This type of option exercise is extremely common in government contracts. I don’t think there’s much to read into on that front.

The option is common (its particulars of the award is at https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000019... ). The fact that the option needed to be done rather than DHS continuing to support CVE and related programs is an abandonment of the responsibilities of the organization to try to keep computer systems secure.

https://www.cisa.gov/news-events/directives/bod-22-01-reduci...

   A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

   Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.

   Federal agencies are required to comply with DHS-developed directives.

   ...

   Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.