
CISA’s CVE Program and Why it Matters for Zero Trust


The vulnerability program provides the cybersecurity community visibility into software as part of a key pillar of CISA’s zero trust model.

Photo Credit: Max Acronym/Shutterstock

The cybersecurity community earlier this year turned its attention to a Cybersecurity and Infrastructure Security Agency (CISA) program that supports the government’s priorities in zero trust adoption.

The Common Vulnerabilities and Exposures (CVE) Program is a vital resource for software developers and cybersecurity professionals because it enables them to quickly identify and address security vulnerabilities. In the context of zero trust, this means gaining necessary visibility into what software systems may be vulnerable, CISA Associate Director of Vulnerability Management Sandy Radesky told GovCIO Media & Research.

“Because zero trust assumes there is no perimeter, organizations must individually secure every asset, device and connection,” she said.

CVE is operated under a partnership between CISA and the nonprofit R&D company MITRE. Originally founded in 1999, the program quickly gained traction within the security community.

CVE provides foundational situational awareness to enforce the premise that “no user or asset is to be implicitly trusted.” That principle underpins the five pillars of CISA’s Zero Trust Maturity Model, which outlines requirements for continuous asset visibility and supply chain risk management.

“The CVE Program supports this by enabling organizations to identify vulnerable components in third-party software,” said Radesky. “CVE data informs real-time intelligence within intrusion detection and prevention systems, allowing defenders to isolate or reroute traffic involving vulnerable systems.”

CISA uses CVE data to pinpoint emerging vulnerabilities through Coordinated Vulnerability Disclosure (CVD), issue alerts and advisories, and populate the agency’s Known Vulnerabilities Catalog, driving a coordinated national response to active threats.

The program is recognized as the de facto global standard for vulnerability identification and is critical to enhancing the resilience of critical infrastructure and improving the nation’s overall security posture. The catalog, for example, serves as a dynamic list of vulnerabilities actively exploited across global networks.
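The visibility the program gives defenders is only useful once CVE and catalog data are joined to an organization’s own asset inventory. The following is an added illustration of that join, not code from CISA or the CVE Program: it parses a catalog feed in the same shape as CISA’s Known Exploited Vulnerabilities JSON (fields `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), matches entries against a constructed asset register, and orders the findings by ransomware linkage and remediation due date. The feed contents, CVE IDs, vendors, products and asset names are all constructed placeholders.

```python
"""Cross-reference an asset inventory against a KEV-style catalog feed.

Added illustration (not CISA's code). The feed below is constructed to
mimic the field names of CISA's Known Exploited Vulnerabilities JSON;
every CVE ID, vendor and product in it is a placeholder, not a real entry.
"""
import json
from datetime import date

# Constructed feed: same shape as the KEV JSON, placeholder content.
KEV_FEED_JSON = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp",
         "product": "Gateway Appliance", "dateAdded": "2099-01-05",
         "dueDate": "2099-01-26", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "Example Corp",
         "product": "gateway appliance", "dateAdded": "2099-02-01",
         "dueDate": "2099-02-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0003", "vendorProject": "OtherVendor",
         "product": "Mail Server", "dateAdded": "2099-02-10",
         "dueDate": "2099-03-03", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory (hypothetical assets), as a zero-trust asset
# register might export it. Note the inconsistent vendor/product spelling.
INVENTORY = [
    {"asset": "gw-01", "vendor": "ExampleCorp", "product": "Gateway Appliance"},
    {"asset": "gw-02", "vendor": "examplecorp", "product": "Gateway-Appliance"},
    {"asset": "db-01", "vendor": "OtherVendor", "product": "Database"},
]


def normalize(name: str) -> str:
    """Fold case, whitespace and punctuation so vendor/product strings
    written slightly differently still compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def load_kev(feed_json: str) -> list[dict]:
    """Parse the feed and attach a normalized (vendor, product) key to
    each entry so matching does not depend on exact spelling."""
    entries = json.loads(feed_json)["vulnerabilities"]
    for entry in entries:
        entry["_key"] = (normalize(entry["vendorProject"]),
                         normalize(entry["product"]))
    return entries


def match_inventory(feed_json: str, inventory: list[dict], today: str) -> list[dict]:
    """Return one finding per (asset, CVE) pair whose vendor/product appears
    in the catalog. Findings are ordered so the most urgent come first:
    ransomware-linked entries, then the earliest remediation due date."""
    entries = load_kev(feed_json)
    today_date = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        key = (normalize(asset["vendor"]), normalize(asset["product"]))
        for entry in entries:
            if entry["_key"] != key:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset["asset"],
                "cve": entry["cveID"],
                "due": due.isoformat(),
                "overdue": due < today_date,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (not f["ransomware"], f["due"], f["asset"]))
    return findings


if __name__ == "__main__":
    for finding in match_inventory(KEV_FEED_JSON, INVENTORY, "2099-02-01"):
        print(finding)
```

A vendor/product match is a coarse first pass: the catalog does not carry affected version ranges, so each finding still has to be confirmed against the CVE record for the installed version before it is treated as a patching obligation rather than a lead.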

In April, the program reportedly neared a lapse in funding, prompting concern throughout the cybersecurity community. It was enough to spur CISA to issue a public statement clarifying that there were no funding issues; rather, the agency had been working to exercise its option period on the contract before the funding deadline.

“The CVE Program is an invaluable public resource relied upon by network defenders and software developers alike,” said Matt Hartman, CISA’s then acting executive assistant director for cybersecurity. “There has been no interruption to the CVE program, and CISA is fully committed to sustaining and improving this critical cyber infrastructure.”

AI Tools in Vulnerability Monitoring

Through the CVE AI Working Group, the program has been assessing the impact of artificial intelligence on the program and evaluating vulnerabilities specific to AI, said Radesky.

Currently, a CVE ID is assigned when AI software has an identified cybersecurity vulnerability. The group is exploring how to signpost what should happen with AI-specific vulnerabilities that are not cybersecurity related, she said. This might include changing some of the database’s structure to separate AI-specific vulnerabilities.

CISA officials say AI has a lot of potential to support vulnerability detection tools. With appropriate asset management and identification, AI tools can improve detection of vulnerabilities in certain product types, such as low-power internet of things (IoT) devices.

“CISA is also experimenting with AI tools to automate mapping of CVEs to common TTPs,” said Radesky. “This automation could enhance decision-making for cyber defenders by providing clearer insights into vulnerability exploitation and helping organizations make more informed choices about patching, mitigation strategies and resource allocation.”

Future of Vulnerability Detection Efforts

AI has created a need to continuously evolve cybersecurity efforts. For CVE, CISA will continue to seek and incorporate community feedback on the stewardship of the program.

“We welcome new ideas, active participation, and meaningful collaboration between the private sector and international governments,” said Radesky. “Together we can achieve our like-minded goal to deliver the requisite stability and innovation to the CVE program.”

In the near future, the agency plans to release Cyber Performance Goals (CPG) that will correlate to the most recent update of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), version 2.0.

CISA also plans to extend CPGs in a self-service assessment format with a new release of ReadySetCyber (RSC).

“RSC is a solution aimed at helping organizations understand their cyber risk, provide immediate actions and prioritize investments,” said Radesky. “Our aim with this effort is to simplify and streamline access to the right information, ensuring that every organization can make informed decisions to enhance their digital security. With RSC users will be able to provide feedback on their experience, enabling us in return to refine and enhance our application in a collaborative way.”
