The Cybersecurity and Infrastructure Security Agency has inked a last-minute funding extension for a key cyber vulnerability management program.

CISA’s contract with MITRE to manage the Common Vulnerabilities and Exposures, or CVE, program was set to expire on Wednesday. But after an outcry from the cybersecurity community, CISA executed an 11-month option period for MITRE’s contract on Tuesday night.

“The CVE program is invaluable to the cyber community and a priority of CISA,” a CISA spokesperson said on Wednesday. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

The CVE program assigns a unique identifier (a CVE ID) and a brief description to each publicly disclosed vulnerability in software and hardware, giving vendors, researchers and defenders a common name for the same bug. Organizations across the world rely on those identifiers to track and manage vulnerabilities in products and services. CISA’s “Known Exploited Vulnerabilities” catalog, for instance, lists vulnerabilities by CVE ID and attaches to each one a due date by which federal agencies must remediate it.
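To make the dependency concrete, here is an added example (not code from CISA, MITRE or the article) that joins an asset inventory to a KEV-style catalog using the CVE ID as the key and ranks findings by remediation deadline. The field names follow CISA’s published KEV JSON feed; the catalog entries, CVE IDs, dates and hosts below are constructed placeholders, not real data.

```python
"""Cross-reference an asset inventory against a KEV-style catalog by CVE ID.

Added example. Field names (cveID, dueDate, requiredAction, ...) follow CISA's
published KEV JSON feed; every entry below is a constructed placeholder.
"""
import json
import re
from datetime import date

# A CVE ID is CVE-<4-digit year>-<4 or more digits>. It is the join key between
# any vulnerability source (scanner output, vendor advisory) and the KEV catalog.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed catalog with the same shape as the real feed (placeholder content).
KEV_JSON = """
{
  "title": "Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "catalogVersion": "2025.04.16",
  "dateReleased": "2025-04-16T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleGateway",
      "vulnerabilityName": "ExampleGateway Placeholder Vulnerability",
      "dateAdded": "2025-03-20",
      "shortDescription": "Constructed placeholder entry.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2025-04-10",
      "knownRansomwareCampaignUse": "Known",
      "notes": ""
    },
    {
      "cveID": "CVE-2024-0002",
      "vendorProject": "ExampleVendor",
      "product": "ExampleDB",
      "vulnerabilityName": "ExampleDB Placeholder Vulnerability",
      "dateAdded": "2025-04-10",
      "shortDescription": "Constructed placeholder entry.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2025-05-01",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""

# Constructed inventory of (asset, CVE ID) findings, e.g. from a scanner export.
INVENTORY = [
    ("web-gw-01", "CVE-2024-0001"),
    ("db-02", "cve-2024-0002"),       # lowercase: normalized before lookup
    ("build-07", "CVE-2023-99999"),   # not in the catalog: scanner-only finding
]
AS_OF = date(2025, 4, 16)             # assumed "today" for the deadline math


def load_kev(raw):
    """Index the catalog by normalized CVE ID, rejecting malformed IDs."""
    index = {}
    for entry in json.loads(raw)["vulnerabilities"]:
        cve_id = entry["cveID"].strip().upper()
        if not CVE_ID_RE.match(cve_id):
            raise ValueError(f"malformed CVE ID in catalog: {entry['cveID']!r}")
        index[cve_id] = entry
    return index


def prioritize(inventory, kev_index, today):
    """Return inventory findings present in the catalog, most urgent first.

    daysLeft is negative when the due date has already passed. Ties on the
    deadline are broken in favour of entries with known ransomware use.
    """
    findings = []
    for asset, cve_id in inventory:
        entry = kev_index.get(cve_id.strip().upper())
        if entry is None:
            continue  # known to scanners but not known-exploited: lower priority
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "asset": asset,
            "cveID": entry["cveID"],
            "dueDate": entry["dueDate"],
            "daysLeft": (due - today).days,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "requiredAction": entry["requiredAction"],
        })
    findings.sort(key=lambda f: (f["daysLeft"], not f["ransomware"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev(KEV_JSON), AS_OF):
        status = (f"OVERDUE by {-f['daysLeft']}d" if f["daysLeft"] < 0
                  else f"{f['daysLeft']}d left")
        print(f"{f['asset']:<10} {f['cveID']:<15} due {f['dueDate']} ({status})")
```

The normalization and format check matter in practice: a scanner that emits lowercase or whitespace-padded IDs silently drops out of the join, and a malformed ID in the catalog is better rejected at load time than matched against nothing.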

A lapse in funding could have led to the “deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” according to a MITRE letter widely shared on social media Tuesday.

Scores of cyber leaders, including former CISA Director Jen Easterly, rallied around the program.

Ben Radcliff, senior director of cyber operations at Optiv, said the CVE program’s role as a central repository of vulnerability management alerts and tools for security researchers is unique.

“MITRE is really in a class by itself in this context, so reconfiguring these tools to pull threat and vulnerability data from secondary sources would not be a trivial task, and achieving the same level of reliability and quality of alerts would not be guaranteed,” Radcliff said.

“Additionally, the security community’s ability to respond to zero-day events would be significantly weakened,” he continued. “Bug hunters would need to revert to notifying software vendors directly and security teams would be entirely reliant on the vendors themselves to issue security bulletins.”

So when CISA extended MITRE’s contract, there was an audible sigh of relief across the cyber industry.

But the last-minute turmoil over the CISA contract has also sparked new conversations about the future of the CVE program – and the government’s role in it.

Peter Allor, a member of the CVE Board that oversees the program, said on LinkedIn that the incident shows “it is time for a change for the CVE program.” He said the U.S. government should no longer solely fund and control a program used across the world.

Meanwhile, he charged that CISA had not been “straight and truthful with the program and notably to the CVE Board.”

“This was a game of chicken on who pays,” Allor added.

Allor and other CVE board members on Wednesday announced the formation of a new “CVE Foundation.” The goal of the group is “to ensure the long-term viability, stability, and independence” of the CVE program, according to a press release.

The Foundation said it will be releasing more information on its plans in the coming days.

Lawmakers push extension of key cyber authorities

Sens. Gary Peters (D-Mich.) and Mike Rounds (R-S.D.) on Wednesday introduced a bill that would extend the Cybersecurity Information Sharing Act of 2015 for another decade. The current law expires Sept. 30.

Proponents of the law say it has proved critical in incentivizing companies to voluntarily share information about cyber threat indicators, software vulnerabilities, malware, and other information with the government.

“As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable—it remains essential for our national security,” Peters said in a statement. “For the past ten years, these critical protections have helped to address rapidly evolving cybersecurity threats, and this bipartisan bill will renew them so we can continue this collaborative partnership between the private sector and government to bolster our nation’s cybersecurity defenses against a wide range of adversaries.”

The law provides private companies with certain liability protections for voluntarily sharing data with the government. Major industry groups earlier this year urged House and Senate leadership to pass an extension of the law.

But implementation of the information sharing law has faced its challenges. A report from the Department of Homeland Security’s inspector general last year found that sharing through CISA’s voluntary cyber threat information program had recently declined to its lowest level since 2017.

OCC shares more on major cyber incident

The Office of the Comptroller of the Currency is sharing more information about a recent breach of its email systems. The OCC is an independent bureau under the Treasury Department.

In a Monday letter to bank CEOs, acting Comptroller of the Currency Rodney Hood said that in the February breach an “unauthorized user accessed a number of OCC user accounts, including emails and attachments, via a service account with administrative-level privileges.”

The OCC disabled the compromised account, but not before the hackers were able to access some sensitive information. Earlier this month, the OCC informed Congress that the breach qualified as a major cyber incident under the Federal Information Security Modernization Act, or FISMA.

“The OCC and one of its contractors are currently working to review the content of all compromised email communications and attachments, including determining whether any of the compromised information has been found on the dark web,” Hood told CEOs. “Information that was accessed includes financial supervision information provided by OCC supervised institutions and non-public OCC information. Efforts to determine if any bank customer information was compromised are ongoing.”

© 2025 Federal News Network. All rights reserved.