CISA's 11-Month Extension Ensures Continuity of MITRE's CVE Program

The fate of a 25-year-old cybersecurity program that has been a cornerstone of global security for decades hung in the balance as its funding was set to expire on April 16, 2025. The Cybersecurity and Infrastructure Security Agency (CISA) has extended MITRE's CVE program contract by an additional 11 months, ensuring continuity of this critical vulnerability tracking resource.

MITRE's U.S.-funded CVE program is a vital tool for cataloging public security vulnerabilities and has assigned over 274,000 CVE IDs to date. The program relies on a network of CVE Numbering Authorities (CNAs), which include major technology companies, research organizations, and government agencies. These CNAs are responsible for assigning CVE IDs to vulnerabilities discovered in their respective domains, providing timely and accurate documentation of security issues.

Yosry Barsoum, MITRE's vice president and director of the Center for Securing the Homeland (CSH), warned that a service disruption could have significant impacts on vulnerability databases, tools, incident response, and critical infrastructure. "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum said.

Barsoum's warning came as the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs was set to expire on April 16, 2025. However, in a move that has alleviated concerns, CISA extended MITRE's CVE program contract just before its expiration, ensuring uninterrupted vulnerability tracking for at least another 11 months.

According to CISA, the CVE Program is "invaluable to the cyber community and a priority of our agency." The extension of MITRE's contract is seen as a major victory for the CVE program, which has been a cornerstone of global security for decades. The formation of the CVE Foundation has also marked an important step towards eliminating a single point of failure in the vulnerability management ecosystem.

"The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative," said the CVE Foundation. "For the international cybersecurity community, this move represents an opportunity to establish governance that reflects the global nature of today's threat landscape."

The extension of MITRE's CVE program contract is a testament to the importance of continued investment in global cybersecurity resources. As the threat landscape continues to evolve, it is essential that programs like CVE remain robust and reliable.