CNAs (plural) and address issue CVEProject#7.
Signed-off-by: Art Manion <zmanion@protonmail.com>
zmanion committed Jan 9, 2025
1 parent f799532 commit e6260f6
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion CNA_Rules.md
Expand Up @@ -435,6 +435,8 @@ CNAs are constrained to assigning CVE IDs to Vulnerabilities within their Scope

4.2.20 To help minimize duplicate assignments, CNAs SHOULD consider coordinating with an appropriate Root or CNA-LR before assigning CVE IDs for Publicly Disclosed Vulnerabilities. See 4.2.1.2 for more specific guidance.

4.2.21 CNAs SHOULD assign the year portion of a CVE ID based on the calendar year in which the vulnerability was first publicly disclosed.

### 4.3 Notification

4.3.1 When a CNA becomes aware of a non-public Vulnerability report, CVE ID request, or CVE ID assignment that is only covered by the Scope Definition of a different CNA, the first CNA SHOULD either refer the reporter or requester to or attempt to notify the appropriate CNA.
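
Review bot: The added 4.2.21 writes "vulnerability" and "publicly disclosed" in lowercase, while 4.2.20 directly above uses the capitalized terms "Publicly Disclosed Vulnerabilities"; if the defined terms are meant, capitalize them so the rule reads "the Vulnerability was first Publicly Disclosed". The rule also does not say which year to use when a CVE ID is assigned before any public disclosure, a case 4.3.1 in the trailing context treats as normal ("non-public Vulnerability report ... or CVE ID assignment"), so consider stating what applies then.
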
Expand Down Expand Up @@ -486,7 +488,7 @@ This section specifies actions related to publishing and managing CVE Records.

4.5.2 Publishing Vulnerability Information

4.5.2.1 CNA MUST publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records. Such information SHOULD meet the public references requirements in [5.3](#53-public-references) and MAY be used as a public reference (see 5.3.1.1).
4.5.2.1 CNAs MUST publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records. Such information SHOULD meet the public references requirements in [5.3](#53-public-references) and MAY be used as a public reference (see 5.3.1.1).

4.5.2.2 Supplier CNAs MUST have at least one distribution point, such as a web site, where the CNA publishes Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records. This Vulnerability information MUST reference appropriate CVE IDs.

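Review bot: The changed 4.5.2.1 now opens with the plural "CNAs MUST publish" but the same sentence still says "for which the CNA has assigned CVE IDs", so the subject and its later reference disagree in number. Either continue in the plural ("for which they have assigned CVE IDs and published CVE Records") or keep the singular with "A CNA MUST"; 4.5.2.2 in the trailing context has the same mix ("Supplier CNAs ... where the CNA publishes") and could be aligned in the same change.
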