All your vulns are belong to us! CISA wants to maintain gov control of CVE program
The Cybersecurity and Infrastructure Security Agency (CISA) nearly let the Common Vulnerabilities and Exposures (CVE) program lapse earlier this year, but a new “vision” document it released this week signals that it now wants more control over the global standard for vulnerability identification.
CISA published a two-page summary of its vision board for CVE’s future this week, talking it up like a Taylor Swift tour: 2025, according to CISA, is the year CVE leaves its “growth era” for a “quality era” that CISA appears intent on dominating. Nicholas Andersen, CISA’s recently appointed Executive Assistant Director for Cybersecurity, made the agency’s vision for CVE’s future clear in a blog post published alongside the vision document: It’s a CISA joint.
“Over the past year, we’ve seen significant debate around the future of the program,” Andersen said. “But let me be absolutely clear: there is no national cyber defense without a reliable, government-led system for vulnerability identification.”
That debate, we note, largely has to do with the fact that the CVE program came close to a shutdown earlier this year when CISA nearly let MITRE’s contract expire, before granting an 11-month extension through March 2026.
The CVE board, a volunteer group that advises the CVE program for nonprofit MITRE (which has operated the program with US government funds since 1999), was largely kept in the dark about the lack of funding, members told us earlier this year. That led some on the board to establish the CVE Foundation, pitched as a vehicle for diversified funding and vendor-neutral governance, independent of corporate or government control.
“The CVE Foundation vehemently believes the best path forward to preserve the critical service of the CVE Program is to transition it to a nonprofit entity with true international coordination, rigorous and transparent governance, and multiple funding sources from public, private, and nonprofit organizations,” the CVE Foundation said in July.
CISA doesn’t appear thrilled with that prospect.
“The facts are simple: The mandate, mission, and momentum to lead this program into the future belongs to this agency,” CISA’s Andersen said in his blog post this week.
“Suggestions to privatize the CVE Program or move to other alternative stewardship models might sound appealing, but the implications are serious,” Andersen continued. “Private entities, even with the best intentions, face conflicts of interest, prioritizing shareholder value over national security.”
Over the past few years of the CVE program, Andersen added, CISA, MITRE and the CVE Board (under MITRE, not the CVE Foundation) had worked together to grow the initiative. “We do this not by dictating outcomes from Washington,” Andersen said.
The vision document, we note, makes it pretty clear CISA may have realized it messed up and is now struggling to assert control of an internationally valuable program that it believes should be under its auspices. According to its vision document, the agency believes that those aforementioned conflicts of interest inherent in alternative stewardship models “reinforce the need for CISA to take a more active role in the long-term stewardship of the CVE Program.”
We asked CISA what that direct control would look like, but the agency wouldn’t answer our questions, instead directing us to the vision document and Andersen’s blog post.
MITRE’s response wasn’t particularly enlightening either, with the nonprofit only expressing wishes that things would just go back to the way they used to be.
“MITRE remains committed to CVE as a critical global resource,” the organization told us in an email. “We look forward to continuing our support to CISA and CVE’s many partners to help realize this vision which will strengthen and position CVE for continued success in the years to come.”
CISA declined to answer questions about whether its funding of the CVE program had been extended beyond early 2026, or anything else about its vision for the program’s future.
Given the language in the vision doc and Andersen’s comments, the future of the CVE program is going to be a path laden with conflict, uncertainty, and trouble for those who rely on it. ®