The Cybersecurity and Infrastructure Security Agency said it remains firmly committed to supporting and further enhancing the Common Vulnerabilities and Exposures program, which is a critical program for identifying and mitigating software flaws that can expose computer systems to exploitation.
Nick Andersen, the new executive assistant director for cybersecurity at CISA, expressed staunch support for the CVE program during a discussion on Thursday at the Billington Cybersecurity Summit in Washington, D.C.
CISA on Wednesday released a road map that outlined its priorities for the CVE program, with the full intention to further develop the program and create a plan for robust funding and wider participation.
Andersen told reporters after the presentation that it’s “exceedingly important” for CISA to be able to grow and expand the program.
“The feedback that we’ve gotten consistently is people are looking for somebody to call objective balls and strikes out there,” Andersen said.
Among the key aspects of the program is identifying and prioritizing flawed software that needs to be patched or otherwise remediated, so that security teams can protect their systems against hacking.
The priorities outlined in the road map include the expansion of community members that participate in the program, including international partners, open-source experts, security researchers and others.
Other discussions have revolved around developing additional sources of funding.
Mitre Corp. remains committed to the CVE program as a “critical global resource,” a spokesperson said.
“We look forward to continuing our support to CISA and CVE’s many partners to help realize this vision which will strengthen and position CVE for continued success in the years to come,” the spokesperson told Cybersecurity Dive via email.
The funding of the CVE program has been a major source of concern in recent months after Mitre warned the existing funding was set to expire earlier this year, leaving the future of the program in doubt. An agreement was reached to extend funding until early 2026; however, industry-wide discussions have been underway for months to address those concerns.
“While CISA is signaling commitment to funding, there have been no further developments or transparency around future funding beyond the 11-month extension that was executed at the last hour back in April,” Patrick Garrity, senior researcher at Vulncheck, told Cybersecurity Dive.