
The Cybersecurity and Infrastructure Security Agency (CISA) plans to seek funding and input from international governments to support its Common Vulnerabilities and Exposures (CVE) Program, a senior official said Wednesday.
CVE, launched in 1999 by non-profit MITRE with sponsorship and oversight from the federal government and CISA, is used to catalog and share cybersecurity vulnerabilities with organizations to help identify and mitigate security risks.
After federal funding for the CVE program nearly lapsed earlier this year because of a paperwork error, the program is getting an update, CISA announced last week. The agency said the program will focus on improving data quality and access while looking for diversified funding sources.
One source CISA will look to for that funding is global organizations and governments outside the United States, said Nick Andersen, executive assistant director for cybersecurity at CISA, speaking at a NextGov event on Sept. 17.
“As we look to sort of expand our governance structure within the CVE program … a lot of that’s going to mean international partnerships, bringing other governments to the table,” said Andersen.
“One of our key goals is to make sure that they feel like they’ve got ownership, and they’ve got … that seat at the table, because we want to limit at all the possibility of having a fractured vulnerability ecosystem and having multiple reporting chains and multiple different views of what are the enumerated vulnerabilities within the wider cyber ecosystem,” Andersen continued.
Currently, international partners already handle core technical work within the CVE program, but CISA’s new vision for the program would bring those partners into the CVE governance strategy.
Beyond giving international partners a greater stake in CVE, Andersen said being more inclusive will also help CISA shift the program toward “a quality era,” which means harmonizing data standards across international CVE numbering authorities and enriching vulnerability records with more context.
This would give defenders actionable insights into how exploits are being used in real-world environments.
“All of those things point to just sort of further enriching the context through which people can use this as a decision tool, not just a check box of ‘this CVE was published,’” explained Andersen.