Following a committee investigation that lasted more than a year, Republican leaders on the House Energy and Commerce Committee have asked the Department of Homeland Security and one of its contractors to reform the database that catalogs publicly disclosed cybersecurity vulnerabilities and exposures.
The legislators recommend in separate letters that the contract for the Common Vulnerabilities and Exposures (CVE) program transition from “piecemeal, short-term contract” to a dedicated line item within the DHS budget, and that it be subject to biennial reviews by DHS and MITRE Corp., which has managed the program since it began in 1999.
“The CVE program has become inextricably integrated with cybersecurity practices during its nearly 20-year existence,” said the identical letters to Homeland Security Secretary Kirstjen Nielsen and Jason Providakes, president and CEO of MITRE. “Yet the documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE’s status as critical cyber infrastructure. Instead, both organizations continued to manage and fund the program through a series of contracts which themselves were unstable. This approach was perhaps to be expected given that neither organization, according to produced documentation, performed the level of oversight needed to ensure the program continued to fulfill its purpose and stakeholder needs.”
The Aug. 27 letters said that from 2012 to 2015, funding for CVE declined on average by 37 percent year over year, and that in 2016 it increased by 139 percent. Program funding was $6.7 million in 2012 and dropped to $1.7 million in 2015 before ratcheting up to $4 million in 2016.
This funding is “unstable and prone to acute fluctuations,” write Greg Walden (Ore.), chairman of the committee, Gregg Harper (Miss.), chairman of the Oversight and Investigations Subcommittee, Marsha Blackburn (Tenn.), chairman of the Communications and Technology panel, and Bob Latta (Ohio), chairman of the Digital Commerce and Consumer Protection Subcommittee.
The letters also said that when the committee requested copies of any analyses of the program performed by either DHS or MITRE, the response showed there were no “in-depth or root-cause analyses that would help guide the program forward.”
The committee’s investigation was spawned by media reports in 2016 that “requests for CVE numbers for vulnerabilities reported to MITRE either were taking several weeks or months to process, or were going unanswered,” the letters said.