Today, CISA published a 60-day information collection request (ICR) notice in the Federal Register (89 FR 14896-14897) for the “Actively Exploited Vulnerability Submission Form”. The dedicated form on the CISA website will allow for external reporting of vulnerabilities that the reporting entity believes to be Known Exploited Vulnerabilities (KEV) eligible.
Public Comments
CISA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #CISA-2024-0008). Comments should be submitted by April 29th, 2024.
Commentary
There are two things missing from this ICR notice. First is any reference to Binding Operational Directive 22-01, which establishes the purpose of the KEV catalog. Second, and probably more important for public consideration of the ICR for the purposes of comments, is a listing of the criteria that CISA uses to evaluate a vulnerability for consideration of listing in the KEV catalog.
The more important thing that catches my attention, however, is that CISA is expecting to receive 2,725 submissions each year proposed for listing in the KEV catalog. With only 1082 vulnerabilities currently listed (since 2021), CISA looks to be greatly expanding the size of this catalog.
For more details about this ICR notice, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-kev-submission-60 - subscription required.