Following last week’s last-minute move to prevent a disruption to the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reaffirmed on Wednesday the CVE Program’s vital role as a public resource essential to both network defenders and software developers. Matt Hartman, CISA’s acting executive assistant director for cybersecurity, clarified that the situation stemmed from a contract administration issue, not a funding shortfall, which was resolved before any lapse occurred.
The CVE program has continued without interruption, and CISA remains fully committed to maintaining and enhancing this cornerstone of national cyber infrastructure. The move ensures that MITRE will continue operating the CVE program for at least another 11 months after federal cybersecurity officials confirmed that they temporarily extended their contract with the organization to keep the platform running.
“CISA is proud to be the sponsor for the CVE program, a role we have held for decades,” Hartman wrote in a press release. “During this time, the CVE Program has gone through many evolutions, and this opportunity is no exception. MITRE, CISA, and the CVE Board have transformed this program into a federated capability with 453 CVE Numbering Authorities (CNAs). This growth has enabled faster and more distributed CVE identification, providing valuable vulnerability information to the public and enabling defenders to take quick action to protect themselves.”
He added that the agency has historically been and remains very open to reevaluating the strategy to support the continued efficacy and value of the program.
“We also recognize that significant work lies ahead. CISA, in coordination with MITRE and the CVE Board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program,” Hartman detailed. “We are committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program. And we are committed to achieving these goals together.”
