Yesterday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a new information collection request (ICR) from CISA on “CISA Coordinated Vulnerability Disclosure (CVD) Platform”. The 60-day ICR notice was published on October 30th, 2024. The 30-day ICR notice was published on August 20th, 2025.
The Supporting Document CISA submitted to OIRA as part of this ICR approval process noted that:
“CISA is also authorized to carry out these Coordinated Vulnerability Disclosure (CVD) functions by 6 U.S.C. 659(n) on Coordinated Vulnerability Disclosure, which authorizes CISA to in coordination with industry and other stakeholders, may develop and adhere to DHS policies and procedures for coordinating vulnerability disclosures.”
It also notes that:
“The intent of this form is to allow the public to provide information for exploited vulnerabilities that are not in the CISA Coordinated Vulnerability Disclosure (CVD) system. The submitted information will be evaluated by CISA and if CVD requirements are met, then the vulnerability would be CVD eligible. By expanding CVD, those who are required, and those who utilize the CVD system, are alerted to new additions. This allows for greater knowledge and visibility of exploited vulnerabilities and allows for enhanced vulnerability management.”
The table below shows the approved burden estimate for the ICR.
This ICR approves the use of two online information collections:
VINCE.pdf, and
CERT Vulnerability Notes Database.pdf
Posts
No comments:
Post a Comment