Global Edition
Government & Policy

CISA extends CVE program contract for 11 months

The initial expiration of MITRE's contract for the Common Vulnerabilities and Exposures Program was a shock to many cybersecurity experts. But the Cybersecurity and Infrastructure Security Agency quickly pledged that there would be no lapse in service.
By Andrea Fox
April 16, 2025
02:29 PM

Photo: IronHeart/Getty Images

A last-minute reprieve from the U.S. Department of Homeland Security looks to have spared the Common Vulnerabilities and Exposures Program for now.

"The CVE Program is invaluable to the cyber community and a priority of CISA," a spokesperson from the DHS' Cybersecurity and Infrastructure Security Agency said Wednesday. 

WHY IT MATTERS

Operated by the non-profit MITRE, a defense research organization that has also provided ransomware support for hospitals and health systems, the CVE program is an essential component of CISA's mission and part of its Cyber Hygiene Services for healthcare and other industries. MITRE's contract to support the CVE and Common Weakness Enumeration (CWE) programs was set to expire on April 16.

"For the benefit of the cybersecurity community and network defenders – and to help every organization better manage vulnerabilities and keep pace with threat activity – CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild," the agency says on its website.

In his letter to CVE board members on Tuesday – which was shared in a social media post by Jen Easterly, former CISA director and now CEO of Evenstar Cyber – Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, listed several cybersecurity concerns.

"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations and all manner of critical infrastructure," he said.

Easterly called it "one of the most important pillars of modern cybersecurity," and said that "losing it would be like tearing out the card catalog from every library at once – leaving defenders to sort through chaos while attackers take full advantage."

Healthcare IT News asked CISA if and when the CVE services might end or change, how new CVEs would be added to the database going forward and if another entity would be taking up the mantle of the work.

Without providing specifics, an agency spokesperson indicated by email Wednesday that CISA took action to protect the integrity of the cardinal resource and extended the contract 11 months.

"Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services," the spokesperson said. "We appreciate our partners’ and stakeholders’ patience."

THE LARGER TREND

CISA has funded the development of the CVE reference system for software vulnerabilities to minimize discovery efforts and costs by cybersecurity stakeholders across industry and government. 

MITRE has researched and maintained the CVE knowledge base since the Department of Homeland Security launched this effort in the 1990s.

Easterly described what is at stake without a properly maintained global catalog, including an inability for cybersecurity teams to assess priorities for patching and the breakdown of automated security tools that rely on CVEs. 

Essentially, archiving the CVE would hobble CISA's efforts to prioritize software flaws and warn the public sector, she said, noting that it would also mar global cyber coordination efforts to defend against global cyber threats.

Cyber threat actors search networks for software vulnerabilities, and they've proved to be successful entry points and back doors into networks despite the agency's Known Exploited Vulnerabilities catalog distributed under the Creative Commons 0 1.0 License in numerous formats. 

Many cyber breaches have been attributed to unpatched vulnerabilities, such as the largest 2021 breach of Florida Healthy Kids, which resulted in the exposure of 3.5 million individuals' personal information. Investigations showed that attackers had access to numerous unpatched CVEs accessible on its website since 2013.

ON THE RECORD

"Thanks to actions taken by the government, a break in service for the [CVE] program and the [CWE] Program has been avoided," Barsoum told Healthcare IT News by email on Wednesday. "CISA identified incremental funding to keep the programs operational.

"We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry and government over the last 24 hours," he added. "The government continues to make considerable efforts to support MITRE’s role in the program, and MITRE remains committed to CVE and CWE as global resources."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.

Topics: 
Government & Policy, Privacy & Security

More regional news

Patient does a virtual care consult

Castlight Health intros virtual urgent care for members

By
Mike Miliard
April 18, 2025
HIMSSCast logo

HIMSSCast: Should every healthcare organization have an AI strategy?

By
Mike Miliard
April 18, 2025
Nurse checks tablet to communicate on shift

Zoom launches agentic AI-powered mobile comms for frontline staff

By
Andrea Fox
April 18, 2025
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Nurse checks tablet to communicate on shift
Zoom launches agentic AI-powered mobile comms for frontline staff

Most Read

Australia infuses $85M in digital mental health and more briefs
Roundup: AI and cloud tackle cyber risk and improve workflows
Chinese health players begin integrating DeepSeek
DEA's draft special telehealth reg rule should be tossed, healthcare orgs say
Oracle Health files QHIN application
Lack of AI governance poses threat to data security, new HIMSS research shows

Research

White Papers

More Whitepapers

Telehealth
Telehealth
Cloud Computing

Webinars

More Webinars

Analytics
Interoperability
Artificial Intelligence

Video

Ilir Kullolli, Stanford Medicine Children's Health_Las Vegas skyline Photo by halbergman/E+/Getty Images
HIMSS-ACCE working together to advance digital health
Vik Bajaj, Foresite Labs_Medical research Photo by Edward Jenner/pexels.com
Healthcare research is being affected by federal budget cuts
Priyanka Jain, Evvy_Hand holding sample vial Photo courtesy of Evvy
How one women's health startup tests fertility outcomes
Keisuke Nakagawa, UC San Diego Health_Las Vegas skyline Photo by halbergman/E+/Getty Images
Can technology help bring the human touch back to medicine?

More Stories

Lee Kim, HIMSS_Las Vegas skyline Photo by halbergman/E+/Getty Images
Past year's data breaches often stemmed from remediable cybersecurity gaps
Cathy Menkiena, Health Catalyst_Las Vegas skyline Photo by halbergman/E+/Getty Images
Innovative – and useful – tech is key to empowering care teams
Sameer Sethi of Hackensack Meridian Health on AI
Hackensack Meridian Chief AI Officer on the intersection of business and technology
Doctor checking and tracking information on a computer
HHS updates regulatory guides for the safe use of EHRs
Sameer Sethi, Hackensack Meridian Health_Computer neural network concept Photo by dan/Moment/Getty Images
Chief AI Officer on becoming one and working with the C-suite
Businessperson signing piece of paper
White House releases guidance on federal AI use and procurement
Dr. Ateev Mehrotra of Brown University School of Public Health on telehealth policy
Brown University policy expert talks about the future of telehealth flexibilities
Micky Tripathi, former HHS acting chief AI officer
Former National Coordinator headed to Mayo Clinic, reports say