CISA wants more international involvement in cyber vulnerability catalog, official says


The Cybersecurity and Infrastructure Security Agency wants to involve more international partners in overseeing a long-standing cyber vulnerability cataloging project, which narrowly avoided a vast defunding earlier this year, a top official said Wednesday.

The Common Vulnerabilities and Exposures Program faced a near complete lapse in government funding in April when MITRE, the research giant that supports much of the program’s functions, warned of an imminent end to federal backing for the cornerstone cybersecurity project. The lapse was reversed within hours after outcry from the cybersecurity community.

The European Union’s cybersecurity agency, dubbed ENISA, for instance, is one desired organization to involve in the program, said Nick Andersen, the agency’s executive assistant director for cybersecurity.

“That’s a great example of somebody we want to bring in closer into the fold, to say again, as a global community, how can we really take a better look — more holistic look — at CVEs and what it means for defenders worldwide?” he said in an on-stage interview at a Nextgov/FCW cybersecurity event.

The CVE Program provides a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. Each software flaw is assigned a unique identifier, designed to help security researchers, vendors and officials more effectively communicate about the same issue.

“There are lots of other stakeholders here, outside of exclusively the U.S.,” added Andersen. “One of our key goals is to make sure that they feel like they got ownership, and they’ve got that seat at the table.” 

The agency is looking at ways to expand on community partnerships and improve data quality standards for vulnerability information shared with the private sector and overseas governments, it said in a paper issued last week that sought to outline forward-looking commitments for the CVE project.

Domestically, Andersen doesn’t foresee handing off management of the program to another agency like the National Institute of Standards and Technology, though he “absolutely” expects more engagement to occur with other U.S. agencies.

CVE board members were reportedly left in the dark amid the near funding collapse in April. Asked about how the close call unfolded behind the scenes, Andersen said it was a contract administration processing issue and added that everyone could agree that federal contracting could be more efficient and faster.

“Can I agree that the message, and the way it came out with MITRE, caused an awful lot of consternation with the community? Yep, I certainly can, and I can understand that, but the fact of the matter is, we are fully committed,” he said.

In April, CISA’s announcement of the contract extension came just hours after a subset of the CVE Board said it planned to break off to maintain the program under a new body called the CVE Foundation. The group aims to “support the transition of the CVE Program from a single funding stream to a diversified and stable funding model,” its website says.

Andersen said he couldn’t speak for the entire agency and whether other officials have interacted with the foundation and mentioned that he himself has not been in touch with its members.
