Mitre-backed cybersecurity program gets last minute save

Federal government approves 11-month contract extension

Josh Janney //April 16, 2025//

A multi-story office building.

Mitre's McLean campus. Photo courtesy Mitre

Federal contractor Mitre, which has dual headquarters in Virginia and Massachusetts, expected Wednesday to lose the needed to operate and maintain its nearly 26-year-old Common Vulnerabilities and Exposures (CVE) program, but a last-minute reprieve from the Cybersecurity and Infrastructure Security Agency (CISA) has prevented that from happening.

Established in September 1999, the CVE program has been run by Mitre and funded by contracts from CISA and the U.S. Department of Homeland Security (DHS). The program aims to identify, define and catalog publicly disclosed cybersecurity vulnerabilities. It is continuously updated by the global cyber community and is described by Mitre as “a foundational pillar of the cybersecurity ecosystem,” relied on by organizations across industry, government, national security and critical infrastructure.

“The CVE Program anchors a growing cybersecurity vendor market worth more than $37 billion, providing foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management, and endpoint detection and response,” a Mitre spokesperson said.

On Tuesday, a memo from Yosry A. Barsoum, vice president and director for Mitre’s Center for Securing the Homeland, to CVE board members indicated that the program was in jeopardy. The memo, which was circulated on social media and confirmed by Mitre, stated that the current contracting pathway for Mitre to develop, operate and modernize CVE and several related programs was set to expire on Wednesday.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations and all manner of critical infrastructure,” Barsoum wrote ahead of the potential contract expiration.

However, Tuesday night CISA executed an option period to extend the contract with Mitre for an additional 11 months, ensuring there will be no lapse in critical CVE services. In a statement issued Wednesday, a CISA spokesperson said the CVE program is “invaluable” to the cyber community and a priority of CISA.

CISA did not respond to requests for additional comment.

Barsoum said in a statement Wednesday that, thanks to actions taken by the , breaks in service to the CVE program and the Common Weakness Enumeration program were avoided.

“As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the programs operational,” Barsoum said. “We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry and government over the last 24 hours. The government continues to make considerable efforts to support Mitre’s role in the program, and Mitre remains committed to CVE and CWE as global resources.”

According to a Mitre spokesperson, after the 11-month extension is up, Mitre plans to work with its federal sponsors, the CVE board and the cybersecurity community on considerations for continued financial and community support of the program.

Earlier on Wednesday, some CVE board members issued a news release announcing that they were launching a new entity called the CVE Foundation to ensure that the program could have long-term viability, sustainability and independence.

“Since its inception, the CVE program has operated as a U.S. government-funded initiative, with oversight and management provided under contract,” the foundation wrote. “While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.”

The foundation said the concern became urgent following Tuesday’s letter from Mitre notifying the CVE board that the federal government didn’t intend to renew the contract for managing the program.

“While we had hoped this day would not come, we have been preparing for this possibility,” the foundation said. “In response, a coalition of longtime, active CVE board members have spent the past year developing a strategy to transition CVE to a dedicated, nonprofit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”

The foundation did not return requests for further comment.

Earlier this month, Mitre announced it planned to lay off 442 workers in Virginia by June 3. The announced cuts came after the ‘s Department of Government Efficiency (DOGE) said the government was canceling more than $28 million in contracts with Mitre. Launched by President Donald Trump and run by SpaceX and Tesla billionaire , DOGE identified the Mitre contract cancellations as part of its cost-cutting measures, according to G2Xchange, a company that tracks federal contracts.

Founded in 1958, the not-for-profit Mitre manages federally funded research and development centers, including the National Security Engineering Center, which delivers research, engineering and analytical solutions to the Department of Defense and the intelligence community.

Mitre has more than 60 sites worldwide, employing 10,000 workers. Mitre’s 200-plus labs develop innovations in applied science and technologies in sectors ranging from artificial intelligence, cybersecurity and quantum computing to maritime and aviation safety.
