FAQ

FAQ : #CISA

CISA (Cybersecurity and Infrastructure Security Agency) is a U.S. government agency. It is responsible for protecting the critical infrastructure of the United States against cyber and physical threats, by providing support, tools, and recommendations to administrations, businesses, and the public.

In the cybersecurity field, CISA acts as a coordination center to prevent cyberattacks, respond to incidents, share threat information, and promote best security practices. Although based in the U.S., its role and resources influence cybersecurity practices worldwide, thanks to its transparency and leadership.

#CISA

CISA plays a central role in managing vulnerabilities on a large scale. It identifies, evaluates, and actively communicates about security flaws that could impact critical infrastructure, including government services, essential service operators, and large enterprises. It often collaborates with MITRE, software vendors, security researchers, and other international agencies.

Among its responsibilities, it publishes security bulletins, coordinates responses to major vulnerabilities, and sometimes mandates remediation deadlines for certain flaws in public entities through federal directives (Binding Operational Directives, BODs). Its goal is to reduce the time between the discovery of a vulnerability and its effective mitigation in the field.

#CISA

The KEV (Known Exploited Vulnerabilities) list published by CISA identifies vulnerabilities that are actively exploited in the wild, meaning they are already being used in real-world cyberattacks. The purpose of this list is to help organizations prioritize their remediation efforts by focusing on the flaws that present an immediate threat.

By publishing this list, CISA provides a very practical risk management tool: it highlights not only known flaws, but also the most critical and urgent ones. For U.S. federal agencies, remediation of these flaws is mandatory within strict deadlines. Beyond the U.S., the KEV list is widely consulted by cybersecurity professionals worldwide to guide their patch management strategies.

#CISA #KEV

CVE identifiers are assigned by a U.S. non-profit organization called the MITRE Corporation, which manages the CVE program on behalf of the Cybersecurity and Infrastructure Security Agency (CISA). MITRE does not assign all identifiers itself: it relies on a network of partners known as CNAs (CVE Numbering Authorities).

A CNA can be a software vendor, a security provider, a CERT, or an organization specializing in vulnerabilities. Each CNA is authorized to assign CVE identifiers for vulnerabilities discovered in its own products or scope. This system speeds up the disclosure process while maintaining a centralized structure via MITRE.

#CVE #CISA #CNA #MITRE

A CVE is simply a public declaration that a flaw exists in a given product, whereas an exploited vulnerability means that an attacker is actively using that flaw to compromise systems. In other words, not all CVEs are exploited in real-world conditions; some remain theoretical or purely technical.

Conversely, a vulnerability can be exploited without yet having received a CVE; this is known as a zero-day. To assess the real danger of a CVE, one should consult additional information such as CISA’s KEV data (which records whether the flaw is actively used in cyberattacks) or the EPSS score (which estimates how likely exploitation is). This information is available directly on our CVEFind website.

#CVE #CISA #KEV #Zero-day
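The prioritization described above, ranking findings by KEV membership (with its remediation due dates) before EPSS score, as an added example that is not code from CVEFind or CISA; the KEV entries and EPSS values are constructed sample data, and the field names assume the shape of CISA's public KEV JSON catalog:

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's public KEV catalog JSON
# (field names as in the real feed; CVE ids and dates are sample values).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
   "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
   "dateAdded": "2025-02-01", "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed EPSS probabilities (0..1) keyed by CVE id, as an EPSS lookup would return them.
EPSS = {"CVE-2099-0001": 0.91, "CVE-2099-0002": 0.12,
        "CVE-2099-0003": 0.67, "CVE-2099-0004": 0.01}


def load_kev(raw):
    """Map cveID -> KEV entry from a KEV catalog JSON document."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def prioritize(found_cves, kev, epss, today_iso):
    """Order scanner findings: KEV entries first (overdue before upcoming, earliest
    dueDate first), then everything else by descending EPSS.
    Returns a list of (cve, tier, detail) tuples."""
    today = date.fromisoformat(today_iso)
    rank = {"KEV-overdue": 0, "KEV": 1, "not-in-KEV": 2}
    rows = []
    for cve in found_cves:
        score = epss.get(cve, 0.0)  # unknown to EPSS: treat as lowest probability
        entry = kev.get(cve)
        if entry:
            due = entry["dueDate"]
            tier = "KEV-overdue" if date.fromisoformat(due) < today else "KEV"
            detail = f"due {due}, ransomware={entry['knownRansomwareCampaignUse']}, epss={score:.2f}"
        else:
            due, tier, detail = "", "not-in-KEV", f"epss={score:.2f}"
        rows.append((cve, tier, detail, (rank[tier], due, -score)))
    return [(cve, tier, detail) for cve, tier, detail, _ in sorted(rows, key=lambda r: r[3])]


if __name__ == "__main__":
    findings = ["CVE-2099-0004", "CVE-2099-0002", "CVE-2099-0003", "CVE-2099-0001"]
    for cve, tier, detail in prioritize(findings, load_kev(KEV_JSON), EPSS, "2025-02-10"):
        print(f"{tier:12} {cve}  {detail}")
```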
