{"id":199569,"date":"2026-03-26T20:18:00","date_gmt":"2026-03-27T00:18:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/26\/eu-wants-to-support-bedrock-cyber-vulnerability-program-top-official-says\/"},"modified":"2026-03-27T01:30:12","modified_gmt":"2026-03-27T05:30:12","slug":"eu-wants-to-support-bedrock-cyber-vulnerability-program-top-official-says","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/26\/eu-wants-to-support-bedrock-cyber-vulnerability-program-top-official-says\/","title":{"rendered":"EU wants to support bedrock cyber vulnerability program, top official says"},"content":{"rendered":"<p><a href=\"https:\/\/www.nextgov.com\/cybersecurity\/2026\/03\/eu-wants-support-bedrock-cyber-vulnerability-program-top-official-says\/412429\/?orefu003dng-homepage-river\">EU wants to support bedrock cyber vulnerability program, top official says<\/a><\/p>\n<p><a href=\"https:\/\/www.nextgov.com\/cybersecurity\/2026\/03\/eu-wants-support-bedrock-cyber-vulnerability-program-top-official-says\/412429\/?orefu003dng-homepage-river\">https:\/\/www.nextgov.com\/cybersecurity\/2026\/03\/eu-wants-support-bedrock-cyber-vulnerability-program-top-official-says\/412429\/?orefu003dng-homepage-river<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-26 20:18:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.nextgov.com\">www.nextgov.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points.<br \/>\nSAN FRANCISCO \u2014 The European Union wants to assist with and help modernize a cornerstone cyber cataloging program after a contracting scare last year prompted renewed discussions and concerns over how to sustain the vulnerability-tracking system relied upon by hundreds of thousands of security practitioners worldwide.The Common Vulnerabilities and Exposures Program faced a contracting fiasco last spring when MITRE, the non-profit research giant that funds much of the program\u2019s functions, warned of an imminent end to federal backing for the project. The matter was addressed within hours amid outcry from the cybersecurity community.The EU wants to help \u201cbuild upon\u201d the foundation of the program and \u201cthe great work that has been done there,\u201d Hans de Vries, the chief cybersecurity and operational officer for the European Union Agency for Cybersecurity, or ENISA, said Thursday at the RSAC Conference in California.\u00a0After the initial contracting issue, EU member states asked ENISA to explore ways to strengthen the CVE process, de Vries explained.\u00a0\u201cWe cannot build on one contract alone, so we have to strengthen it, and make sure that foundation, that basic mechanism \u2014 and it\u2019s a huge program \u2014 but that mechanism stays, and stays to the core that we want to build on,\u201d he said.CVE provides a standardized methodology for identifying and cataloging publicly known cybersecurity vulnerabilities. Each flaw is assigned a unique identifier, designed to help security researchers, vendors and officials more effectively communicate about the same issue. It was first launched in 1999.The remarks from de Vries are some of the first showing how European officials are weighing a more formal role in contributing to the CVE program, amid growing concerns that its long-term stability cannot rely on a sole U.S. government contract.Congressional staffers have also drafted legislation to codify the CVE program and address how the Cybersecurity and Infrastructure Security Agency would take a more active oversight role in its management, said Moira Bergin, who leads cyber policy work for the Democrat side of the House Homeland Security Committee.\u201cWhile CISA is certainly authorized to execute this program, it\u2019s not specifically tasked with doing it, which, as an oversight committee, makes it harder for us to hold an agency accountable for executing a task,\u201d she said. \u201cAnd it doesn&#8217;t give any of the stakeholders any expectation of what they can expect from the program and hold it accountable for.\u201dA newer version of the program managed under CISA should also \u201cendure political cycles,\u201d said Mike McLaughlin, a shareholder and Cybersecurity and Data Privacy Practice Group co-lead at Buchanan Ingersoll &#038; Rooney PC, arguing that if CVE is housed in CISA but is perceived as politicized or fragile, other regions will fragment off and force competing programs to emerge.Bergin said that, in the draft text, staffers are seeking to \u201cinoculate the [CVE] board membership from political cycles\u201d so those risks are diminished.The discussion also came amid growing recognition among industry practitioners that AI has now become a core tool in hackers\u2019 arsenals that can accelerate the speed and scale of cyberattacks.On a regular basis, some people \u201cseem to think that CVE records should be just read by humans,\u201d said Bob Lord, a former Cybersecurity and Infrastructure Security Agency official who helped lead the agency\u2019s Secure by Design initiative.In the CVE program, a vulnerability record is created when a flaw is first published, while later \u201cenrichment\u201d can add details such as severity and exploitability. But as cyberattacks now move at machine speed, many experts argue those records need to be far more complete upfront, because waiting to fill in the gaps can leave defenders exposed.\u201cWhile there certainly is a component where humans should be able to go in and look at CVE and understand what\u2019s in there, what we really need to do is start making sure that we have high-quality records,\u201d said Lord, referring to individual vulnerability entries. \u201cToday, we\u2019re going to really need to talk a lot more about record quality at the time of issuance, not enrichment later, but at the time of issuance.\u201dA CISA spokesperson told Nextgov\/FCW that a \u201cbroad internal contracting review caused a brief renewal delay in April 2025, but operations continued without disruption and MITRE was ultimately retained as the program operator.\u201d CISA and the Department of Homeland Security have since \u201ctaken proactive contracting steps to maintain MITRE\u2019s support, ensure stable global vulnerability tracking and expand its usage,\u201d the spokesperson added.\u201cMITRE, in support of CISA, is committed to CVE as a critical global resource,\u201d Jordan Graham, a company spokesperson said.Today, everyone uses CVE identifiers as a common vernacular, said McLaughlin. If it disappears, vendors and defenders can\u2019t easily tell if they\u2019re talking about the same bug, and regulators and service providers lose a shared reference system.\u201cI think if the program were to go away, you\u2019d have fragmentation, which leads to inefficiency, which leads to less security,\u201d Bergin said. \u201cAnd when we make the case to our members that this is something that they should take their time with, that\u2019s what we say: fragmentation, inefficiency, less security \u2014 it\u2019s that simple.\u201d<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>EU wants to support bedrock cyber vulnerability program, top official says https:\/\/www.nextgov.com\/cybersecurity\/2026\/03\/eu-wants-support-bedrock-cyber-vulnerability-program-top-official-says\/412429\/?orefu003dng-homepage-river Publish Date: 2026-03-26&#8230;<\/p>\n","protected":false},"author":1,"featured_media":199570,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.nextgov.com\/media\/img\/cd\/2026\/03\/26\/032626panelNG\/open-graph.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,27],"class_list":["post-199569","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/199569"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=199569"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/199569\/revisions"}],"predecessor-version":[{"id":199571,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/199569\/revisions\/199571"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/199570"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=199569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=199569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=199569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}