MITRE’s Federal Contract Expires Today: Global Cybersecurity at Risk

by Cedric Solidon, from Techreport

US-based nonprofit corporation MITRE announced on Tuesday, April 15, that a looming service disruption could impact the global cybersecurity landscape.

In a letter addressed to its board members that was leaked on the decentralized social media platform Bluesky, MITRE Vice President and Director of the Center for Securing the Homeland Yosry Barsoum said that its federal contract is set to expire today, April 16.

The contract allows the organization to operate, develop, and modernize its highly regarded Common Vulnerabilities and Exposures (CVE) repository. This helps identify, catalog, and share known cybersecurity threats to keep systems and data secure.

The letter didn't specify the reason for the contract's expiry. However, it could be related to the US government's cost-cutting measures led by Elon Musk's Department of Government Agency.

This affects areas such as the budget of the Cybersecurity and Infrastructure Security Agency (CISA), which is the MITRE CVE program's primary sponsor. The budget cut may also explain MITRE's announcement that it will cut 442 jobs effective June 3.

Rise in Security Threats Expected

Established in 1999, the CVE system is a cornerstone of cybersecurity as we know it, enabling governments, researchers, and organizations worldwide to identify, track, and patch security threats efficiently.

It was pivotal in tracking some of the biggest cyber threats in history, including the ransomware WannaCry and SolarWinds Sunburst, a cyberattack on the US federal government.

Without funding, the program's ability to operate would be severely compromised, potentially causing widespread global consequences.

If CVE is not picked up by anyone else, sharing threat intelligence and developing critical security patches would slow down significantly.

This gap could be exploited by bad actors, from individual hackers to state-sponsored groups, thus increasing the risk of successful cyberattacks.

It would also complicate the coordination between different entities. Security researcher Lukasz Olejnik said on X that:

"This would result in a situation where no one will be certain they are referring to the same vulnerability. Total chaos, and a sudden weakening of cybersecurity across the board." - Lukasz Olejnik via X

This development could also harm US national security on an even broader scale. The reduction in CISA's budget will impact MITRE and the agency's ability to provide adequate cybersecurity and infrastructure protection. Like MITRE, CISA is set to cut its workforce, which may impact 1300 people.

What's Next for MITRE's CVE Program

While Barsoum added that the 'government continues to make considerable efforts to continue MITRE's role in support of the program,' it's uncertain how long this will last.

Not all is lost, though. If the program goes offline, its historical CVE records will still be available on GitHub. Plus, a global network of CVE Numbering Authorities (CNAs) can continue to assign CVE IDs to vulnerabilities and publish CVE records.

These CNAs include tech giants Apple, Google, and Microsoft, which regularly issue CVE IDs and deploy patches. Despite that, MITRE's central role in the CVE program cannot be dismissed entirely.

In a LinkedIn post, Patrick Garrity, a security researcher at cybersecurity intelligence platform VulnCheck, also revealed that the company has proactively reserved 1,000 CVEs for 2025 in response to the uncertainty at MITRE. Garrity commented that:

"VulnCheck is closely monitoring the situation to ensure that both the community and our customers continue to receive timely, accurate vulnerability data."
