HomeIntelligenceBrief
BREACH BRIEF⚪ Informational Advisory

CISA Opens KEV Nomination Form, Allowing Researchers and Vendors to Report Actively Exploited Vulnerabilities

CISA has introduced a public nomination form that enables researchers, vendors, and industry partners to submit known‑exploited vulnerabilities for inclusion in its KEV catalog. The move aims to accelerate the identification and dissemination of critical threat information, reducing risk for organizations that rely on vulnerable software.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 helpnetsecurity.com
Severity
Informational
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
helpnetsecurity.com

CISA Opens KEV Nomination Form, Allowing Researchers and Vendors to Report Actively Exploited Vulnerabilities

What Happened — The Cybersecurity and Infrastructure Security Agency (CISA) launched a public nomination form that lets security researchers, vendors, and industry partners submit known‑exploited vulnerabilities (KEVs) for possible inclusion in its KEV catalog. Email submissions remain available for those who prefer the traditional route.

Why It Matters for TPRM

  • Early visibility into actively exploited CVEs helps third‑party risk teams prioritize patching of critical components.
  • Direct reporting reduces the lag between exploitation and catalog inclusion, shrinking the window of exposure for downstream supply‑chain partners.
  • A more current KEV list supports continuous monitoring programs and improves vendor risk assessments.

Who Is Affected — Government agencies, SaaS providers, MSPs, and any organization that consumes software or services listed in CISA’s KEV catalog.

Recommended Actions

  • Review your asset inventory against the KEV catalog and flag any listed components.
  • Accelerate remediation timelines for KEVs identified in your environment.
  • Incorporate the KEV nomination form into your vulnerability disclosure workflow to contribute intelligence and stay informed.

Technical Notes — The new form requires an assigned CVE, confirmed exploitation, and remediation guidance before a vulnerability can be added to the KEV list. No specific CVE is disclosed in this announcement. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/22/cisa-kev-nomination-form/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →