‘Stupid and Dangerous': CISA Funding Chaos Threatens Essential Cybersecurity Program

WIRED, 16-04-2025
Apr 16, 2025 4:10 PM

The CVE Program is the primary way software vulnerabilities are tracked. Its long-term future remains in limbo even after a last-minute renewal of the US government contract that funds it.

In an eleventh-hour scramble before a key contract was set to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency renewed its funding for the longtime software vulnerability tracking project known as the Common Vulnerabilities and Exposures Program. Managed by the nonprofit research-and-development group MITRE, the CVE Program is a linchpin of global cybersecurity—providing critical data and services for digital defense and research.
The CVE Program is governed by a board that sets an agenda and priorities for MITRE to carry out using CISA's funding. A CISA spokesperson said on Wednesday that the contract with MITRE is being extended for 11 months. 'The CVE Program is invaluable to the cyber community and a priority of CISA,' they said in a statement. 'Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience.'
MITRE's vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that, 'CISA identified incremental funding to keep the Programs operational.' With the clock ticking down before this decision came out, though, some members of the CVE Program's board announced a plan to transition the project into a new nonprofit entity called the CVE Foundation.
'Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,' the Foundation wrote in a statement. 'This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.'
It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime cybersecurity industry member who was quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.
CISA did not respond to questions from WIRED about why the fate of the CVE Program contract had been in question and whether it was related to recent budget cuts sweeping the federal government as mandated by the Trump administration.
Researchers and cybersecurity professionals were relieved on Wednesday that the CVE Program hadn't suddenly ceased to exist as the result of unprecedented instability in US federal funding. And many observers expressed cautious optimism that the incident could ultimately make the CVE Program more resilient if it transitions to be an independent entity that isn't reliant on funding from any one government or other single source.
'The CVE Program is critical and it's in everyone's interest that it succeed,' says Patrick Garrity, a security researcher at VulnCheck. 'Nearly every organization and every security tool is dependent on this information and it's not just the US, it's consumed globally. So it's really, really important that it continues to be a community-provided service and we need to figure out what to do about this because losing it would be a risk to everyone.'
Federal procurement records indicate that it costs in the tens of millions of dollars per contract to run the CVE Program. But in the scheme of the losses that can occur from a single cyberattack exploiting unpatched software vulnerabilities, experts tell WIRED, the operational costs seem negligible versus the benefit to US defense alone.
Despite CISA's last-minute funding, the future of the CVE Program is still unclear for the long term. As one source, who requested anonymity because they are a federal contractor, put it: 'It's all so stupid and dangerous.'
Related Articles

AppOmni SaaS Security Platform Achieves FedRAMP® Authority To Operate

Business Wire, a day ago

SAN MATEO, Calif.--(BUSINESS WIRE)-- AppOmni, the leader in SaaS security, officially announced its SaaS Security Platform has been granted Federal Risk and Authorization Management Program (FedRAMP) Moderate Authority to Operate (ATO). This milestone validates AppOmni's position as a trusted partner to the public sector and reinforces the company's commitment to meeting the highest cybersecurity and compliance standards required by the U.S. government. With the CISA issuing a new binding directive (BOD 25-01) on the use of SaaS applications to federal civilian agencies, AppOmni's FedRAMP ATO means agencies can confidently adopt AppOmni's SaaS Security Platform to secure their SaaS ecosystem, meet critical compliance requirements, and optimize data protection across multiple platforms.

What Is FedRAMP and Why Does It Matter to Federal Agencies?

FedRAMP was established in 2011 to promote the adoption of secure cloud services at scale for the U.S. government. It provides a common security framework for all government agencies. Once a cloud security service meets the baseline requirements and is authorized, it can be used by any federal agency. The program increases efficiencies, reduces costs, and encourages innovation through the cultivation of public-private partnerships. FedRAMP authorization represents the highest bar for security certifications, ensuring the most rigorous security standards are met. Moderate ATO certification requires 325 distinct security controls to be satisfied.

Why SaaS Security Is Critical for Federal Agencies

For federal agencies, Software-as-a-Service (SaaS) platforms are essential for managing mission-critical data. Data residency and protection for data such as Controlled Unclassified Information (CUI), Personally Identifiable Information (PII) and Protected Health Information (PHI) is paramount within SaaS applications. Because the information is unclassified, yet still sensitive, mishandling it can lead to loss of trust and even legal penalties (e.g., under DFARS for DoD contractors). With Moderate ATO, AppOmni demonstrates that data-at-rest and data-in-transit protections meet federal encryption, key management, and FIPS standards.

AppOmni Exceeds FedRAMP Standards with Advanced SaaS Security Capabilities

AppOmni goes beyond FedRAMP by providing continuous monitoring, threat detection, and integration with compliance frameworks like FISMA and NIST SP 800-53. Its cross-platform approach addresses misconfigurations, data access risks, and compliance gaps, providing federal agencies with the security tools necessary to confidently adopt SaaS technologies. At this time, there are no other pure play SaaS Security Posture Management (SSPM) solutions with FedRAMP® Moderate ATO in the market.

How AppOmni Supports Federal SaaS Security and Resilience

'Achieving FedRAMP Moderate ATO is a landmark accomplishment, not just for AppOmni, but for the federal government's SaaS security posture,' said Cory Michal, CISO at AppOmni. 'Federal agencies are prime targets for sophisticated cyberattacks, and they require an in-depth level of SaaS security that legacy systems can't provide. AppOmni enables unparalleled visibility and continuous monitoring across the entire SaaS ecosystem, protecting the very fabric of government operations. This authorization underscores our philosophy that secure cloud adoption should empower government agencies and enterprise organizations, not burden them with risk. AppOmni is dedicated to helping agencies protect their most critical data and applications from evolving threats and simplifying the procurement process.'

Combatting OAuth2 Token Threats in Government SaaS Applications

The cyber threat landscape for government agencies is increasingly perilous. Recently, cybercriminal group Salt Typhoon has been seen infiltrating government M365 applications using stolen OAuth2 tokens – the digital credentials that grant third-party applications access to user resources without passwords. This type of supply chain attack highlights the systemic SaaS risks that leaders are urging the industry to address, as JPMC CISO Pat Opet called for at this year's RSA Conference. With a Moderate ATO, AppOmni is answering that call.

The ATO also comes at a critical time as federal agencies work to comply with the Cybersecurity and Infrastructure Security Agency's (CISA) Binding Operational Directive (BOD) 25-01. The deadline for implementing mandatory Secure Cloud Business Applications (SCuBA) policies was June 20, 2025. AppOmni is a FedRAMP ATO designated SaaS security platform providing M365 SCuBA compliance checks. Agencies can complete compliance checks and meet 50+ directives for Microsoft AAD (Entra ID), SharePoint, Exchange Online, and Teams applications out of the box. Agencies can access a complimentary SCuBA compliance assessment to simplify policy alignment with instant visibility for actionable insights into SaaS security risks, secure baselines to protect sensitive data with aligned configurations and maintain continuous, ongoing compliance with CISA's directive.

Learn more about how AppOmni delivers visibility, control, and compliance for SaaS applications, enabling government teams to protect sensitive data, meet stringent security frameworks, and streamline compliance reporting without disrupting operations.

About AppOmni

AppOmni is the leader in SaaS Security and enables customers to achieve secure productivity with their SaaS applications. With AppOmni, security teams and SaaS application owners can quickly secure their mission-critical and sensitive data from attackers and insider threats. The AppOmni Platform continuously scans SaaS APIs, configurations, and ingested audit logs to deliver complete data access visibility, secure identities and SaaS-to-SaaS connections, detect threats, prioritize insights, and simplify compliance reporting. AppOmni provides unmatched depth and scalability across a diverse range of SaaS environments and serves the largest Fortune 500, fast-growing companies, and global enterprises across industries. Visit follow @AppOmni on LinkedIn, and watch SaaS security videos on YouTube.

Stop Using These Passwords Following FBI 2FA Bypass Warning

Forbes, 5 days ago

Following FBI warnings of 2FA bypass, password alerts have now emerged.

FBI warnings concerning the Scattered Spider collective, behind ransomware attacks on the retail, insurance, and most recently, aviation sectors, have now become an alarming reality. Qantas has confirmed a significant cyber incident, involving a third-party supplier, has potentially impacted the data of some six million customers. 2FA bypass is common currency for Scattered Spider and other threat actors, and the FBI report has confirmed this. But maybe now it's time to also look at how poorly every sector, including consumers, manages passwords. TL;DR, dear reader, the answer is very poorly indeed. Here are the passwords that nobody should be using.

