CISA officials commit to supporting top vulnerability cataloging program


LAS VEGAS — Two Cybersecurity and Infrastructure Security Agency officials committed to supporting the MITRE-backed Common Vulnerabilities and Exposures Program, just months after it faced a near-complete lapse in funding.

Used extensively across sectors, from private industry to national intelligence agencies, the CVE Program provides a standardized framework for identifying publicly known vulnerabilities and plays a central role in vulnerability management. It was launched in 1999. Agencies such as CISA regularly issue alerts that refer to vulnerabilities by their CVE identifiers.

CISA is “heavily invested” in it and will “continue to fund the CVE Program and continue to improve the CVE Program,” said Chris Butera, acting executive assistant director in CISA’s cybersecurity division, speaking to a large audience at the Black Hat cybersecurity conference in Las Vegas, Nevada, alongside Robert Costello, CISA’s chief information officer.

The vulnerability standard is “really central to all of our cybersecurity operations,” Butera added.

Costello concurred, saying it’s an “extremely powerful tool, and it works extremely well.”

In mid-April, CISA extended its CVE contract just hours after MITRE warned that federal backing for the cornerstone cybersecurity project was about to end, a warning that set off alarm across the industry.

The CVE Program provides a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. Each flaw is assigned a unique identifier, a CVE ID, so that security researchers, vendors and officials can refer to the same issue consistently rather than by product name, description or vendor bulletin number.

The remarks represent some of the cyberdefense agency’s most forceful public support for the program to date, despite recent cuts to contracts and staffing tied to the Trump administration’s broader push to curb government size and spending.

Butera underscored the significance of the CVE Program in tracking vulnerabilities and cited its role in addressing recent Microsoft SharePoint disclosures that affected several government agencies, including the Department of Homeland Security and the Department of Energy.

“We have to have that exact, unique way to identify the specific vulnerability that we’re talking about. And in the SharePoint case, there’s four different CVEs involved, right? And so we had to have that specific, unique identifier attached to the vulnerability so we were all talking about the same thing. And without the CVE Program, we don’t have that.”
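The practical side of the point made above, that a CVE ID is the one handle everyone can agree on, is the routine work of pulling identifiers out of advisories, tickets and chat and collapsing repeated mentions of the same flaw. The Python below is an added example written for this page; it is not code from the article, CISA or the CVE Program. It extracts CVE IDs from free text, normalizes case, checks the ID syntax (the prefix CVE-, a four-digit year, and a sequence number of at least four digits) and deduplicates the result. The sample thread is constructed; the two identifiers in it (CVE-2014-0160, the OpenSSL Heartbleed bug, and CVE-2021-44228, the Log4j flaw) are real, well-known IDs used only as input. The SharePoint CVEs the article refers to are not named here because the article does not name them.

```python
import re
from datetime import date

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence number of at least four
# digits. Short sequences are zero-padded to four digits (e.g. 0160); by the same
# padding rule a sequence of five or more digits carries no leading zero.
# Case-insensitive so that "cve-2014-0160" typed in a chat resolves to the same ID.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the program launched in 1999; no ID carries an earlier year


def is_valid_cve(cve_id: str) -> bool:
    """Syntactic check only: the string is a well-formed CVE ID with a plausible year.
    It does not confirm that the ID has actually been published in the catalog."""
    m = CVE_RE.fullmatch(cve_id.strip())
    if m is None:
        return False
    year, seq = int(m.group(1)), m.group(2)
    if not FIRST_CVE_YEAR <= year <= date.today().year:
        return False
    # A sequence of five or more digits with a leading zero is malformed ("CVE-2014-00160").
    return len(seq) == 4 or seq[0] != "0"


def normalize_cve(raw: str) -> str:
    """Canonical upper-case form of a CVE ID; raises if the input is not well-formed."""
    m = CVE_RE.fullmatch(raw.strip())
    if m is None or not is_valid_cve(raw):
        raise ValueError(f"not a well-formed CVE ID: {raw!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}"


def extract_cves(text: str) -> list[str]:
    """Every well-formed CVE ID mentioned in text, canonicalized and deduplicated,
    in order of first appearance. Malformed look-alikes are skipped, not repaired."""
    found: list[str] = []
    for m in CVE_RE.finditer(text):
        cid = f"CVE-{m.group(1)}-{m.group(2)}"
        if is_valid_cve(cid) and cid not in found:
            found.append(cid)
    return found


def same_vulnerability(a: str, b: str) -> bool:
    """Two references name the same flaw exactly when they canonicalize to the same ID."""
    return normalize_cve(a) == normalize_cve(b)


# Constructed sample (not a real ticket): the same flaw mentioned twice in different
# casing, a second unrelated flaw, and two malformed strings that must be ignored.
SAMPLE_THREAD = """
Vendor advisory references CVE-2014-0160 (OpenSSL heartbeat read overrun).
Analyst note: patched cve-2014-0160 on the bastion hosts last night.
Separate ticket: CVE-2021-44228 in the logging library, unrelated to the above.
Typos seen in chat: CVE-2014-160 and CVE-2014-00160 (neither is a valid ID).
"""

if __name__ == "__main__":
    for cid in extract_cves(SAMPLE_THREAD):
        print(cid)
```

Running the block prints the two canonical IDs once each; the lowercase duplicate and the two typos drop out, which is exactly the property Butera describes: one identifier per flaw, whoever is talking about it. The validity check is syntactic only; confirming that an ID exists and what it covers still means looking it up in the CVE catalog.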
