial control systems (ICS) and medical devices.
A Top-Level Root CNA can assign CVEs and is also tasked with managing CNAs in a specific domain or community.
Specifically, CISA will ensure that CVE identifiers are assigned properly, implement the rules and guidelines of the CVE Program, resolve disputes, and recruit new CNAs.
"Establishing CISA as a Top-Level Root consolidates the vast expertise required to effectively assign CVE IDs to ICS and medical device vulnerabilities and enables the rapid identification and resolution of issues specific to those environments," said CISA and MITRE. They added, "As the Nation's risk advisor, CISA serves the unique role as a trusted information broker across a diverse set of public and private stakeholders. In this role, CISA fosters increased information sharing to help these stakeholders make more informed decisions to better understand and manage risk from cyber and physical threats."
CISA and MITRE are the only Top-Level Root CNAs, while Japan's JPCERT/CC is a Root CNA. According to MITRE, there are currently 139 CNAs across 24 countries.