Kent,

Thanks for the update. Question, how long will access to the CVE database be disabled?

Pete

On Wed, May 29, 2024 at 9:13 PM Kent Landfield <bitwatc...@gmail.com> wrote:

> On the May 29th Board call, the CISA ADP pilot was discussed. Background information provided during the call allowed the Board to authorize the Strategic Planning Working Group (SPWG) to decide on the status of transitioning the pilot to a production capability for the CVE program. The SPWG met later that afternoon to finalize this decision.
>
> In a previous discussion, the SPWG had questions about the performance and impact on CVE services, which needed validation before deciding. Kris Britton and MITRE worked with CISA staff to ensure that CISA ADP updates would not adversely affect CVE operations. It was confirmed during both the Board and SPWG calls that there were no performance issues. From the Secretariat’s perspective, the CISA ADP pilot is ready to transition to the production database.
>
> There was also a discussion on how CISA updates would handle Vulnrichment data if the original CNA later updated the record with missing information. The outcome is as follows:
>
> *A Note About Updated CVE Entries:*
>
> *Since the CISA ADP is committed to encouraging CNAs to “Do The Right Thing” and provide their own CWE, CVSS, and CPE metrics, if a CVE entry is updated to include those metrics after the CISA ADP has made their assessment, the CISA ADP will drop/remove its own assessments from the CVE entry. This approach will reduce duplicate (and conflicting) data within the CVE record. In the rare event that there is a CWE, CVSS, or CPE string provided by the originating CNA and the CISA ADP, this should be treated as an error in the CISA ADP container -- the originating CNA's data should take precedence for any decision making.*
>
> *In this case, SSVC and KEV data will still be included.*
>
> The SSVC is for every record, KEV is for CVEs with exploits or POCs available, and Vulnrichment updates are for CVEs that meet specific threat characteristics. Future changes in CISA processing may address discovered issues. CISA expects to be able to have the capability to update all past records. However, the determination to do so will be on a case-by-case basis.
>
> *Decision of the SPWG:* *The SPWG decided to move forward with making the CISA ADP pilot a production capability.*
>
> Eighteen attendees participated in the SPWG call.
>
> The flow of the transition to production is as follows:
>
> 1. The Secretariat staff will halt global access to the CVE database.
> 2. A snapshot of the CVE data will be taken to ensure rollback capabilities if needed.
> 3. Access to the CVE database will be enabled only for CISA using IP filtering.
> 4. CISA will update the CVE data with SSVC, KEV, and the existing 7000+ Vulnrichment records.
> 5. When completed, CISA and the Secretariat staff will perform a cursory examination to ensure proper updates.
> 6. Once verified, IP filtering will be removed, and CVE Services will be enabled for all.
>
> CISA and MITRE will have a preparation call to ensure readiness, covering credentialing, IP filtering, and execution schedules. Kris Britton is scheduling this call for Thursday.
>
> The transition from pilot to production will occur on Tuesday, June 4th, with corresponding updates on the CVE.org website posted that day as well.
>
> This is a major milestone for the CVE program. Congratulations to all that made this capability possible.
>
> Kent Landfield
>
> Chair, CVE SPWG