10:35-10:55: Review of Action items (see attached Excel file)
See attached Excel spreadsheet (CVE Board Meeting 2Dec20 – Agenda and Action items)
- CISA went live as a Top-Level Root CNA on September 15, but the timeline for creating the CISA ICS Root started on September 9 when CISA briefed all the potential candidates about their plan to become a Root CNA. At that time, 7 organizations joined CISA ICS Root: Alias Robotics, ABB, Gallagher Group, Siemens, Robert Bosch, CERT VDE, and Johnson Controls.
- Since September 15, two onboarding sessions have been conducted. Twelve additional organizations have been identified to recruit. CISA has held two recruitment calls, which went well; however, due to some personnel changes with the prospects, it will take time to build a relationship before an actual onboarding process can begin.
- CISA ICS Root is in the process of developing internal repeatable processes for the recruitment of CNAs. The processes include:
  - Developing a readiness index for assessing organizations who may be approached to become CNAs. This index will evaluate several factors that qualify or disqualify a candidate.
  - Partnering with the CISA Industry outreach team to identify relationships and fill any gaps in contacting organizations.
  - Developing templates to streamline electronic communication that is trackable.
  - Creating an agenda for virtual introductions and eventual recruitment meetings.
- Other initiatives underway include developing a plan to target potential CNAs and market the CVE Program through brief presentations at specialized monthly Information Sharing and Analysis Center (ISAC) meetings. In addition, CISA ICS is working with External Affairs to develop a plan for announcing newly onboarded CNAs and finalizing a briefing to be recorded on how to become a Root CNA that could potentially be translated into other languages.
CVE Logo Usage (Shannon Sabens, OCWG Co-Chair):
- The OCWG presented the new CVE logo rollout plan to the CVE Board. The new CVE logo is still pending trademark; however, according to the MITRE legal team, there is minimal risk in using the logo now. The OCWG proposed that the old CVE Website, the new CVE Website for the April 1 launch, any new materials from this point forward, existing material that will be carried over to the new website, and all existing communications channels (Twitter, LinkedIn, Medium, YouTube, etc.) be updated with the new CVE logo.
- The group agreed that on December 1, the new CVE logo will be rolled out as proposed by the OCWG.
CVE Board Schedule and alternating times:
- The group discussed having the CVE Board meeting at alternating times to allow for more participation and ultimately decided that beginning with the first meeting in January 2021 (January 6), the meeting time will alternate between 9:00 am-11:00 am (EST) and 2:00 pm-4:00 pm (EST).
Meeting Schedule:
Working Group Updates:
OCWG:
- The OCWG has blog posts lined up through March 2021 but is always looking for more volunteers for blogs. The first podcast recording is scheduled for the first week in December; the topic will be "the difference between NIST NVD, CISA, and MITRE and how they work together," and representatives from each organization will be on the podcast.
CNACWG:
- Working on the next virtual event, a readout (3 hours) of the Working Group updates, which will be scheduled in January 2021. A Doodle Poll will be sent to the CNA discussion list to find the best time.
- Also, they are in the process of reviewing the CNA onboarding materials for any needed updates related to CVE terminology changes. Enrique Gonzalez from ZDI has offered to translate the CNA Onboarding slides into Spanish.
- CNACWG Chair elections are underway and should be wrapped up at the November 18 CNACWG Meeting. There has been one nomination: Tod Beardsley.
- The Secretariat will be sending out nominations for the CNA Liaison position on the CVE Board; nominations will be accepted through December 4.
AWG:
- Result of Community Testing: The Secretariat has completed End User Testing (and light penetration testing) and is in the process of Performance Testing. IDR is available for penetration testing by the community as of November 16. The AWG/Secretariat has an action to notify the CNA community of the opportunity to perform penetration testing. The goal for completing community IDR penetration testing is December 8. There was a concern that not enough community testing could be completed by December 8; however, there was no consensus to extend that date. At the December 16 CVE Board meeting, the board will consider the results of the community penetration testing effort and determine the impact on the IDR deployment schedule.
- Rollout Plan: The group adopted the soft rollout of IDR proposed by the AWG. Listed below is the AWG proposal:
  - Credentials will be released to CNAs in a phased approach over the course of weeks.
  - Block requests will be honored, but we would encourage CNAs to minimize their block requests to what they would need for a quarter (i.e., 1QT CY2021).
  - Starting in April 2021, we would heavily encourage use of the IDR.
SPWG:
- There are multiple projects underway:
  - The Working Group Operations guide is underway, and a draft is expected to be ready by the end of November.
  - The Root CNA Onboarding artifacts will be presented in early December. This presentation will allow the SPWG to understand the onboarding process developed so far, based on two use cases.
  - The CNA unresponsive policy is drafted and now with the SPWG. Although the document has a narrow focus of identifying CNA response times to requests from their Root CNA, there are other CNA response times that will need to be identified and discussed.
  - The CNA Rules revision updates will include updating the document with new verbiage (e.g., CVE Terminology), EOL inconsistencies, duplications, tagging, and some rules are being updated for clarification. Some of the rules will be dependent on the automation of the services.
  - Low to moderate vulnerabilities and how they should be dealt with moving forward: Microsoft has presented their process (implemented in 2018) for handling low to moderate vulnerabilities and is not the only CNA using this approach. Metrics are being gathered to understand the volume of this problem. This discussion is ongoing.
- The CVE Board meeting recordings archives are in transition to a new platform. Once the new platform is ready, the board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ().