Planned NDAA amendment would codify CISA’s role in cyber vulnerability program


The measure, expected as a proposed add-on to the government’s 2027 defense package, targets a bedrock cybersecurity vulnerability-tracking system after a contracting fiasco last year.

A contracting scare that briefly cast uncertainty over a key cyber vulnerability-tracking program is prompting lawmakers to add a measure to the annual defense authorization bill that would establish the program within the Cybersecurity and Infrastructure Security Agency.

The proposal would formally house the Common Vulnerabilities and Exposures program under CISA, require a joint modernization plan with the National Institute of Standards and Technology and push officials to improve the public vulnerability data used by agencies, companies and security researchers to assess cyber risk, according to the text of the planned amendment viewed by Nextgov/FCW.

CVE provides a standardized method for cataloging publicly known security vulnerabilities. Each flaw is assigned a unique identifier of the form CVE-YYYY-NNNN (the year of assignment followed by a sequence number of at least four digits), so that researchers, vendors and officials can be sure they are communicating about the same issue. The program launched in 1999 and is used today by organizations across the private sector and the national intelligence enterprise.

The program faced a contracting debacle last spring when MITRE, the non-profit research giant that operates much of CVE's infrastructure under federal contract, warned that federal backing for the project was about to lapse during an efficiency-driven purge of several contracts at CISA.

The matter was addressed within hours amid outcry from security practitioners, but it ignited discussions over the long-term stability of a system that much of the industry deems critical for day-to-day work.

The proposed NDAA measure is significant because, if passed, it would give CISA a formal, legal role in managing the premier global catalog used across the cybersecurity world to identify, track and prioritize software flaws.

The amendment text reviewed by Nextgov/FCW does not name a sponsoring lawmaker. CISA declined to comment on the proposed measure.

The proposal would also create a 15-member CVE Board to set the program's policies and priorities, with permanent seats for CISA, NIST and the top-level CVE Numbering Authorities that sit at the head of the program's ID-assignment hierarchy. Rotating members would come from industry, academia, the research community and foreign governments.

It would also put greater weight behind vulnerability enrichment, the process of adding context to a bare CVE record about a flaw's severity and how attackers may exploit it, by making enrichment part of CVE's formal mission and directing the program's board to set policies for what information CVE records must include.
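The two points above, that a CVE ID is the key different parties use to talk about the same flaw and that enrichment attaches severity and exploitation context to that key, are what a consumer of CVE data actually does in code. The following added example (not part of the article, and not CVE program or CISA code) canonicalizes CVE IDs as they arrive from several tools that each spell them differently, rejects strings that are not CVE IDs, folds the findings onto one record per ID, attaches enrichment, and orders the result for triage. The scanner findings, host names and the enrichment table are constructed sample data, and the field names `cvss` and `exploited` are assumptions standing in for whatever a real enrichment feed provides.

```python
import re
from typing import Iterable, Optional

# Syntax of a CVE identifier as used by the CVE program's JSON record schema:
# "CVE-", a four-digit year, "-", then a sequence number of 4 to 19 digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,19})$")


def normalize_cve_id(raw: str) -> Optional[str]:
    """Canonicalize a CVE ID as it might appear in a scanner export, ticket or
    advisory (lower case, stray whitespace, underscores instead of hyphens).
    Returns the canonical 'CVE-YYYY-NNNN...' form, or None if the string is
    not a well-formed CVE ID."""
    candidate = raw.strip().upper().replace("_", "-")
    m = CVE_ID_RE.match(candidate)
    if not m:
        return None
    return f"CVE-{m.group(1)}-{m.group(2)}"


# Constructed sample input (not real findings): the same flaws reported by
# three tools, each spelling the identifier differently, plus two bad IDs.
SAMPLE_REPORTS = [
    {"source": "scanner-a", "id": "cve-2024-1234", "host": "web-01"},
    {"source": "scanner-b", "id": " CVE-2024-1234 ", "host": "web-01"},
    {"source": "ticketing", "id": "CVE_2024_1234", "host": "web-02"},
    {"source": "scanner-a", "id": "CVE-2023-45678", "host": "db-01"},
    {"source": "scanner-b", "id": "CVE-2023-123", "host": "db-01"},  # malformed: 3-digit sequence
    {"source": "ticketing", "id": "GHSA-xxxx-yyyy-zzzz", "host": "db-01"},  # not a CVE ID
]

# Constructed enrichment table (assumed field names) standing in for what a
# consumer would pull from an enrichment feed: a severity score and whether
# exploitation has been observed.
SAMPLE_ENRICHMENT = {
    "CVE-2024-1234": {"cvss": 7.5, "exploited": False},
    "CVE-2023-45678": {"cvss": 9.8, "exploited": True},
}


def merge_reports(reports: Iterable[dict], enrichment: dict):
    """Fold findings from several sources onto canonical CVE IDs and attach
    enrichment. Returns (merged, rejected): merged maps each canonical ID to
    its reporting sources, affected hosts and enrichment fields (None when the
    feed has nothing for that ID); rejected lists raw IDs that were not CVE IDs."""
    merged: dict = {}
    rejected: list = []
    for report in reports:
        cid = normalize_cve_id(report["id"])
        if cid is None:
            rejected.append(report["id"])
            continue
        entry = merged.setdefault(cid, {"sources": set(), "hosts": set()})
        entry["sources"].add(report["source"])
        entry["hosts"].add(report["host"])
        extra = enrichment.get(cid)
        entry["cvss"] = extra["cvss"] if extra else None
        entry["exploited"] = extra["exploited"] if extra else None
    return merged, rejected


def prioritize(merged: dict) -> list:
    """Order canonical IDs for triage: known-exploited flaws first, then by
    descending CVSS score; IDs the enrichment feed has not scored sort last."""
    def key(item):
        cid, entry = item
        return (entry["exploited"] is not True, -(entry["cvss"] or 0.0), cid)
    return [cid for cid, _ in sorted(merged.items(), key=key)]


if __name__ == "__main__":
    merged, rejected = merge_reports(SAMPLE_REPORTS, SAMPLE_ENRICHMENT)
    for cid in prioritize(merged):
        e = merged[cid]
        print(cid, sorted(e["sources"]), sorted(e["hosts"]), e["cvss"], e["exploited"])
    print("rejected:", rejected)
```

Note that the canonical form is the only key used for the join: the three spellings of the first ID collapse into one record with three sources and two hosts, while the three-digit sequence number and the non-CVE identifier are reported separately rather than silently dropped, which is the failure mode that matters when tool output is fed into a risk dashboard.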

Earlier this year, EU cybersecurity chief Hans de Vries told an audience at the RSAC Conference in San Francisco that Europe wants to assist with and help modernize the program.

In the same discussion, a top House Homeland Security Committee staffer previewed the measure.

“While CISA is certainly authorized to execute this program, it’s not specifically tasked with doing it, which, as an oversight committee, makes it harder for us to hold an agency accountable for executing a task,” said Moira Bergen, who leads cyber policy work for the Democratic side of the panel.

The House Armed Services Committee approved its version of the fiscal 2027 defense bill earlier this month, sending it to the Rules Committee ahead of expected floor consideration. The Rules panel has told members to submit proposed amendments by 5 p.m. Thursday.

The Senate Armed Services Committee also advanced its own version of the bill last week. Once both chambers pass their versions, House and Senate negotiators will have to reconcile the differences between the two before a final defense policy package can reach the president.

Editor's note: This article has been updated to note that CISA declined comment.