The Cyber Express reported on April 15 that MITRE’s contract to run the Common Vulnerabilities and Exposures (CVE) Program was expiring, causing concern in the cybersecurity community. However, those fears were alleviated when the Cybersecurity and Infrastructure Security Agency (CISA) announced today that it would be extending the contract for 11 months.
In a statement to The Cyber Express, a spokesperson for CISA emphasized the importance of the CVE Program to the cybersecurity community and stated that there would be no lapse in critical CVE services thanks to the contract extension. This decision was made to ensure the continuity of the program despite uncertainties about its long-term future.
The initial panic arose following a letter from Yosry Barsoum, Vice President and Director of MITRE’s Center for Securing the Homeland, warning of the impending expiration of the contract. Barsoum highlighted the potential impacts of a break in service, including the deterioration of national vulnerability databases, advisories, tool vendors, incident response operations, and critical infrastructure.
MITRE responded to media inquiries by confirming the funding expiration date and reaffirming its commitment to the CVE Program as a global resource. The organization stressed the program’s value to the cybersecurity industry, serving as a foundational data source for various cybersecurity services.
In anticipation of the contract extension, MITRE gave assurances that historical CVE records would remain available on GitHub and directed interested parties to the official CVE.org website for more information. Barsoum expressed gratitude for the government’s actions to prevent a service interruption and reiterated MITRE’s dedication to the CVE and CWE Programs.
Former CISA Director Jen Easterly underscored the importance of the CVE Program in a LinkedIn post, highlighting the serious implications for business risk, operational resilience, and national security. Easterly emphasized the program’s critical role in modern cybersecurity, noting that any disruption would have significant consequences.
The potential contract expiration also coincided with an ongoing backlog in processing CVEs in the National Vulnerability Database (NVD) at the National Institute of Standards and Technology (NIST). With a large number of new vulnerabilities discovered each year, NIST faces challenges in managing the influx.
Overall, the extension of the MITRE CVE contract provides reassurance to the cybersecurity community regarding the continuity of essential CVE services. As the program remains a pillar of cybersecurity, its sustained operation is crucial for maintaining the integrity and security of critical systems and infrastructure.