Thursday, February 29, 2024

Review - CISA Publishes KEV Submission 60-day ICR Notice

Today, CISA published a 60-day information collection request notice in the Federal Register (89 FR 14896-14897) for “Actively Exploited Vulnerability Submission Form”. The dedicated form on the CISA website will allow for external reporting of vulnerabilities that the reporting entity believe to be Known Exploited Vulnerabilities (KEV) eligible.

Public Comments

CISA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (; Docket #CISA-2024-0008) comments should be submitted by April 29th, 2024.


There are two things missing from this ICR notice. First is any reference to Binding Operational Directive 22-01 which establishes the purpose of the KEV catalog. Second, and probably more important for public consideration of the ICR for the purposes of comments, is a listing of the criteria that CISA uses to evaluate a vulnerability for consideration of listing in the KEV compatibility.

The more important thing that catches my attention, however, is that CISA is expecting to receive 2,725 submissions each year for proposed for listing in the KEV catalog. With only 1082 currently listed (since 2021) vulnerabilities, CISA looks to be greatly expanding the size of this catalog.


For more details about this ICR notice, see my article at CFSN Detailed Analysis - - subscription required.

No comments:

/* Use this with templates/template-twocol.html */