In a last-minute intervention, the US Cybersecurity and Infrastructure Security Agency (CISA) has extended its contract for the Mitre-operated Common Vulnerabilities and Exposures (CVE) Programme, relied on by security professionals around the world to keep up to date on the latest publicly disclosed security vulnerabilities.
The future of the CVE Programme came into doubt earlier this week when a leaked letter from Mitre’s Yosry Barsoum warned that the contract pathway for the non-profit to run the programme was set to lapse within 24 hours.
Barsoum said that should a break in service occur, the programme would experience multiple impacts including “deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure”.
The revelation caused consternation around the world, with security professionals bracing for massive change in the industry as a result of the removal of what Mitre describes as a “foundational pillar” for the sector.
Agreement to extend the contract under which Mitre oversees the vital CVE Programme was reached late on Tuesday 15 April, but news of this only began to trickle out on Wednesday morning.
A CISA spokesperson said: “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
CISA additionally confirmed that the contract extension will last for 11 months.
Computer Weekly reached out to Mitre for further comment but the organisation had not yet responded at press time.
The narrowly averted disruption comes at a difficult time for the cyber security community as it works flat out to ward off a vast array of threats from financially motivated and nation-state threat actors.
At the same time, the industry must reckon with the impact of massive cuts being made across the US government by Elon Musk’s Department of Government Efficiency (DOGE). These cuts are now hitting America’s state cyber security apparatus including at the Department of Homeland Security (DHS) and CISA itself, which sits within the DHS.
According to reports, it is likely that CISA may be looking at a reduction in its workforce of between a third and 90%, which would have a significant impact on the agency’s ability to protect US government bodies and critical infrastructure from cyber threats, and internationally, its ability to collaborate with partner agencies such as the UK’s National Cyber Security Centre (NCSC).
CISA is also facing a comprehensive review of its activities over the past six years, focusing on instances in which its conduct may have run contrary to the purposes and policies established in Executive Order 14149, signed by president Trump on 20 January and titled Restoring freedom of speech and ending federal censorship.
This review comes alongside a deeper probe into former CISA leader Chris Krebs, who last week saw his federal security clearance, and those of his current employer SentinelOne, revoked by Trump, to the consternation of many.
Krebs was fired from CISA at the end of 2020 after he disputed Trump’s narrative that the presidential election had been rigged in favour of Joe Biden. Krebs and CISA had maintained there was absolutely no evidence of any interference.
