
After narrowly avoiding a lapse in its funding earlier this year, the Common Vulnerabilities and Exposures (CVE) Program is getting an update, the Cybersecurity and Infrastructure Security Agency (CISA) announced on Wednesday.
The agency said the program’s focus will shift toward improving data quality and access.
The CVE Program was launched in 1999 by non-profit MITRE – with sponsorship from the federal government and oversight by CISA – to catalog and share cybersecurity vulnerabilities with organizations to help identify and mitigate security risks.
The new roadmap is based on feedback CISA received from domestic and international partners and aims to “enhance trust, boost responsiveness and improve the caliber of vulnerability data.”
“This progress represents the CVE Program’s Growth Era, characterized by the successful recruitment of an extensive worldwide network of more than 460 CVE Numbering Authorities,” said CISA officials. “As the CVE Program evolves to meet the needs of the global cybersecurity community, it must transition into a new era focused, above all, on trust, responsiveness, and vulnerability data quality.”
Specifically, that new era focuses on scaling, modernization, and raising standards, according to a CISA fact sheet. The fact sheet shares the agency’s plans to broaden the CVE advisory board to better reflect the global cybersecurity ecosystem by pulling in expertise from governments, academia, open-source developers, tool providers, and researchers.
Data quality improvements will be made through increased collaboration with industry and international governments to improve CVE minimum standards for record quality, which CISA said will be done through federated mechanisms that scale vulnerability data enrichment. The agency said it will also work with the cybersecurity community to improve CVE data quality, including considering methods that use artificial intelligence and machine learning.
Automation will also play a role in accelerating modernization, which would help expand CVE program offerings, CISA added. Under the update, the agency will raise the bar on responsiveness and transparency in its role as a “CNA of Last Resort.”
The way the program is funded may also change, according to CISA, which said that while sustained government funding is important, it is also considering diversified funding options.
In April, the CVE Program was just hours away from a lapse in the federal funding that pays for developing, operating, and modernizing the program.
After MITRE warned members of the CVE Board that a break in funding would cause the program to deteriorate, CISA extended the contract with MITRE for an additional optional period of 11 months, set to end early next year.
“CISA remains fully committed to sustaining and enhancing this critical global cyber defense framework,” said Nick Andersen, executive assistant director for cybersecurity at CISA. “With this strategic vision, CISA is reaffirming our leadership role and seizing the opportunity to modernize the CVE Program, solidifying it as the cornerstone of global cybersecurity defense.”