House panel rips CVE contracting and oversight policies
The industrywide program for documenting hardware and software vulnerabilities suffers from fluctuating funding and insufficient oversight, according to a more than yearlong investigation by the House Energy and Commerce Committee.
“The historical practices for managing the … program are clearly insufficient,” members of the committee wrote in letters Monday to the Department of Homeland Security, which sponsors the program, and the not-for-profit MITRE Corp., which maintains it. “Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society.”
The program in question, the Common Vulnerabilities and Exposures (CVE) database, has for nearly two decades been a common lexicon for researchers and companies that document security flaws. But the program has experienced a significant backlog as some researchers have struggled to get a response to their submissions.
MITRE has undertaken reforms of the program, but House lawmakers say the “root causes” of the program’s woes – its lack of oversight and its reliance on piecemeal contracting – have “yet to be addressed.”
The lawmakers, who include committee Chairman Greg Walden, R-Ore., want DHS to give the CVE program a dedicated line item in the department’s annual budget rather than the haphazard funding they say the program currently receives. Over seven years, the contracting vehicle for the CVE program was awarded or modified 30 times, according to the House panel.
“Funding this key cybersecurity program through piecemeal, short-term contracts does it a disservice,” the committee members wrote. “The documentation provided by DHS and MITRE shows that the CVE contract vehicle is both unstable and prone to acute fluctuations in schedule and funding.”
In an effort to keep pace with cyberthreats, the lawmakers also want DHS and MITRE to conduct more rigorous oversight of the CVE program through biennial reviews. “The failure to conduct systematic reviews of the CVE program on a regular basis has allowed small problems to fester and morph into the kind of entrenched problems that the committee highlighted in its first letter” to the organizations in 2017, they wrote.
The lawmakers have requested briefings from DHS and MITRE on the CVE program within the next two weeks.
CyberScoop has requested comment from MITRE and will update this story if it is received.
You can read the full letters below.
Letter to DHS: http://www.documentcloud.org/documents/4788036-082718-DHS-Recommendations-for-CVE-Program.html
Letter to MITRE: http://www.documentcloud.org/documents/4788035-082718-MITRE-Recommendations-for-CVE-Program-1.html