CISA Signals Possible Government Takeover of CVE Program With Release of New Roadmap
September 22, 2025
Though the Trump administration has generally had a poor relationship with CISA, there was never any real intent to defund the CVE program, and getting new funding in place has only been a matter of contract issues and some sort of “workflow” problem.
A new roadmap for the future of the CVE program released by CISA does not provide much in the way of specific illuminating details, but, when paired with recent comments by its new executive assistant director, it points toward plans for the US government to step in and take control of the program sometime prior to its 2026 funding deadline.
The roadmap provides some more general information about CISA’s plans for the program, such as increased participation by a range of stakeholders and better handling of vulnerability prioritization. The future plans hint in part at US intent to once again pick up funding, but executive assistant director Nick Andersen has made even more explicit statements pointing toward direct agency involvement and an increased role.
CISA rejects privatization of CVE program
The CVE program roadmap does not detail specific plans for future funding, but does explicitly reject the idea of privatizing the program. The more illuminating information here comes from comments from Andersen, former head of cybersecurity for the Energy Department during Trump’s first term, made at the recent Billington Cyber Conference.
Andersen indicated that though the administration has generally had a poor relationship with CISA, there was never any real intent to defund the CVE program and that getting new funding in place has only been a matter of contract issues and some sort of “workflow” problem; the program is broadly seen throughout government as a vital cyber defense tool.
This would represent a major change in expected direction, with MITRE seemingly anticipating US support to drop off after the current contract ends in early 2026. Options that had been discussed include participation by other governments and donations from private sources, with the CVE Foundation formed as a nonprofit seemingly to facilitate those options. CISA signaled opposition to this development, citing specifically the national security concerns that could be created by bringing private sector partners in.
Improved prospects for the CVE program?
At the moment, MITRE only has funding for the CVE program until March 2026 (after exercising the right to a contract extension in April of this year that bought it 11 more months). The organization has committed to putting up the existing catalog on GitHub as an emergency measure should the funding run out, but between the new CISA developments and other signals from potential partners this now seems very unlikely.
The roadmap indicates that new funding may well not just mean business as usual, but improvements to the CVE program in necessary areas: transparency, collaboration, and responsiveness to the most serious vulnerabilities among them. Of course, nothing is certain. Trump’s personal squabbles with CISA, which he has declared was a partisan force working against him in the prior election, always add an unpredictable element. So too do his sweeping budget cuts that began shortly after he took office. But the administration seems to have seen the value of the program and is taking the approach of running the agency its own way rather than starving or abandoning it.



