
The Mandate, Mission, and Momentum to lead the CVE Program into the Future belongs to CISA

Released

By Nick Andersen, Executive Assistant Director for Cybersecurity

In today’s high-threat environment, our adversaries are exploiting vulnerabilities faster than ever before—and with greater strategic intent. They’re executing deliberate, targeted campaigns against our infrastructure, our institutions, and the trust that underpins our economy. At CISA, our charge is clear: shift the advantage back to the defender. 

One of the most effective ways to do that is through the Common Vulnerabilities and Exposures (CVE) Program, a critical cyber framework we have sponsored for more than a decade. If we want to outpace and outmaneuver our adversaries, we must first ensure that defenders everywhere are operating from the same map. That’s what the CVE Program provides: a common lexicon of real, exploitable vulnerabilities. CISA has been—and will remain—committed to the security, stability, and strategic direction of this mission-critical infrastructure.  

Over the past year, we’ve seen significant debate around the future of the program. That conversation is healthy. It shows the CVE Program matters. But let me be absolutely clear: there is no national cyber defense without a reliable, government-led system for vulnerability identification. Fragmentation, privatization, or industry capture of this function would not only erode trust in the system—it would put American lives and infrastructure at risk.

The Known Exploited Vulnerabilities (KEV) Catalog would not be possible without the underlying CVE Program coupled with CISA’s unique operational insights. The CVE Program serves as the backbone of cyber defense, powering the entire threat-informed defense model by providing consistent identifiers and descriptive metadata about vulnerabilities. This data must be universally accessible, structured, trusted, and maintained by a neutral steward: America’s Cyber Defense Agency, in coordination with our international and industry partners. 

Over the past several years, CISA, MITRE, and the CVE Board have modernized and refined the program and reaffirmed our commitment to making the program resilient, inclusive, and community-driven. We do this not by dictating outcomes from Washington, but by inviting developers, security researchers, international partners, and private-sector leaders to shape the future of the program together.

The facts are simple: The mandate, mission, and momentum to lead this program into the future belong to this agency. CISA is accountable to the American people for protecting the nation’s critical infrastructure and for ensuring the program’s long-term continuity and mission focus. Suggestions to privatize the CVE Program or move it to another stewardship model might sound appealing, but the implications are serious. Private entities, even with the best intentions, face conflicts of interest, prioritizing shareholder value over national security.

The newly released CISA Strategic Focus: CVE Quality for a Cyber Secure Future outlines our path forward: the shift from our “Growth Era” to our “Quality Era,” with a focus on improving the completeness, accuracy, and timeliness of CVE records; enhancing program governance; expanding international and private-sector participation; and ensuring sustainable, secure infrastructure for the long haul. This is what defenders need. This is what the community expects. And this is what we will deliver.

If you’re a cybersecurity practitioner, you already rely on the CVE Program—whether you realize it or not. Now, we ask that you lean in, engage with us, and share your expertise to help build the next evolution of this national asset.

Together, we are defending forward. Together, we are strengthening America’s cyber resilience and beyond.