House panel rips CVE contracting and oversight policies

The industry-wide program for naming and documenting vulnerabilities suffers from fluctuating funding and insufficient oversight, according to a House panel.
Tim Rudolph, Air Force Life Cycle Management Center chief technology officer, moderates a panel discussion titled "It's Raining Data Centers" at the MITRE Corporation complex in Bedford, Mass., in 2014. MITRE is under pressure from Congress to change the way it handles the CVE process. (U.S. Air Force / Jerry Saslav)

The industrywide program for documenting hardware and software vulnerabilities suffers from fluctuating funding and insufficient oversight, according to a more than yearlong investigation by the House Energy and Commerce Committee.

“The historical practices for managing the … program are clearly insufficient,” members of the committee wrote in letters Monday to the Department of Homeland Security, which sponsors the program, and the not-for-profit MITRE Corp., which maintains it. “Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society.”

The program in question, the Common Vulnerabilities and Exposures (CVE) database, has for nearly two decades been a common lexicon for researchers and companies that document security flaws. But the program has experienced a significant backlog as some researchers have struggled to get a response to their submissions.

MITRE has undertaken reforms of the program, but House lawmakers say the “root causes” of the program’s woes – its lack of oversight and its reliance on piecemeal contracting – have “yet to be addressed.”


The lawmakers, who include committee Chairman Greg Walden, R-Ore., want DHS to give the CVE program a dedicated line item in the department’s annual budget rather than the haphazard funding they say the program currently receives. Over seven years, the contracting vehicle for the CVE program was awarded or modified 30 times, according to the House panel.

“Funding this key cybersecurity program through piecemeal, short-term contracts does it a disservice,” the committee members wrote. “The documentation provided by DHS and MITRE shows that the CVE contract vehicle is both unstable and prone to acute fluctuations in schedule and funding.”

In an effort to keep pace with cyberthreats, the lawmakers also want DHS and MITRE to conduct more rigorous oversight of the CVE program through biennial reviews. “The failure to conduct systematic reviews of the CVE program on a regular basis has allowed small problems to fester and morph into the kind of entrenched problems that the committee highlighted in its first letter” to the organizations in 2017, they wrote.

The lawmakers have requested briefings from DHS and MITRE on the CVE program within the next two weeks.

CyberScoop has requested comment from MITRE and will update this story if it is received.


You can read the full letters below.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.