CNAs
Organisations authorised to assign CVE identifiers within the MITRE/CISA framework.
Last refreshed: 8 May 2026
- What is a CVE Numbering Authority?
- A CVE Numbering Authority (CNA) is an organisation authorised by MITRE to assign CVE identifiers to software vulnerabilities within a defined scope, such as a vendor's own products or a national CERT's constituency.
- How does an organisation become a CNA?
- Organisations apply to become a CNA through MITRE or an existing CNA-LT sponsor. They must define a clear scope, demonstrate capacity to follow CVE Counting Rules, and pass a review process including test assignments.
- Why is ENISA expanding its CNA programme?
- ENISA is expanding the EU's CNA network to build sovereign vulnerability-identification capacity across member states, reducing reliance on US-managed CVE infrastructure and improving coordination of EU-originated security disclosures.
Background
CVE Numbering Authorities (CNAs) are organisations authorised by MITRE — which operates the CVE programme under CISA funding — to assign CVE identifiers to vulnerabilities within their defined scope. A CNA's scope may cover a vendor's own products, a research community, a national computer emergency response team (CERT), or a third-party coordinating organisation. As of 2026, more than 400 CNAs operate globally. The hierarchy runs from MITRE as the CVE Programme Root, through CNA-LT (CNA of Last Resort) nodes, down to individual CNAs and sub-CNAs. CNA-LT nodes can also onboard and oversee new CNAs within their regional or sectoral scope.
The CNA model was established to distribute the burden of vulnerability identification and assignment, reducing the bottleneck at MITRE. CNAs must follow the CVE Counting Rules and CVE Assignment Rules, and are accountable for the completeness and accuracy of the CVE records they publish. Disputes about scope or assignment can be escalated to the CNA's parent CNA-LT.
In U#3, ENISA (the European Union Agency for Cybersecurity) onboarded four new CNAs under the ENISA Root on 6 May 2026, expanding the EU's national CERT and sectoral coverage. This is part of ENISA's role as a CNA-LT and the EU's broader push to reduce dependency on US-managed vulnerability infrastructure and build out sovereign cyber capacity.