Transparency questions remain

Despite the apparent funding stability, the contract itself remains largely opaque, even to members of the CVE board. A source close to the CVE program, who requested anonymity to preserve working relationships with CISA and MITRE, described the agreement as reassuring but lacking transparency.

“It’s a mystery contract with a mystery number that has been agreed to and passed,” the source said. “The good news is people don’t have to worry. But now that they don’t have to worry, now is the time to ask the hard questions.”

Those questions include how the program will be modernized, how its performance will be measured, and whether its governance structure should evolve.

In his statement to CSO, CISA’s Andersen said, “CISA, in collaboration with the global cybersecurity community, is committed to enhancing data quality, modernizing infrastructure and services, improving governance processes with more diverse representation, among other lines of effort.”

One CVE board member has repeatedly requested access to the MITRE-CISA contract at successive board meetings, according to people familiar with the discussions. MITRE has declined those requests, citing legal protections around the agreement between the two organizations. A separate Freedom of Information Act request for the contract has also gone unanswered.

“If you’re saying you’re doing it for the public good and the greater good, it’s incumbent upon you to say how you are measuring good,” Allor said. “That’s an open question, and it can’t be secret.”

The CVE board itself, expanded to 24 members in recent years, functions largely as an advisory body, while MITRE retains final decision-making authority over program operations.
Global alternatives begin to emerge

The near-collapse of the CVE program last year triggered a wave of contingency planning across the cybersecurity ecosystem.

The CVE Foundation began exploring governance models that would reduce reliance on a single US government funding source. At the same time, the European Union Agency for Cybersecurity began developing its own vulnerability identification framework, which has since launched.

An ENISA spokesperson said the agency remains committed to the CVE ecosystem but does not have visibility into the program’s funding arrangements. “ENISA is part of the CVE Program and remains committed to contributing to the global CVE community and supporting coordinated vulnerability management,” the agency said in a statement.

Private-sector organizations also took steps to hedge against potential disruption. Vulnerability intelligence firm VulnCheck, for example, reserved blocks of CVE identifiers to ensure continuity if the numbering system faltered.

Even with the funding scare resolved, those efforts are unlikely to disappear. Structural concerns about governance and long-term independence continue to drive interest in complementary or alternative systems.

Some European stakeholders, in particular, remain uneasy about a critical piece of global cybersecurity infrastructure depending on a single US government contract.

“There are some European people who don’t want to point their technical data directly at a US-funded government thing,” the source familiar with the CVE program said. Discussions have reportedly begun about potentially amending the EU’s Cyber Resilience Act to reference an identifier managed by ENISA rather than CVE.

Allor said he expects CISA to expand its international engagement around the program in the coming months in response to those concerns. “I think there are countries within the EU, and I know of at least three countries external to the EU that were complaining about it,” he said. “I think the folks at CISA heard that loudly.”

Last September, CISA outlined its “vision” for the CVE program, pledging to strengthen international partnerships and improve representation of governments and organizations outside the United States, a signal of renewed commitment following last year’s scare.
A warning the industry won’t forget

Even as the immediate funding crisis fades, the institutional environment surrounding CISA remains unsettled. The agency has faced budget cuts, leadership turnover, and staff reductions, and it has gone more than a year without a Senate-confirmed director.

For now, however, the vulnerability catalog that serves as the cybersecurity industry’s common language remains funded and operational.

But the events of last year revealed how dependent the global security ecosystem has become on a single US government contract, and sparked a broader debate about whether the governance and funding of such critical infrastructure should be more transparent, more international, and less fragile.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4142600/cve-program-funding-secured-easing-fears-of-repeat-crisis.html