The Cybersecurity and Infrastructure Security Agency extended its contract for the MITRE-backed Common Vulnerabilities and Exposures Program late Tuesday night, following industry alarm sparked earlier in the day when the non-profit warned of an imminent end to federal backing for the cornerstone cybersecurity program that is relied on worldwide.
MITRE confirmed Tuesday that the government funding needed to develop, operate and maintain its flagship vulnerability cataloging program would lapse Wednesday. Used extensively across sectors — from private industry to national intelligence agencies — the CVE Program has served for 25 years as the de facto global standard for classifying cybersecurity vulnerabilities.
In a Wednesday morning statement, a CISA spokesperson said the contract is “invaluable” to the cybersecurity community and an agency priority.
“Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience,” the spokesperson said, noting that the extension is for 11 months.
The CVE Program provides a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. Each vulnerability is assigned a unique identifier, designed to help security researchers, vendors and officials communicate consistently about the same issue. Agencies like CISA regularly issue vulnerability alerts using CVE-standardized language.
CISA’s announcement of the Tuesday night extension came just hours after a subset of the CVE Board said it plans to break off to maintain the program under a new body called the CVE Foundation.
“Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract,” the foundation’s announcement said. “While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.”
Nextgov/FCW has asked MITRE for comment. It’s unclear how long the current extension will remain valid before CISA must initiate a new contract process in line with federal laws.
The news comes as CISA, MITRE’s main agency partner on the CVE Program, is expected to face significant reductions across several of its teams, including with contractors. Several contracts have already been terminated within the agency or have been left to lapse, according to two people familiar with the matter.
Last week, a top House lawmaker said he asked staffers working for Homeland Security Secretary Kristi Noem to carefully consider how to reduce the size of CISA because the agency does “have a mission to overwatch our critical infrastructure and make sure the bad guys aren’t getting in.”
Noem has vowed to conduct a broad reevaluation of CISA’s spending priorities amid several years of GOP accusations that the cyber agency helped censor conservative viewpoints online when it worked to take down mis- and disinformation during and around the time of the 2020 election.
“CISA needs to be much more effective, smaller, more nimble, to really fulfill their mission, which is to hunt and to help harden our nation’s critical infrastructure,” she said in January.
Editor’s note: This article has been updated to include the length of the extension.