Statement from Matt Hartman on the CVE Program

The CVE Program is an invaluable public resource relied upon by network defenders and software developers alike. As the nation’s cyber defense agency, it is a foundational priority for CISA. Recent public reporting inaccurately implied the program was at risk due to a lack of funding. To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse. There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure. 

CISA is proud to be the sponsor for the CVE program, a role we have held for decades. During this time, the CVE Program has gone through many evolutions, and this opportunity is no exception. MITRE, CISA, and the CVE Board have transformed this program into a federated capability with 453 CVE Numbering Authorities (CNAs). This growth has enabled faster and more distributed CVE identification, providing valuable vulnerability information to the public and enabling defenders to take quick action to protect themselves. We have historically been and remain very open to reevaluating the strategy to support the continued efficacy and value of the program.  

We also recognize that significant work lies ahead. CISA, in coordination with MITRE and the CVE Board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program. We are committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program. And we are committed to achieving these goals together.