The Cybersecurity and Infrastructure Security Agency has published its plan to enhance its Common Vulnerabilities and Exposures, or CVE, program, which identifies and disseminates information about cyberthreats. The agency said Wednesday that the CISA Strategic Focus: CVE Quality for a Cyber Secure Future serves as a roadmap and details priorities to ensure that the program meets the needs of the global cybersecurity community.
The document was developed using feedback from domestic and international partners. According to the agency, it marks the transition of the CVE program from its ‘growth era’ to its ‘quality era.’
“With this strategic vision, CISA is reaffirming our leadership role and seizing the opportunity to modernize the CVE Program, solidifying it as the cornerstone of global cybersecurity defense,” commented Nick Andersen, executive assistant director for cybersecurity at CISA. “In collaboration with the global cybersecurity community, CISA is committed to delivering a well-governed, trusted and responsive CVE Program aimed to enhance the quality of vulnerability data and global cybersecurity resilience.”
Learn more about emerging security threats to the nation at the Potomac Officers Club’s 2025 Homeland Security Summit on Nov. 12. The in-person networking event will cover U.S. homeland security programs, efforts and strategic initiatives and the implementation of artificial intelligence and other advanced technologies. Grab your tickets before it is too late!
CISA Shares Vision for CVE Program
According to the document, CISA plans to modernize the CVE infrastructure through the adoption of advanced technologies. The agency intends to implement automation and other capabilities to enhance its CVE Numbering authorities, or CNAs, and expand application programming interface support.
CISA is also aiming to develop minimum standards for CVE record quality and federated mechanisms to ensure that all CNAs that publish a CVE record contain common vulnerability scoring system and common weakness enumeration data. The move is expected to improve data quality to support the future rollout of automation, machine learning and artificial intelligence.
In addition, the agency said it wants to form deeper partnerships through ensuring that international organizations, academia, vulnerability tool providers, data consumers, security researchers, operational technology companies and the open-source community are better represented in the program.
