Funding Expiration Threatens Crucial Cybersecurity Program

ARLINGTON, Va. — The U.S. government funding necessary for the non-profit research organization MITRE to operate its flagship Common Vulnerabilities and Exposures (CVE) Program will cease on Wednesday, April 16, 2025, as confirmed by MITRE to Nextgov/FCW.

The CVE Program, launched in 1999, plays an essential role across various sectors, including private industries and national intelligence agencies, by providing a standardized framework for identifying and cataloging cybersecurity vulnerabilities. Each vulnerability is assigned a unique identifier, fostering clear communication among security researchers, vendors, and officials.

Yosry Barsoum, MITRE’s Center for Securing the Homeland director, also indicated that funding for associated initiatives, such as the Common Weakness Enumeration program, will similarly end tomorrow. “The government continues to make considerable efforts to support MITRE’s role in the program, and MITRE remains committed to CVE as a global resource,” Barsoum stated.

Concerns regarding the funding expiration arose when details from a message purportedly sent by Barsoum to CVE board members circulated on social media. MITRE confirmed the authenticity of this message, which warned of potential severe disruptions if services were to halt.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases, advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” the notice indicated. Presently, the CVE Program has cataloged nearly 275,000 vulnerabilities, with historical data also available on its GitHub repository.

This development comes amid expected budget cuts for the Cybersecurity and Infrastructure Security Agency (CISA), which collaborates with MITRE on the CVE Program. Reports indicate that several contracts have either been terminated or allowed to lapse, impacting CISA’s capabilities.

A MITRE spokesperson noted, “There is still active work continuing for DHS agencies underway at MITRE, and we are in communication about ways we can continue to support DHS’s mission.”

House Science Committee Ranking Member Zoe Lofgren, D-Calif., and Committee on Homeland Security Ranking Member Bennie Thompson, D-Miss., criticized the funding lapse, labeling it “reckless and ignorant.” They asserted that it threatens global cybersecurity efforts, emphasizing the importance of the CVE Program in ensuring the security of various systems from personal computers to critical infrastructures.

“Eliminating this contract will allow malicious actors to operate in the dark,” they stated. The lawmakers called for the Department of Homeland Security to restore full funding to the CVE Program before facing dire consequences.

A spokesperson for the Department of Homeland Security did not respond promptly to a request for comments. However, a CISA representative reaffirmed the agency’s commitment to being the primary sponsor of the CVE Program, stating that it is “urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”

The potential loss of funding for MITRE’s cybersecurity vulnerability program coincides with the National Institute of Standards and Technology’s (NIST) increased vigilance concerning the number of cyber vulnerabilities reported to its National Vulnerability Database.

This article has been updated to incorporate further comments from MITRE, CISA, and relevant lawmakers.