At the inception of CVE in 1999, Candidate Naming Authorities (CNAs) were introduced as entities that could assist identifying and naming vulnerabilities. First a 'problem' was identified as a candidate - potential vulnerability - and given the prefix CAN e.g. CAN-1999-0345. This step could be done by a CNA.

For a candidate to become a published vulnerability, the CVE Board had to discuss, review, and vote on whether a candidate was a vulnerability (something done for every candidate). If the Board agreed, a candidate was given CVE status and the prefix changed accordingly, so CAN-1999-0345 became CVE-1999-0345. The final step of populating the CVE ID on the master, published list controlled by CVE, was done solely by CVE.

'Discussing, reviewing, and voting' on each candidate was a drawn out process and, as the number of vulnerabilities grew with each passing year, it became harder for CVE to handle the workload on its own. In 2016, CVE implemented process improvements and one of these was a 'new look' CNA program, where CNAs were renamed "CVE Numbering Authorities" (still CNA) and allowed to assign CVE IDs.