CISA looks to partners to shore up the future of the CVE Program

The US Cybersecurity and Infrastructure Security Agency (CISA) has affirmed its continuing support for the Common Vulnerabilities and Exposures (CVE) program.

“If we want to outpace and outmaneuver our adversaries, we must first ensure that defenders everywhere are operating from the same map. That’s what the CVE Program provides: a common lexicon of real, exploitable vulnerabilities,” Nick Andersen, Executive Assistant Director for Cybersecurity, stated on Thursday.

“CISA has been – and will remain – committed to the security, stability, and strategic direction of this mission-critical infrastructure.”

CISA’s plan

The CVE Program, established over 25 years ago, is currently sponsored by the US Department of Homeland Security through CISA’s National Cyber Security Division (NCSD).

It’s run by the CVE Board and the not-for-profit MITRE Corporation: the former makes the decisions and the latter administers the program.

After a period of uncertainty over whether CISA would continue funding the program, a last-minute decision by the agency secured funding until March 2026.

CISA now tells the world that the agency is committed to keep CVE data “free and openly accessible as a public good,” and says that the CVE Program “must be led with a commitment to conflict-free and vendor-neutral stewardship, broad multi-sector engagement, transparent processes, and accountable leadership.”

To strengthen the program, CISA is planning to:

  • Accelerate the implementation of technological improvements (i.e., modernize)
  • Ensure better representation of international organizations and governments, academia, vulnerability tool providers, data consumers, security researchers, operational technology, and open-source communities in the CVE Program and its advisory board
  • Incorporate feedback from the (global) community into decisions regarding the development of the program

It is also looking for ways to diversify the program’s funding, developing federated mechanisms to scale enrichment (e.g., Vulnrichment and the Authorized Data Publisher (ADP) capability), and wants help from industry and international governments to improve the completeness, accuracy, and timeliness of CVE records.

(Vulnerability data enrichment through the Vulnrichment program was established after the same effort slowed down at the US National Institute of Standards and Technology’s National Vulnerability Database (NVD), which is still playing catch-up.)
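Because an ADP such as CISA’s Vulnrichment can supply the CVSS, CWE and SSVC data that a CNA left out, a consumer of CVE records has to look past the CNA container. The following is an added example, not code from CISA, MITRE or the CVE Program: it reads a CVE JSON 5.x record and resolves those fields from the CNA first and then from each ADP container in order; the record is constructed with a placeholder ID, and the field layout (`containers.cna`, `containers.adp[].providerMetadata.shortName`, `metrics`, `problemTypes`) follows the published CVE record format as assumed here.

```python
import json
# Constructed sample CVE JSON 5.x record (placeholder ID, not a real CVE); the CNA
# container carries no CVSS or CWE, so enrichment must come from the ADP container.
SAMPLE_RECORD = json.loads("""{
  "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
  "containers": {
    "cna": {"descriptions": [{"lang": "en", "value": "Constructed description."}]},
    "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
             "metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
                         {"other": {"type": "ssvc", "content": {"options": [
                           {"Exploitation": "none"}, {"Automatable": "no"}]}}}],
             "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79"}]}]}]}}""")

def cvss_score(container):
    """Base score of the newest CVSS metric in a container, or None."""
    for metric in container.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric:
                return metric[key].get("baseScore")
    return None

def cwe_ids(container):
    """CWE identifiers listed in a container's problemTypes entries."""
    return [d["cweId"] for pt in container.get("problemTypes", [])
            for d in pt.get("descriptions", []) if "cweId" in d]

def ssvc_decision(container):
    """SSVC decision-point options from an ADP 'other' metric, or None."""
    for metric in container.get("metrics", []):
        other = metric.get("other", {})
        if other.get("type") == "ssvc":
            return {k: v for opt in other["content"]["options"] for k, v in opt.items()}
    return None

def enrichment_summary(record):
    """Resolve CVSS/CWE/SSVC, preferring the CNA container and then each ADP in order."""
    sources = [("CNA", record["containers"].get("cna", {}))] + [
        (adp.get("providerMetadata", {}).get("shortName", "ADP"), adp)
        for adp in record["containers"].get("adp", [])]
    summary = {"cveId": record["cveMetadata"]["cveId"], "cvss": None,
               "cvss_source": None, "cwes": [], "cwe_source": None, "ssvc": None}
    for name, container in sources:
        score = cvss_score(container)
        if summary["cvss"] is None and score is not None:
            summary["cvss"], summary["cvss_source"] = score, name
        if not summary["cwes"] and cwe_ids(container):
            summary["cwes"], summary["cwe_source"] = cwe_ids(container), name
        summary["ssvc"] = summary["ssvc"] or ssvc_decision(container)
    return summary
```

Tracking the source name alongside each value lets a record-quality check tell CNA-supplied data from ADP-supplied data, which is the gap Vulnrichment is meant to fill.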

“We look forward to working with the community to find creative ways to achieve quality, improve the CVE schema, and forge ahead with innovative solutions that bring automation, machine learning, and artificial intelligence into the portfolio,” the agency said in its strategic focus document.

“If you would like to provide feedback on our vision and lines of effort or simply aren’t currently part of the CVE Program and have interest in contributing, please email us at [email protected].”

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.