CISA Lays Out Roadmap for CVE Program’s ‘Quality Era’
The US cybersecurity agency CISA has reaffirmed its support for the CVE vulnerability program and proposed a reform roadmap that covers community participation, modernization, and government sponsorship, after the possibility of MITRE withdrawing from managing the program caused turmoil. CISA stresses preserving neutrality and expanding public-private cooperation to strengthen global cyber defense. 2025-9-12 18:46:43 Author: securityboulevard.com (view original)

The country’s top cybersecurity agency is reiterating its support for the critical Common Vulnerabilities and Exposures (CVE) program, rolling out a roadmap that calls for greater community participation, modernization, and government sponsorship to ensure it remains vendor-agnostic.

CISA’s announcement this week and a two-page fact sheet the agency released come five months after the CVE program was thrown into turmoil, when questions arose about continued government funding and members of the CVE Board that helped manage the program announced a new non-profit organization that could take responsibility for collecting, cataloging, and managing CVEs.

At the last minute, CISA announced it would continue funding the CVE program, at least temporarily. Now the agency is throwing its continued support behind the program and suggesting that it or another federal agency will oversee it.


“With this strategic vision, CISA is reaffirming our leadership role and seizing the opportunity to modernize the CVE Program, solidifying it as the cornerstone of global cybersecurity defense,” Nick Andersen, CISA’s executive assistant director for cybersecurity, said in a statement.

In the fact sheet, CISA said that over the past decade, the CVE program had become a pillar within the global cybersecurity industry, a period the agency called its “growth era.” Now comes its “quality era,” transitioning “into a new era focused above all on trust, responsiveness, and vulnerability data quality.”

MITRE Out of the Picture?

The CVE program provides a list of public cybersecurity vulnerabilities to foster a greater collective defense against threats. It assigns a unique CVE ID to each vulnerability and allows security researchers and teams to share data, collaborate, and more easily identify security flaws.

The program had been managed by the non-profit MITRE Corp. and had the assistance of the CVE Board. However, MITRE wasn’t mentioned in the fact sheet for the program’s future, and CISA argued that public sponsorship was important moving forward.

“It must be led with commitment to conflict-free and vendor-neutral stewardship, broad multi-sector engagement, transparent processes, and accountable leadership,” the agency wrote. “National security and public safety require government accountability, as demonstrated in other critical safety areas like automobiles, aviation, pharmaceuticals, and medical devices, to name a few. Software vulnerabilities require a similar level of accountability, given the ubiquity of software that underpins critical infrastructure systems.”

CISA: Public, Not Private

In proposing the private CVE Foundation in April, CVE Board members said they worried that operating as a government-funded entity, which comes with government oversight and management, damaged the program’s sustainability and neutrality, noting that a resource relied on by corporations and countries around the world shouldn’t be sponsored by a single government.

However, CISA argued that privatizing the platform would hurt its value as a public good. The incentive structure in the software industry can lead to tension for the private companies that need to decide whether to promote transparency downstream by fully disclosing vulnerabilities or minimize the disclosure to avoid economic or reputational harm.

“These built-in conflicts could have a detrimental impact on program transparency and the ability to continue standardizing disclosure practices through the public identification and cataloging of vulnerabilities,” CISA wrote. “In addition, although alternative stewardship models might seem appealing, they can lack stability and become vulnerable to undue financial pressures or contribution-driven influence.”

Expanding Public-Private Partnerships

Patrick Garrity, security researcher at VulnCheck, a vulnerability and exploit intelligence firm, said CISA’s statement about needing to take a more active role with the program “indicates the organization may assume the secretariat role in administering the program, and governance could shift to direct government oversight. This further illustrates the value of expanding public-private partnerships and forging strong community relationships.”

That includes areas such as CISA’s Vulnrichment program, which adds enrichment data to CVE records to make them more useful. Garrity said this was an important function at a time when the National Institute of Standards and Technology (NIST) has been struggling for more than a year to keep up with the backlog of security flaws coming into its own vulnerability databases.

In its roadmap, CISA officials said the agency wants to expand its community partnerships to get better representation among governments, international organizations, vulnerability tool vendors, data consumers, and others, and to improve its technologies. The agency also said it will communicate more with community members and will improve and scale vulnerability enrichment by working with industry players and international governments to create new standards.

‘A Good Starting Point’

Much of that sounds good to Garrity.

“The CVE program roadmap is a good starting point and underscores the need for reform across the program,” the security researcher said. “There are plenty of opportunities for improvement across areas that have presented persistent challenges, such as transparency, communication, responsiveness, timely execution and collaboration.”

Participants have long cited transparency and communication as areas needing improvement, he said, and the commitment to milestone reporting, regular dialogue, and engagement beyond traditional software suppliers is key to bridging trust gaps in the community.

“The emphasis to include security researchers, academia, open-source communities, and international partners helps address the need for better responsiveness, data enrichment across CVE records, and reinforces the importance of accountability,” Garrity said.

Source: https://securityboulevard.com/2025/09/cisa-lays-out-roadmap-for-cve-programs-quality-era/?utm_source=rss&utm_medium=rss&utm_campaign=cisa-lays-out-roadmap-for-cve-programs-quality-era