Overview
- CISA published “CVE Quality for a Cyber Secure Future,” formalizing a shift from expansion to data quality with priorities on completeness, accuracy and timeliness.
- The agency asserts the program must remain publicly maintained and vendor‑neutral, warning that privatization could erode trust and jeopardize critical infrastructure, and noting KEV relies on CVE.
- The roadmap calls for accelerated automation, improved CNA services and APIs, minimum record standards, and federated enrichment through efforts like Vulnrichment and Authorized Data Publishers.
- CISA is broadening participation through new Consumer and Researcher Working Groups and seeks greater representation from international partners, industry, researchers, OT and open‑source communities.
- Program continuity is secured through March 2026 via an 11‑month MITRE contract extension as CISA evaluates diversified funding, while observers highlight MITRE’s omission from the document and a new CVE Foundation’s nonprofit stewardship push.