NDAA amendment would codify CISA control of CVE
A program that assigns the identifiers behind patch queues should not depend on whether one support contract survives spring cleaning.
TL;DR
A planned fiscal 2027 National Defense Authorization Act amendment would formally place the Common Vulnerabilities and Exposures program under the Cybersecurity and Infrastructure Security Agency, Nextgov/FCW reports. The measure would create a 15-member CVE Board and require a CISA-NIST modernization plan. Prime contractors, agencies, assessors and security teams that build vulnerability workflows around CVE would get statutory footing for a system that MITRE’s contracting scare showed was more fragile than its ubiquity suggested.
Nextgov/FCW reports that lawmakers are preparing a fiscal 2027 National Defense Authorization Act amendment to put the Common Vulnerabilities and Exposures program formally under the Cybersecurity and Infrastructure Security Agency. The proposal would create a 15-member CVE Board to set policy and priorities, require a joint modernization plan with the National Institute of Standards and Technology, and make vulnerability enrichment part of CVE’s formal mission.
That is more than housekeeping. CVE is the naming layer underneath vulnerability management, patch prioritization, contractor risk discussions and CISA’s Known Exploited Vulnerabilities work. If a vendor advisory, agency scanner, FedRAMP package, incident report and assessor worksheet use the same CVE ID, they can at least argue about the same flaw. If that layer wobbles, everyone downstream discovers that “critical infrastructure” can mean a spreadsheet, a contract line item and a lot of assumptions.
The proposed language responds directly to last spring’s MITRE contracting scare, when the organization warned that federal backing for much of CVE’s work was about to end during a CISA contract purge. The issue was resolved within hours after public pushback, according to Nextgov/FCW, but the episode exposed the central governance problem: a global vulnerability catalog used across government, industry and research had no clear statutory protection against administrative budget pressure.
The amendment would also give Congress a cleaner oversight handle. CISA has long sponsored CVE, and the agency argued in 2025 that “there is no national cyber defense without a reliable, government-led system for vulnerability identification,” while tying CVE directly to the KEV Catalog and threat-informed defense (https://www.cisa.gov/news-events/news/mandate-mission-and-momentum-lead-cve-program-future-belongs-cisa). A statute would move that claim from agency posture into agency assignment.
The open question is whether the Senate keeps the CVE language in the final defense bill, and what happens the next time budget pressure returns. Codification can assign responsibility. It does not, by itself, appropriate discipline, staffing or urgency. For contractors and agencies, the practical gain would be stability: the identifier system their tools already depend on would be harder to endanger by accident.
Published · Deep Fathom