09:35-10:55: Review of Action items (see attached Excel file)

See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 9Jun21 – Agenda and Action items)

§ Update on STIX Authoritative Object – Chris Levendis
  o Can the CVE Program come up with its own messaging for STIX? STIX is present in the Vulnerability Management space, and the messaging would be a feed that would be available to the public. The messaging would be authorized by the CVE Program and for use by CNAs. This would benefit the community CVE Program, as we are the authoritative source for the community. The STIX Working Group can help with coding for this effort, since CVE Services is a priority for the AWG until later this year.
  o Kris explained that adding more requirements will delay the rollout of CVE Services in Fall 2021.
  o The Board agreed messaging for authoritative objects for STIX is worth looking into.

§ Update on Trademark Application – Chris Levendis
  o The CVE Trademark application is moving through the process and is now in the review status. The final review and approval is expected to occur within 90 days.
  o In the June 7 meeting, the AWG made a deployment recommendation to the SPWG regarding CVE Services 1.1.0.
    § Largely backwards compatible with CVE Services 1.0.1
    § Implements new functions/endpoints that will be available to the CNA community (Initial User Registry functions)
    § Implements "private" functions/endpoints that will be available only to the Secretariat to advance the Record Submission and Upload (RSUS) functional development
  o The SPWG agreed verbally with the AWG recommendation to deploy CVE Services 1.1.0.
  o The CNA Community will be informed today of the deployment scheduled; a second message will be sent informing of any outages during this time and will be posted on the CVE Website. Additional messages will be sent out regarding when the systems will be up and down.
  o Concerns about a lack of communications plans for the CVE Services to the CNA Community were expressed. For example, IDR has been deployed for 6 months and only 40% of CNAs have requested IDR credentials, and CNAs have a choice (sign up for IDR or CVE Webform) when they join the CNA program and can still reserve CVE ID blocks.
  o Kent recommended that the Board develop a policy that new CNAs must use IDR and no longer allow blocks of CVE ID reservations. Discussion points:
    § Functionality to the CVE Website needs to be in place before a policy can be enforced; in the meantime, only allow CNAs to reserve a quarter's worth of IDs.
    § AWG has the action to develop instructional materials for IDR. The resources to develop these materials need to be understood.
    § Have a CNA, like Red Hat, record a Webinar to help explain setting up the IDR client. The Webinar would be available on the CVE YouTube channel.
  o MITRE Top-Level Root provided a status update: INCIBE is on schedule to be a Root by the end of June.
    § CNA: Vulnerability assignment related to its vulnerability coordination role for Industrial Control Systems (ICS), Information Technologies (IT), and Internet of Things (IoT) systems issues at the national level. Vulnerabilities reported to INCIBE by Spanish organizations and researchers that are not in another CNA's scope.
    § INCIBE press release is drafted and reviewed by OCWG and Kent L. provided a quote.
    § CVE Program INCIBE Press release drafted and being reviewed by OCWG (Content Sub-Working Group)
    § The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to CVE Program Secretariat ().