CISA Opens KEV Nomination Form, Allowing Researchers and Vendors to Report Actively Exploited Vulnerabilities
What Happened — The Cybersecurity and Infrastructure Security Agency (CISA) launched a public nomination form that lets security researchers, vendors, and industry partners submit known‑exploited vulnerabilities (KEVs) for possible inclusion in its KEV catalog. Email submissions remain available for those who prefer the traditional route.
Why It Matters for TPRM —
- Early visibility into actively exploited CVEs helps third‑party risk teams prioritize patching of critical components.
- Direct reporting reduces the lag between exploitation and catalog inclusion, shrinking the window of exposure for downstream supply‑chain partners.
- A more current KEV list supports continuous monitoring programs and improves vendor risk assessments.
Who Is Affected — Government agencies, SaaS providers, MSPs, and any organization that consumes software or services listed in CISA’s KEV catalog.
Recommended Actions —
- Review your asset inventory against the KEV catalog and flag any listed components.
- Accelerate remediation timelines for KEVs identified in your environment.
- Incorporate the KEV nomination form into your vulnerability disclosure workflow to contribute intelligence and stay informed.
Technical Notes — The new form requires an assigned CVE, confirmed exploitation, and remediation guidance before a vulnerability can be added to the KEV list. No specific CVE is disclosed in this announcement. Source: Help Net Security