
Two Democratic lawmakers in Congress have formally called upon the U.S. Government Accountability Office (GAO) to conduct a comprehensive review of the Common Vulnerabilities and Exposures (CVE) program. The request responds to a halt in federal funding and to the looming threats to the broader cybersecurity ecosystem, which relies heavily on this foundational infrastructure.
Representatives Thompson and Zoe Lofgren addressed a letter to Comptroller General Eugene Dodaro, expressing deep concern that the suspension of funding could cripple the transmission of vital cybersecurity threat intelligence—data upon which both the private sector and government agencies critically depend.
Federal support for the CVE program lapsed in April 2025. Although the Cybersecurity and Infrastructure Security Agency (CISA) intervened with an emergency allocation sufficient for an 11-month reprieve, the program’s long-term sustainability remains uncertain. Against this backdrop, the lawmakers have called for a thorough evaluation of all federal initiatives that underpin CVE and the National Vulnerability Database (NVD).
The letter pays particular attention to interagency coordination, especially between the Department of Homeland Security (which houses CISA) and the National Institute of Standards and Technology (NIST), the entity tasked with maintaining vulnerability databases. The authors emphasize that initiatives like CVE serve as keystones in global efforts to mitigate cyber risk. Without systems that facilitate timely discovery and dissemination of vulnerability information, both corporate entities and public institutions are left exposed to escalating threats.
Meanwhile, CISA itself faces internal turmoil. The agency is undergoing a wave of staff resignations, including the departure of several senior officials in recent months. These losses have coincided with a broader fiscal crisis, exacerbated by the Trump administration’s proposal to implement sweeping budget cuts to the agency.
The CVE situation is not merely a technical dilemma—it is a barometer of the federal government’s posture toward cybersecurity at large. The continued existence and reliable operation of this program are essential not only to IT enterprises but also to the safeguarding of the nation’s critical infrastructure. Should political gridlock and administrative instability continue to jeopardize its future, a perilous void may emerge within the global vulnerability response ecosystem.