MITRE Corporation’s funding from the federal government was expected to deplete today, according to an email sent out by the organization. However, the Cybersecurity and Infrastructure Security Agency (CISA) has announced it is extending support for MITRE to prevent a lapse in payments. 

MITRE manages the Common Vulnerabilities and Exposures (CVE) database and is responsible for identifying, describing and categorizing publicly disclosed cyber vulnerabilities. This work allows cyber and IT professionals to stay up to date on bugs and potential hacks.

The possibility of a lapse in MITRE’s services alarmed the cybersecurity community. Jason Soroko, Senior Fellow at Sectigo, explains why, stating, “A service break would likely degrade national vulnerability databases and advisories. This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained.” 

At this time, the purpose for potentially ending the contract is unclear. There are also no immediate details on what continued funding will look like. 

Casey Ellis, Founder at Bugcrowd, remarks, “CVE underpins a huge chunk of vulnerability management, incident response and critical infrastructure protection efforts. A sudden interruption in services has the very real potential to bubble up into a national security problem in short order.” 

What happens now?

Darren Guccione, CEO and Co-Founder at Keeper Security, believes now more than ever is the time for the government to bolster cybersecurity. 

“Focus on critical cybersecurity programs should be prioritized now, more than ever, in the face of growing threats from malicious nation-states and cybercriminals,” Guccione says. “The CVE funding scare comes at a time when cyber threats are growing in both volume and sophistication. Nation-state actors — particularly from China, Russia, Iran and North Korea — continue to engage in persistent cyberespionage and disruption campaigns against United States interests. Ransomware gangs and cybercriminal syndicates exploit known vulnerabilities to steal, extort and disrupt organizations.”

Rather than halt funding for organizations such as MITRE, Guccione believes that the government should continue investing in them. 

“Now is the time for our government to invest in cybersecurity programs and solutions that increase our nation’s readiness and resilience,” asserts Guccione. “Along with vulnerability identification and disclosure, modern frontline tools such as cloud-based password and privileged access management should be funded and implemented, as the bedrock of protection for U.S. businesses, government and critical infrastructure alike.”

Although CISA has prevented the end of MITRE’s contract for now, the possibility of losing MITRE’s database worries many cyber leaders. Eric Schwake, Director of Cybersecurity Strategy at Salt Security, says, “The potential loss of funding for the MITRE-operated CVE program raises significant concerns within the cybersecurity community. The CVE system serves as a fundamental component of vulnerability management, offering a standardized method for identifying, describing, and tracking publicly recognized security vulnerabilities, including those impacting API implementations. A lack of consistent funding could severely disrupt the program’s capacity to assign and maintain CVEs, resulting in delays in vulnerability disclosures, inconsistent identification of flaws in APIs and other software, and ultimately heightening risks for organizations that depend on CVE data for security updates and mitigation strategies. This situation highlights the urgent need for stable and ongoing support for the CVE program to guarantee the continued efficacy of global vulnerability management efforts, especially given the increasing complexity and importance of API security.”

Read more about a new update on this situation here.