On the May 29th Board call, the CISA ADP pilot was discussed. Background
information provided during the call allowed the Board to authorize the
Strategic Planning Working Group (SPWG) to decide on the status of
transitioning the pilot to a production capability for the CVE program. The
SPWG met later that afternoon to finalize this decision.


In a previous discussion, the SPWG had questions about the performance and
impact on CVE services, which needed validation before deciding. Kris
Britton and MITRE worked with CISA staff to ensure that CISA ADP updates
would not adversely affect CVE operations. It was confirmed during both the
Board and SPWG calls that there were no performance issues. From the
Secretariat’s perspective, the CISA ADP pilot is ready to transition to the
production database.

There was also a discussion on how CISA updates would handle Vulnrichment
data if the original CNA later updated the record with missing information.
The outcome is as follows:


*A Note About Updated CVE Entries:*

*Since the CISA ADP is committed to encouraging CNAs to “Do The Right
Thing” and provide their own CWE, CVSS, and CPE metrics, if a CVE entry is
updated to include those metrics after the CISA ADP has made their
assessment, the CISA ADP will drop/remove its own assessments from the CVE
entry. This approach will reduce duplicate (and conflicting) data within
the CVE record. In the rare event that there is a CWE, CVSS, or CPE string
provided by the originating CNA and the CISA ADP, this should be treated as
an error in the CISA ADP container -- the originating CNA's data should
take precedence for any decision making.*

*In this case, SSVC and KEV data will still be included.*

The SSVC is for every record, KEV is for CVEs with exploits or POCs
available, and Vulnrichment updates are for CVEs that meet specific threat
characteristics. Future changes in CISA processing may address discovered
issues. CISA expects to be able to have the capability to update all past
records. However, the determination to do so will be on a case-by-case
basis.

*Decision of the SPWG:* *The SPWG decided to move forward with making the
CISA ADP pilot a production capability.*


Eighteen attendees participated in the SPWG call.


The flow of the transition to production is as follows:

   1. The Secretariat staff will halt global access to the CVE database.
   2. A snapshot of the CVE data will be taken to ensure rollback
   capabilities if needed.
   3. Access to the CVE database will be enabled only for CISA using IP
   filtering.
   4. CISA will update the CVE data with SSVC, KEV, and the existing 7000+
   Vulnrichment records.
   5. When completed, CISA and the Secretariat staff will perform a cursory
   examination to ensure proper updates.
   6. Once verified, IP filtering will be removed, and CVE Services will be
   enabled for all.


CISA and MITRE will have a preparation call to ensure readiness, covering
credentialing, IP filtering, and execution schedules. Kris Britton is
scheduling this call for Thursday.


The transition from pilot to production will occur on Tuesday, June 4th,
with corresponding updates on the CVE.org website posted that day as well.

This is a major milestone for the CVE program. Congratulations to all
that made this capability possible.


Kent Landfield

Chair, CVE SPWG
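As an added illustration of the precedence rule in the note above (example code written for this page, not part of the message or of CISA's or MITRE's tooling): a record consumer that flags CWE, CVSS or CPE data supplied by both the originating CNA and the CISA ADP, lets the CNA data win, and keeps the ADP's SSVC and KEV entries. The record is constructed; its field layout follows the CVE JSON 5.x container format and the "CISA-ADP" provider short name is an assumption.

```python
import copy

# Constructed sample record; field layout follows CVE JSON 5.x containers (an assumption here).
SAMPLE_RECORD = {"containers": {
    "cna": {
        "metrics": [{"cvssV3_1": {"baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "XSS"}]}],
        "affected": [{"vendor": "example", "product": "app", "cpes": ["cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"]}],
    },
    "adp": [{
        "providerMetadata": {"shortName": "CISA-ADP"},
        "metrics": [
            {"cvssV3_1": {"baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
            {"other": {"type": "ssvc", "content": {"options": [{"Exploitation": "poc"}]}}},
            {"other": {"type": "kev", "content": {"dateAdded": "2024-06-01"}}},
        ],
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20"}]}],
        "affected": [{"vendor": "example", "product": "app", "cpes": ["cpe:2.3:a:example:app:*:*:*:*:*:*:*:*"]}],
    }],
}}
FIELDS = ("cvss", "cwe", "cpe")

def has_field(container, field):
    """True if a CNA or ADP container carries data for the given enrichment field."""
    if field == "cvss":
        return any(k.startswith("cvss") for m in container.get("metrics", []) for k in m)
    if field == "cwe":
        return any(d.get("cweId") for p in container.get("problemTypes", []) for d in p.get("descriptions", []))
    return any(a.get("cpes") for a in container.get("affected", []))

def cisa_adp_containers(record, short_name="CISA-ADP"):
    """ADP containers published by CISA (the provider short name is an assumption)."""
    return [a for a in record["containers"].get("adp", []) if a.get("providerMetadata", {}).get("shortName") == short_name]

def find_conflicts(record):
    """Fields supplied by both the CNA and the CISA ADP: per the note, an error in the ADP container."""
    cna = record["containers"]["cna"]
    return [f for f in FIELDS if has_field(cna, f) and any(has_field(a, f) for a in cisa_adp_containers(record))]

def apply_precedence(record):
    """Copy of the record with CNA data taking precedence; 'other' metrics (SSVC, KEV) are untouched."""
    out = copy.deepcopy(record)
    cna = out["containers"]["cna"]
    for adp in cisa_adp_containers(out):
        if has_field(cna, "cvss"):  # keep only the non-CVSS metric entries (ssvc, kev)
            adp["metrics"] = [m for m in adp.get("metrics", []) if not any(k.startswith("cvss") for k in m)]
        for field, key in (("cwe", "problemTypes"), ("cpe", "affected")):
            if has_field(cna, field):
                adp.pop(key, None)
    return out
```

Running `find_conflicts` before and after `apply_precedence` shows the three duplicated fields disappearing while the SSVC and KEV entries survive.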
