Funding for a cyber vulnerability program supported by MITRE will be cut Wednesday

MITRE, a non-profit research giant, confirmed to Nextgov/FCW that the U.S. government funding required to create, run, and maintain its flagship Common Vulnerabilities and Exposures Program will expire on Wednesday. The CVE Program, which was first introduced in 1999 and is widely used across sectors, from national intelligence agencies to private industry, offers a standardized framework for identifying vulnerabilities and is essential to vulnerability management practices.

The CVE Program offers a standardized system for identifying and cataloguing publicly known cybersecurity vulnerabilities. Each vulnerability is assigned a unique identifier, which is intended to help security researchers, vendors, and officials communicate consistently about the same issue. Organizations such as the Cybersecurity and Infrastructure Security Agency regularly issue vulnerability alerts using CVE standardized language. According to a statement from Yosry Barsoum, director of MITRE’s Center for Securing the Homeland, funding for related programs run by the organization, including the Common Weakness Enumeration program, will also expire tomorrow.

“The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource,” Barsoum said.

Rumors regarding the expiration of funding appeared Tuesday after an internal memo supposedly issued to CVE board members from Barsoum made its way across social media. MITRE informed Nextgov/FCW that the communication was sent to the CVE board on Tuesday morning and verified its authenticity.

The notification cautioned, “We expect several effects on CVE in the event of a service interruption, including degradation of national vulnerability databases and advisories, tool vendors, incident response activities, and various critical infrastructure.”

According to its website, the CVE Program has cataloged about 275,000 records. It also keeps historical information in its GitHub repository.

A MITRE spokesperson stated, “There is still active work continuing for DHS agencies underway at MITRE, and we are in communication about ways we can continue to support DHS’s mission.” The announcement coincides with earlier reports that CISA, which collaborates with MITRE on the CVE Program, is anticipated to undergo significant cuts across several of its teams, including with contractors. According to two people familiar with the situation, several contracts have already been terminated within the agency or allowed to lapse.

A top House lawmaker said last week that he asked Homeland Security Secretary Kristi Noem’s staffers to carefully consider ways to reduce the agency’s size, since CISA does “have a mission to overwatch our critical infrastructure and make sure the bad guys aren’t getting in.” House Science Committee Ranking Member Zoe Lofgren, D-Calif., and Committee on Homeland Security Ranking Member Bennie Thompson, D-Miss., referred to the funding lapse as “reckless and ignorant,” stating that it will compromise cybersecurity globally.

A spokesperson for DHS did not immediately respond to a request for comment. A CISA spokesperson stated that the U.S. cyber agency is the primary sponsor for the CVE Program and that it is “urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.” They said in a statement that the Common Vulnerabilities and Exposures Program ensures that every service, device, and system is removing discovered vulnerabilities. “From your personal computer to the electric grid to nuclear facilities — they all rely on the CVE. Eliminating this contract will allow malicious actors to operate in the dark.”

Funding for MITRE’s cyber vulnerability program has been cut as the National Institute of Standards and Technology has found it difficult to keep up with the volume of cyber vulnerabilities submitted to its own repository program, the National Vulnerability Database.
