Press Release

CISA Presents Vision for the Common Vulnerabilities and Exposures (CVE) Program

Agency Unveils Upcoming Program Enhancements: Strengthening Partnerships, Modernization, Transparency and Elevating Data Quality and Responsiveness

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) released CISA Strategic Focus: CVE Quality for a Cyber Secure Future. The detailed roadmap identifies priorities that will elevate the program to meet the needs of the global cybersecurity community. The roadmap and priorities are informed by feedback the agency received from a broad spectrum of domestic and international partners and CISA’s years of program sponsorship. It marks the transition from the CVE Program’s Growth Era to its Quality Era, a strategic focus that will enhance trust, boost responsiveness and improve the caliber of vulnerability data.

The CVE Program stands as one of the world’s most respected and trusted cybersecurity public goods. The CVE Program has established itself as the global standard for vulnerability identification. This progress represents the CVE Program’s Growth Era, characterized by the successful recruitment of an extensive worldwide network of more than 460 CVE Numbering Authorities (CNAs). This network has contributed to exponential growth in the cybersecurity community’s capacity to identify, define, and catalog hundreds of thousands of vulnerabilities. As the CVE Program evolves to meet the needs of the global cybersecurity community, it must transition into a new era focused, above all, on trust, responsiveness, and vulnerability data quality.

CISA believes the CVE Program must be led with a commitment to conflict-free and vendor-neutral stewardship, broad multi-sector engagement, transparent processes, and accountable leadership. CISA is committed to maintaining the CVE Program’s core principle: CVE data must remain free and openly accessible as a public good. This principle underpins coordinated cyber defense, enables innovation in security tooling, and empowers defenders across industry and government worldwide.

CISA’s vision for the future of the CVE Program includes:

  • Expansion of Community Partnerships: CISA aims to leverage its partnerships to ensure better representation of international organizations and governments, academia, vulnerability tool providers, data consumers, security researchers, operational technology, and open-source communities.
  • Government Sponsorship: As a critical public good, the CVE Program’s infrastructure and core services require ongoing investment from CISA. As suggested by many in the community, CISA is evaluating potential mechanisms for diversified funding.
  • Modernization: CISA is committed to accelerating the implementation of technological improvements.
  • Transparency and Communications: CISA will actively seek and incorporate community feedback into program roadmap decisions and maintain regular communications and engagement with global partners.
  • Data Quality Improvements: CISA will collaborate with industry and international governments to establish a new standardization including federated mechanisms to scale vulnerability data enrichment, like Vulnrichment, and by expanding the Authorized Data Publisher (ADP) capability.

“Under CISA’s leadership and sponsorship, the CVE Program has continually evolved to reinvigorate, modernize and strengthen the framework. CISA remains fully committed to sustaining and enhancing this critical global cyber defense framework,” said Nick Andersen, Executive Assistant Director for Cybersecurity, CISA. “With this strategic vision, CISA is reaffirming our leadership role and seizing the opportunity to modernize the CVE Program, solidifying it as the cornerstone of global cybersecurity defense. In collaboration with the global cybersecurity community, CISA is committed to delivering a well-governed, trusted, and responsive CVE Program aimed to enhance the quality of vulnerability data and global cybersecurity resilience.”

For more information, please visit CVE: Common Vulnerabilities and Exposures.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.