INCIBE will be the only Spanish government organization responsible for the designation and disclosure of vulnerabilities on an international level

Has been authorized to perform the responsibilities of a CVE Number Authority (CNA) Program, which is sponsored by the Cybersecurity and Infrastructure Security Agency, of the U.S. Department of Homeland Security


The Spanish National Cybersecurity Institute (INCIBE), entity under the Ministry Economic Affairs and Digital Transformation, has been appointed a CVE Numbering Authority (CNA)

CNA program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), of the United States Department of Homeland Security (DHS). As CNA, INCIBE will become the only reference in Spain for the Assignment of CVE IDs in the field of Information Technologies, industrial systems and Internet of Things (IoT) devices.

Vulnerabilities are weaknesses in a device's computational logic, located in software and hardware components. If these vulnerabilities are exploited they would have a negative impact on the confidentiality, integrity, or availability of those computers and the information they contain.

Rosa Díaz, Corporate General Manager of INCIBE, highlighted "the importance of coordination and collaboration, both national and international, with competent agents in this field, essential for sharing information and helping to improve industrial systems".

As CNA, the only Spanish organization competent for the designation of the standard CVE identifier for vulnerabilities existing on a particular device affecting its sector and activity, INCIBE will be responsible for the study, management, documentation, public allocation and disclosure of such vulnerabilities, co-ordination with other agents in this area.

CVE (Common Vulnerabilities and Exposures) is the unique, common identifiers for publicly known security vulnerabilities. This program is de facto international standard for identifying and naming cybersecurity vulnerabilities.  When a problem is discovered on those devices, it analyzes whether the error has been discovered previously and, if not, is assigned an identifier.

“INCIBE rightfully recognizes the value of international cybersecurity coordination for mutual cyber resilience. I personally laud their team commitment to protecting IoT devices especially across the Spanish government and commercial infrastructures. We welcome INCIBE to the global CNA team“ said Scott Lawler, CEO LP3 and CVE Board Member.

In addition, together with the organizations responsible for the products affected by these vulnerabilities, INCIBE will be responsible for assisting in the mitigation of the detected security issue, publishing the corresponding updates and patches to resolve the incident.

INCIBE will follow five basic steps in the coordination process, provided that one of the agents involved has notified it of a potential vulnerability: collection, analysis, coordination, mitigation and dissemination. More information CVE Assignment and publication.