CISA ‘fired up’ to chart new vision for CVE program

The Cybersecurity and Infrastructure Security Agency is charting a new path forward for the Common Vulnerabilities and Exposures program, with CISA’s top cybersecurity official looking to bring more “quality” to the CVE catalog.

Nick Andersen, CISA’s executive assistant director for cybersecurity, discussed the cyber agency’s support for the CVE program in his first public remarks at the Billington Cyber Conference on Thursday afternoon.

Andersen was sworn in earlier this month. He is a Marine veteran and previously served as the Energy Department’s top cybersecurity official during the first Trump administration.

His comments add more detail to a new “vision” CISA published on Wednesday, detailing next steps for the CVE program.

In the vision document, CISA said it’s exploring diversified funding sources for CVE, modernizing CVE infrastructure and expanding partnerships to bolster trust in the program. CISA is also eyeing data quality improvements to boost the usability of CVE.

“We’re talking about helping organizations to target what is it that’s most important? What is it, objectively, that’s happening within the threat environment?” Andersen said. “That can’t happen anyplace but within government. We have to make sure this is an opportunity to exist within a space that is going to be free from any potential influence, governed in a tight way with all of our international partners.”

The CVE program began in 1999 as a consistent way to publicly track known software vulnerabilities. The program has since grown to more than 460 CVE Numbering Authorities (CNAs), according to CISA.

“We have gone from our growth era to our quality era,” Andersen said.

CISA contributes a substantial amount of funding to the program through a contract with MITRE. But that contract nearly lapsed this spring, leading some to criticize CISA over a perceived lack of support and commitment to the program. Organizations involved in the program began exploring alternative funding and oversight arrangements.

Andersen said the near lapse was “just contract paperwork, workflow issues.”

“There was never any sort of demonstrated intent to not fund this program, to not execute a contract for this program,” Andersen said. “This is our baby. This is what we do. This is why this agency exists.”

He argued only the government can provide services like CVE in an “objective and impartial way.”

“This is what we’re going to do, and we’re incredibly dedicated to it, and our [vulnerability management] team is fired up about their ability to continue to push this thing to grow and mature,” Andersen said.

CISA 2015 reauthorization

Meanwhile, CISA is also preparing for the possibility that a key law, the Cybersecurity Information Sharing Act of 2015, will expire at the end of the month.

“It’s our responsibility to prepare for every eventuality,” Andersen told reporters after his remarks. “It is a critical tool in the toolkit. It has enabled sharing back and forth through the [Automated Indicator Sharing] program primarily.”

Andersen said many of the cybersecurity advisories that CISA publishes are based on information shared by industry.

“I just can’t underscore just enough how critical CISA 2015 is to the underlying success of the organization and being able to deliver on our mission,” Andersen said.

New National Cyber Director Sean Cairncross has also been pushing Capitol Hill to reauthorize the law before it expires Sept. 30.

But Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) is eyeing substantial changes to the law’s authorities, Politico reported today. The changes are likely to face opposition from many of his Senate colleagues and House lawmakers, potentially derailing efforts to reauthorize the law this month.

“We’ll take whatever the Congress decides to authorize us, wherever they see fit within their purview to authorize and to give us our authorities to be able to use,” Andersen said. “So at this point, I think my primary concern is, if it lapses, give us 30 days for the Congress to do what they need to do. Give us two years. Give us 10 years. Give us 50. We’ll take it. Obviously we love stability for the organization and stability for our partners to understand how we’re going to be able to protect and exchange information, but really, that’s up to Congress.”

CISA AI hackathon

CISA is also organizing an “AI Hackathon,” according to CISA’s acting director Madhu Gottumukkala.

Speaking at Billington on Thursday morning, Gottumukkala said the event will “solicit the best and brightest from U.S. academia to test AI systems for effectiveness, for transparency, use control, and also to test any of the security vulnerabilities.”

Under the White House’s AI Action Plan, the Department of Homeland Security is also exploring the establishment of an AI Information Sharing and Analysis Center, modeled after other ISACs for critical infrastructure.

Copyright
© 2025 Federal News Network. All rights reserved.