CISA ultimately stepped in at the last minute, issuing an emergency 11-month contract extension that kept the system running but left the global security community bracing for another funding cliff this spring.
Nearly a year later, that stopgap has been replaced by what sources describe as a more durable arrangement. The CVE board was informed during its Jan. 21, 2026, meeting that there would be “no funding cliff in March” and that “ongoing operations and planning extend well beyond that timeframe,” according to meeting minutes later made public.
In a statement, Nick Andersen, acting director of CISA, told CSO, “Under CISA’s leadership and sponsorship, the CVE program is fully funded and has continually evolved and modernized to support the global vulnerability ecosystem.” Jordan Graham, a spokesperson for MITRE, said in a statement that “MITRE, in support of CISA, is committed to CVE as a critical global resource.”
