The U.S. government funding needed for non-profit research giant MITRE to develop, operate and maintain its flagship Common Vulnerabilities and Exposures Program will expire Wednesday, the company confirmed to Nextgov/FCW.
Used extensively across sectors — from private industry to national intelligence agencies — the CVE Program provides a standardized framework for identifying vulnerabilities and plays a central role in vulnerability management practices. It was first launched in 1999.
Funding for related programs run by the organization, such as the Common Weakness Enumeration program, will also expire tomorrow, Yosry Barsoum, who directs MITRE’s Center for Securing the Homeland, said in a statement.
The CVE Program provides a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. Each vulnerability is assigned a unique identifier, designed to help security researchers, vendors and officials communicate consistently about the same issue. Agencies like the Cybersecurity and Infrastructure Security Agency regularly issue vulnerability alerts using CVE standardized language.
“The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource,” Barsoum said.
Rumors about the expiration in funding surfaced Tuesday when an internal memo purportedly sent to CVE board members from Barsoum made its way across social media. MITRE confirmed the legitimacy of the message to Nextgov/FCW and said it was sent to the CVE board Tuesday morning.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” the notice warned.
The CVE Program has cataloged nearly 275,000 records, according to its website, and also stores historical records on its GitHub repository.
The news comes as CISA, which partners with MITRE on the CVE Program, is expected to face significant cuts across several of its teams, including with contractors, according to previous reports. Several contracts have already been terminated within the agency or have been left to lapse, according to two people familiar with the matter.
“There is still active work continuing for DHS agencies underway at MITRE, and we are in communication about ways we can continue to support DHS’s mission,” a MITRE spokesperson said.
Last week, a top House lawmaker said he asked staffers working for Homeland Security Secretary Kristi Noem to carefully consider how to reduce the size of CISA because the agency does “have a mission to overwatch our critical infrastructure and make sure the bad guys aren’t getting in.”
House Science Committee Ranking Member Zoe Lofgren, D-Calif., and Committee on Homeland Security Ranking Member Bennie Thompson, D-Miss., called the funding lapse “reckless and ignorant” and said it will undermine cybersecurity around the world.
“The Common Vulnerabilities and Exposures Program makes sure every service, device, and system is removing discovered vulnerabilities,” they said in a statement. “From your personal computer to the electric grid to nuclear facilities — they all rely on the CVE. Eliminating this contract will allow malicious actors to operate in the dark. We call on the Department of Homeland Security to fully restore funding to this program before catastrophe strikes.”
A spokesperson for DHS did not immediately respond to a request for comment. A CISA spokesperson said the U.S. cyber agency is the primary sponsor for the CVE Program and that it is “urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”
The loss of funding for MITRE’s cyber vulnerability program comes as the National Institute of Standards and Technology has struggled to keep up with the number of cyber vulnerabilities submitted to its own repository program, the National Vulnerability Database.
This article has been updated to include additional comment from MITRE, CISA and lawmakers.