In a surprising move, the US Cybersecurity and Infrastructure Security Agency (CISA) has extended its contract with Mitre, which manages the Common Vulnerabilities and Exposures (CVE) Program. This program is crucial for security experts worldwide, helping them stay informed about the latest security vulnerabilities.
Earlier this week, concerns arose when a letter from Mitre’s Yosry Barsoum leaked, indicating that the contract to run the program was set to expire in just 24 hours. Barsoum warned that a gap in service could lead to serious issues, like a decline in national vulnerability databases and advisories, affecting tool vendors and critical incident response operations.
The news sparked worry among security professionals, who anticipated significant disruptions across the industry if the CVE program—deemed a “foundational pillar” by Mitre—was sidelined. Late on Tuesday night, April 15, representatives reached an agreement to extend the contract, but details only surfaced on Wednesday morning.
A CISA spokesperson confirmed the extension, emphasizing the importance of the CVE Program. They noted, “The CVE Program is invaluable to the cyber community. Last night, we executed the option period on the contract to ensure no interruptions in critical CVE services.” This extension will last for 11 months.
Yosry Barsoum later stated, “Thanks to government actions, we’ve averted a break in service for both the CVE and Common Weakness Enumeration (CWE) Programs. As of April 16, CISA has designated incremental funding to maintain operations. We appreciate the widespread support for these programs from the global cyber community.”
This relief comes during a challenging time for cybersecurity teams grappling with various threats from both financially motivated cybercriminals and state-sponsored hackers. At the same time, the industry is reeling from significant budget cuts across the US government, initiated by Elon Musk’s Department of Government Efficiency (DOGE). These cuts are impacting the cybersecurity capacity of agencies like the Department of Homeland Security (DHS) and CISA.
Reports suggest CISA may face workforce reductions of 30% to 90%. Such cuts could cripple the agency’s ability to shield US government bodies and critical infrastructure from cyber threats, limiting international collaborations with partners like the UK’s National Cyber Security Centre (NCSC).
Moreover, CISA is under a comprehensive review of its activities over the past six years. This scrutiny is examining aspects that may conflict with Executive Order 14149, signed by President Trump, aimed at curbing federal censorship.
This review coincides with investigations into Chris Krebs, a former CISA chief, who recently had his security clearance revoked by Trump, along with that of his current employer, SentinelOne. Krebs was dismissed from CISA in late 2020 after he publicly contradicted Trump’s claims about election fraud, asserting there was no evidence of interference.
This content has been updated to include a statement from Mitre.