Patrick Pilotte
Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA) unveiled a set of core priorities that will guide the Common Vulnerabilities and Exposures (CVE) Program in the years ahead. The new objectives represent a significant departure from the Program’s focus on growth, to one that drives quality with respect to data, partnerships, administration, and communications.
Below, we provide some background information on the CVE Program, and highlight the key changes in its overall vision. We also provide insight and comment from Devolutions’ Operations Security Specialist.
About the CVE Program
Launched in 1999, the CVE Program — which is funded by CISA and administered by the MITRE Corporation — has evolved into the global standard for identifying, defining, cataloging, and publicly disclosing cybersecurity vulnerabilities.
A major component of the program is an extensive worldwide network of CVE Numbering Authorities (CNAs). These select organizations are sanctioned to assign unique identifiers to newly-discovered vulnerabilities, and publish information about them to the CVE List as an official CVE record.
We are proud to note that in 2021 Devolutions was authorized by the CVE Program as a CNA for our Remote Desktop Manager and Devolutions Server products.
From growth to quality
The last decade has been hailed as the CVE Program’s “growth era,” during which the initiative greatly increased its global impact and influence. This period also saw the number of CNAs surge from dozens to more than 460 at present.
Now, CISA has signaled that the CVE Program’s road ahead will be characterized by a focus on quality. The proposed commitments and hallmarks of the ambitious new “quality era” include:
- Expansion of Community Partnerships: CISA will leverage partnerships to establish better representation of international organizations and governments; academia; vulnerability tool providers; data consumers; security researchers; operational technology; and open-source communities.
- Government Sponsorship: CISA recognizes that the CVE program is a critical public good that requires ongoing investment, while at the same time maintains neutrality to avoid bias (actual or perceived). As such, CISA will focus on evaluating potential mechanisms for diversified funding that meets these expectations and standards.
- Modernization: CISA is committed to accelerating the implementation of technological improvements such as automation to improve CNA services, expand API support to downstream data consumers, and enhance CVE.org.
- Transparency and Communications: CISA will continue to actively solicit and adopt community feedback into the CVE Program, and regularly communicate milestones and metrics to all stakeholders as appropriate.
- Data Quality Improvements: CISA will collaborate with industry and international governments to create a new standardization including federated mechanisms to scale vulnerability data enrichment, and expand the Authorized Data Publisher (ADP) capability.
- Improvements in CNA of Last Resort (LR): CISA will prioritize improvements in transparency, visibility, responsiveness, and data enrichment across all CVE Records. This will occur in conjunction with a focus on promoting CVE Program federation in the form of CNA community growth.
Insight & advice from our security team:
Devolutions has always prioritized mature security and vulnerability management, as demonstrated by achieving SOC 2 Type II and SOC 3 certifications, winning several Global InfoSec Awards, diligently carrying out our responsibilities as a CVE Program CNA, and many other accomplishments and milestones that are documented in our Trust Center.
We are pleased to see that the CVE Program is pledging to improve quality across multiple levels. If this vision is effectively and faithfully carried out in the years to come, then it will further solidify the CVE Program as the standard for transparency, coordination, and effective vulnerability management across the world.
Specifically, we hope to see some major improvements in speed and consistency when it comes to assigning and publishing CVE records. This is especially crucial as more organizations rely on SaaS and cloud environments, where vulnerabilities can have widespread impact. Stronger collaboration between CNAs, vendors, and researchers will also be key to making the CVE Program even more effective for organizations of all sizes, including SMBs that often lack dedicated security resources.
We believe that this proposed evolution of the CVE program is a positive step forward for the entire cybersecurity community. At Devolutions, we remain committed to doing our part as a CNA, and contributing to a safer digital ecosystem for all.
