I’ve been saying for a while that I don’t think CISA (the Cybersecurity and Infrastructure Security Agency, part of DHS) would continue to fund MITRE’s contract to run the CVE Program when it comes up for renewal this March. I mainly said that because I didn’t think CISA would want to fund this contract anymore. After all, starting in January 2025, CISA’s workforce was decimated, to the point where they expected to end the year with 31% of the number of employees that they had at the beginning of the year (I don’t know whether CISA achieved that laudable (?) goal, but if they didn’t, I’m sure it wasn’t for lack of trying).
Also, CISA deliberately forced some of their most valuable employees (the ones who hadn’t already quit) to resign by “transferring” them to an ICE or FEMA office in another city – and giving them only seven days to decide whether to accept the transfer. Since CISA was so focused on cutting costs and was terminating other contracts early, why would they fight to keep a $40 million contract, especially since the CVE Foundation has lined up more than enough funding to take it over?
However, CISA really doesn’t want to give up the contract. They have been mounting a serious pressure campaign to make sure it stays with them; they seem to be winning that battle. This means that in March, CISA is likely to sign another one-year contract with MITRE to run the CVE Program, after the five or six they’ve already signed. MITRE will probably continue on a course not very different from their course over the last 5-6 years.
But here’s the bad news: A lot of people in the vulnerability management community have been upset with the CVE Program for years because of numerous problems like a) missing information in many CVE records (especially CVSS scores and CPE names), b) inaccurate or missing product, vendor and version information, c) lack of machine-readable version range information, etc. They complain that, when they bring problems directly to the CVE Program, they either don’t get any response or they’re simply told the issue has been noted and will be addressed when time permits – but time never seems to permit, since they never hear anything more about it.
Unfortunately, these people don’t seem to understand the First Law of Government Contracting: A contractor never agrees to undertake more work than what is specifically required by their contract – that is, unless the agency that approved the contract is willing to sign a Change Order and send it over, accompanied by a fat check (and since annual budgets can only be increased in dire circumstances, this is rarely done before the next contract renewal).
These people also don’t understand the First Corollary to the First Law of Government Contracting: The only time the agency that pays the contractor has any real leverage to get the contractor to agree to do more work is during contract renewal negotiations. Thus, the people who have made these complaints need to make them to CISA.
But CISA has been paying for the MITRE contract for years. Given that complaints about the CVE Program have been appearing in LinkedIn and other forums for years, has CISA ever made an effort to gather up all the complaints they can find, identify for example the top five, and then press MITRE to address them in the next contract? I doubt it. And I’m positive they haven’t done this in the past year, given the chaos that now reigns at CISA.
Therefore, it’s likely that MITRE’s next contract with CISA won’t include any significant changes, other than ones that MITRE can accept without requiring a major cost increase. Maybe, when they start negotiating the 2027 contract, CISA will reach out to the CVE community to find out what changes they would like to see. However, I wouldn’t bet the farm on that, either.
On the other hand, I know the CVE Foundation was considering a lot of ideas for improvements to the CVE Program and would have had serious discussions with MITRE about addressing at least the most important of those in the new contract. Since I believe the Foundation has enough monetary commitments from organizations and governments worldwide to support a sizable increase in MITRE’s contract, and since all the board members of the Foundation are current board members of CVE.org (which oversees the MITRE contract for CISA), some literally for decades, I was optimistic there would have been big improvements in the CVE Program, had the Foundation been able to control the contract.
This is why I say it’s good news that the MITRE contract will be renewed this year, but it’s bad news that CISA, rather than the CVE Foundation, will remain in control of the contract.
Will this turn into a “Good News, Bad News, but finally Good News” story?
I’ve heard some very sketchy information to the effect that, just because the CVE Program remains under CISA’s control, this doesn’t mean that vulnerability identification and classification (which is of course what the CVE Program does) is itself at a dead end. I’m told there may be an important announcement sometime this month regarding that subject.
But that’s all I know.
If you would like to comment on what you have read here, I would love to hear from you. Please comment below or email me at [email protected].
Tom Alrich’s Blog, too is a reader-supported publication. You can view new posts for one month after they come out by becoming a free subscriber. You can also access my 1300 existing posts dating back to 2013, as well as support my work, by becoming a paid subscriber for $30 for one year (and if you feel so inclined, you can donate more than that!).