CVE Board Meeting – 1 April 2020
Members of CVE Board in Attendance
Tod Beardsley, Rapid7
Patrick Emsweller, Cisco Systems, Inc.
Kent Landfield, McAfee
Scott Moore, IBM
Lisa Olson, Microsoft
Shannon Sabens, Trend Micro
Kathleen Noble, Intel
Takayuki Uchiyama, Panasonic Corporation
David Waltermire, National Institute of Standards and Technology (NIST)
Ken Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
Jo Bazar
Christine Deal
Jonathan Evans
Chris Levendis
Lew Loren
Agenda
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 3:00: Working Groups
- Outreach and Communications Working Group (OCWG): Shannon Sabens
- CNA Coordination Working Group (CNACWG): Tod Beardsley
- Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
- Automation Working Group (AWG): Lew Loren
- Strategic Planning Working Group (SPWG): Kent Landfield
3:00 – 3:45: Root CNA Update
- MITRE: Jo Bazar
- JPCERT: Jonathan Evans
- Root CNA Prospects: Jonathan Evans/Jo Bazar
3:45 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
Action Items from Previous Board Meetings

| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 1.23.1 | Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos). | MITRE (Evans) | Completed | MITRE assembled a list of guidance priorities and other areas of the program; the top priorities are: (1) how to submit entries to MITRE using the web form (CNA submission process); (2) CVE ID assignment rules (counting), DRAFT sent for input to CNACWG and OCWG; (3) becoming a CNA, DRAFT sent for input to CNACWG and OCWG; (4) CVE Program (includes Root structure); (5) how to request that the MITRE CNA populate a CVE entry (CNA process); (6) how to create a CVE entry (CNA entry creation). 1/8 update: draft videos uploaded to YouTube; CNACWG and OCWG to provide feedback NLT January 17. 2/5 update: feedback received from CNACWG and OCWG. 2/19 update: videos will be available on YouTube by April 1, 2020. 4/1 update: CNA onboarding videos posted to the CVE website. |
| 10.30.02 | Update RBP threshold policy to include consequences for CNAs with backlogs over the specified threshold. | MITRE (Jonathan E./Jo B.) | In Process | 11/13 update: RBP policy drafted and being reviewed by the CVE team. Policy document will be sent to the CVE Board for awareness. 4/1 update: policy approved by Chris L.; in process of updating the CVE website. |
| 02.19.01 | Identify the industries for active and pipeline CNAs so as to get a complete picture of the CNA profile. | OCWG | In Process | Assigned 2/19/2020. |
| 02.19.04 | Develop a strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020. |
| 3.18.02 | QWG to develop a definition for EOL tagging for presentation to the CVE Board. Once defined, the next step is to document the entire process. | Lisa Olson/Jonathan E. (MITRE) | Not Started | Assigned 3/18/20. |
| 3.18.03 | Send action items from the CVE Global Summit for review/input. Once reviewed, add the action items to the CVE Board meeting minutes. | Jo B. (MITRE) | In Process | 4/1 update: sent CVE Global Summit action items to the CVE Board for review on 3/26; feedback due by 3/31/2020. |
| 3.18.04 | Develop a write-up to send to the CNAs via the CNA mailing list to get their feedback on the JSON 5.0 90-day transition. | Lew L. (MITRE) | In Process | 4/1 update: Lew sent email to the CNA mailing list on 3/30. |
Working Groups

- Outreach and Communications Working Group (OCWG): Shannon Sabens
  - OCWG meeting held on March 27, 2020:
    - CVE Logo roll-out plan: Shannon sent an email to CNAs about CVE logo usage. There are two CNAs using the CVE logo; one is using it internally, and the other is using it on their website.
      - Chris provided an update on the CVE logo trademark; the trademark is expected to be completed within 3 to 4 weeks. Legal is working on the trademarking.
    - CNA Newsletter: The OCWG is developing a newsletter focused on issues/topics of interest to CNAs. The first newsletter is scheduled to be published on June 15. The group also talked about adding a blog on the new website that only CNAs can access.
    - CNA Welcome kit: The OCWG discussed a kit for incoming CNAs that provides what is going on in the program, WG updates, how to join a WG, etc. The CNA newsletter could be used to fulfill this request.
    - CNA Active and Pipeline: The group was tasked with identifying prospective CNAs by region, sector, and industry.
      - Chris explained that focusing on Energy and Communications should be a priority.
      - Shannon explained that getting one of the leaders in a sector is key to getting others in the sector to join the CNA Program (e.g., Tesla).
      - Chris explained the priority will be based on the types of leads. If we have a great lead in the water sector and a not so great lead in the energy sector, we will follow the better lead.
      - The goal of the federated strategy, for the voluntary participants in those sectors, is to mobilize them as they enter the CNA Program and empower them to advocate for the program.
      - Shannon explained some of the leads will be organic, as she has contacts in automotive, finance, and energy that she will be reaching out to.
- CNA Coordination Working Group (CNACWG): Tod Beardsley
  - CNACWG meeting held on March 25, 2020:
    - Kicked off a survey for new meeting times for the new globalized federated program. Survey results are being collected.
    - Documented a CVE ID transfer process from one CNA to another.

- Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
  - QWG meeting held on March 19, 2020:
    - Creating the requirements the AWG needs for the new JSON format
    - Tagging
    - New fields for NVD's needs
    - GitHub's proposal for packaging
    - No decisions were made.
- Automation Working Group (AWG): Lew Loren
  - AWG meeting held on March 30, 2020:
    - 90-day transition period to accommodate the move from the GitHub submission service to the Entry Submission and Upload Service (ESUS). Barring any concerns, the transition period will start at the next planned AWG meeting on April 13. CNAs' concerns about the transition time will be discussed at the April 13 meeting.
      - Lew explained the four phases:
        - Phase 1: Service is available, not connected to the database
        - Phase 2: Same code, connected to the database (dummy data)
        - Phase 3: Deployed in the cloud and connected
        - Phase 4: Tested in the cloud and confirmed working, then connected to the system of record
      - David suggested that the 90-day window start at Phase 4.
      - Lisa Olson explained that for her development team, a non-GitHub service will be less difficult.
      - David suggested clearly documenting the milestones: clarify when the 90-day transition begins and when the other services (ID allocation services) are included in the plan.
      - The group agreed to further discuss and address the concerns at the April 13 AWG meeting.
    - The current version of the JSON 5.0 schema is here.
      - Requirements for schema changes that can be determined at least one month prior to the end of the transition period, and that are not prohibitively difficult to implement, will be incorporated into the 5.0 schema.
      - Requirements that cannot be determined one month prior to the end of the transition period, or that are difficult to implement, will be included in the 5.1 update.
    - Transition plan for the move from GitHub to the Entry Submission and Upload Service developed. Refer to the AWG meeting notes for the detailed plan.
    - Entry Submission and Upload Service (ESUS): It will take about another month before ESUS is code complete.
    - Sprint process: The next two weeks will be used as a dry run of the sprint process for ESUS development. There will be a corresponding dry run of the sprint review in the SPWG meeting on April 13.
- Strategic Planning Working Group (SPWG): Kent Landfield
  - SPWG meeting held on March 30, 2020:
    - Kent explained there was not as much participation last year, so he restructured the meeting to encourage more participation and productivity. Status updates:
      - CVE Board Charter updates in process, to include disbanding or pausing Working Groups.
      - AWG and SPWG working together on the sprint process.
      - Draft CVE EOL process underway, to include CNA scope.
      - NVD submission guidelines: comments received and being discussed.
      - Zoom is on hold until the security issue is resolved.
      - Website development meeting being set up to review the new website with WG chairs.
Root CNA Update

- MITRE: Jo Bazar
  - Received three CNA requests since the last CVE Board meeting (held on 3/18/20).
  - Conducted one onboarding session since the last Board meeting.
  - No CNA onboarding sessions scheduled.
  - CNA Announcements and News
    - No CNA announcements since the last CVE Board meeting.
    - There are now 116 CNAs participating in the program in 21 countries.
    - 87 in the CNA pipeline in total; 7 = Q2, 15 = Q3, 15 = Q4, and 25 = Q1'20 so far.
    - Four pending CNA announcements.
      - 2 CNAs in process of preparing press releases.
      - Draft press release received for CNA1; the press release was reviewed, feedback was provided, and a quote was provided by the CVE Board (thank you Kent).
- JPCERT: Jonathan Evans

- Root CNA Prospects: Jonathan Evans/Jo Bazar
  - R-CNA1 Root update: Jonathan and Jo met with R-CNA1 and reviewed the list of tasks that need to be completed before becoming a Root. The timeline for R-CNA1 to be fully functioning is 90 days.
    - MITRE to develop a timeline for when milestones are to be completed.
    - MITRE set up a meeting with R-CNA1 to discuss the timeline and milestones.
  - CVE Website: On the CNA participants section of the CVE website, update the MITRE entry to include the Secretariat, Root CNA, and Program Root CNA roles.
Action Items from Board Meeting held on 1 April 2020

| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 4.1.01 | Update templates (Word, PowerPoint) with the new CVE logo. | Christine Deal (MITRE) | Not Started | Assigned on 4/1/2020 |
| 4.1.02 | Lew and the development team to develop a more granular set of milestones for the April 13, 2020 AWG meeting. | Lew Loren (MITRE) | Not Started | Assigned on 4/1/2020 |
| 4.1.03 | Lew and Dave to meet to review milestones before the April 13 AWG meeting. | Lew Loren (MITRE) | Not Started | Assigned on 4/1/2020 |
| 4.1.04 | Develop a Non-responsiveness Policy to address CNA1, which continues to be unresponsive. | Jo Bazar (MITRE) | Not Started | Assigned on 4/1/2020 |
| 4.1.05 | Develop milestones and a timeline for R-CNA1 and set up a follow-up meeting in the next two weeks. | Jo Bazar/Jonathan E. (MITRE) | Not Started | Assigned on 4/1/2020 |
| 4.1.06 | Update the CVE website to include Secretariat next to MITRE. | Jo Bazar (MITRE) | Completed | Assigned on 4/1/2020 |
| 4.1.07 | Formalize Council of Roots responsibilities in anticipation of new Roots joining the program. | SPWG | Not Started | Assigned on 4/1/2020 |
Open Discussion: None

Next CVE Board Meeting: Wednesday, April 15, 2020 at 2:00PM EDT