FBI And CISA Password Advice Is Being Ignored

Let's get one thing straight here: password management is not a difficult thing. It would seem, however, that getting the basics of password creation and use right is. That's the only reason I can come up with as to why so many people, corporate, within industry sectors and consumers, are failing to do it properly. Well, there's another reason, but I'm too polite to mention it here; I'm sure you can guess what it is. The point is that, as evidenced by an updated study by NordPass, weak and downright dangerous passwords are still being used long past their expiration date. Although Scattered Spider focuses attention on bypassing 2FA protections using social engineering means to persuade IT help desks to 'add unauthorized MFA devices to compromised accounts,' it is not the only weapon in its arsenal. All ransomware groups will look to the weakest link, the easiest protection to break, when it comes to initial access. And that, as you likely will have guessed, means login credentials. The NordPass study revealed what many in the cybersecurity field already knew: weak passwords, reused passwords, and passwords that are, frankly, totally unfit for consumption, are common across almost all industry sectors.

Considering the Scattered Spider attacks on aviation, let's focus on the transportation sector as an example. 'The transportation and logistics industry is a critical part of global infrastructure,' Karolis Arbaciauskas, head of business product at NordPass, said, 'but the cybersecurity basics are being ignored.' Those basics can be found in this Cybersecurity and Infrastructure Security Agency advisory, compiled with the assistance of the FBI, covering the tactics, techniques and procedures used by the Scattered Spider threat group.

You Should Never Use These Passwords. Period.

You only have to look at the most common list for this sector, included on the report page previously linked to, and you will see what Arbaciauskas is referring to. It is peppered with such password atrocities as 123456, Dell, 12345678, password, 111111, 1234, 123456789 and qwerty. I could go on, but I won't: go and see for yourself. Or you might want to take a look at this list of dangerous passwords I have compiled from NordPass and other research. 'Weak credentials put customer data, delivery routes, and operational continuity at risk,' Arbaciauskas said, adding that 'Fixing password practices is a fast, effective way to avoid delays caused by data breaches or operational downtime.' The FBI has warned you, CISA has advised you, cybersecurity professionals have shown you the dangers, so when are you going to stop using those easily hacked passwords and start taking credential security seriously? Better yet, when are you going to change to passkeys, which are way more secure?

Google Chrome Warning—Update Or Stop Using Browser By July 23

Forbes, 02-07-2025

Google confirms attacks on Chrome are underway.

Google has confirmed that Chrome is under attack again, and has issued another emergency update for all users following the mandatory 'configuration change' it pushed out last week. Whatever device you're running, you need to ensure you have downloaded the latest software and then you need to restart your browser. As I suggested would happen, America's cyber defence agency has now mandated federal employees update or stop using Chrome within 3 weeks, on or before July 23. The warning also applies to Microsoft Edge and other Chromium-based browsers.

CISA warns that Chrome's V8 JavaScript engine 'contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page.' That means just visiting the wrong website could put you at risk. In confirming CVE-2025-6554, Google explained that it would not release any further details at this time, 'until a majority of users are updated with a fix.' But the fact it was discovered by Google's own Threat Analysis Group just five days before the fix was released — with a config change even faster than that — tells you how urgent this is.

The assumption is that this will have been found in highly targeted attacks, the kind that use specialized websites to lure specific victims, or links in social media, email or text messages, to deploy their attacks. But the fact this is now public domain and being fixed means the risks are high as attackers rush to deploy before it's too late. This is the fourth actively exploited zero-day this year, and it highlights how important it is to keep all browsers updated at all times. While CISA's mandate only applies to federal agency staff, its remit extends to all organizations to help them 'better manage vulnerabilities and keep pace with threat activity.'

You will see a flag within Chrome telling you an update has been downloaded and you need to restart. All your tabs should reopen, albeit your Incognito private browsing tabs will not. So make sure there's nothing unsaved in any of those. Following Google's warning that it's 'aware that an exploit for CVE-2025-6554 exists in the wild,' we can expect more detail on the vulnerability over the coming weeks.
