Dems want watchdog study of two troubled federally-funded vulnerability tracking initiatives

The CVE program publishes standardized information about known cyber vulnerabilities, while the NVD is a storehouse for vulnerability management data.

Two House Democratic leaders are asking a government watchdog to dig into two federally-funded initiatives to catalog software flaws and vulnerability data in light of their recent troubles.

Mississippi Rep. Bennie Thompson, the top Democrat on the Homeland Security Committee, and California Rep. Zoe Lofgren, who serves as top Democrat on the Science and Technology panel, want the Government Accountability Office to study the effectiveness of the Common Vulnerabilities and Exposures (CVE) program — funded by the Cybersecurity and Infrastructure Security Agency — and the National Vulnerability Database (NVD) — housed at the National Institute of Standards and Technology. 

The CVE program publishes standardized information about known cyber vulnerabilities, while the NVD is a storehouse for vulnerability management data. “Together, these programs underpin how organizations across the world mitigate vulnerabilities that could otherwise be exploited by malicious actors and carry out their broader cybersecurity programs,” Thompson and Lofgren wrote in their June 6 letter, which they announced Wednesday.

“Both the CVE program and the NVD program have faced significant challenges in recent years. In early 2024, funding challenges at NIST resulted in a backlog of thousands of vulnerabilities in the NVD, a backlog that persists to this day,” the pair wrote. “Further, a recent near-lapse of CISA’s contract supporting the CVE program brought to light the security community’s reliance on this program and the need to ensure its continuity.

“Given the programs’ important role in ensuring our nation’s cybersecurity, we request that the Government Accountability Office conduct a study of the federal programs designed to support vulnerability management for discovered vulnerabilities and weaknesses in information technology systems,” they continued.

They also want GAO to study the NIST and Department of Homeland Security support for both programs, as well as how much both governmental and non-governmental organizations rely on the two initiatives.

The Department of Commerce inspector general indicated last month that it would conduct an audit of the NVD program, where the backlog has reportedly persisted. In an op-ed for CyberScoop, Brad LaPorte, chief marketing officer at Morphisec, argued that the funding woes for the CVE program were “a wake-up call for an industry that has relied on CVEs for years to identify, categorize, and prioritize vulnerabilities.”

The CVE program made headlines in April when a last-minute funding reprieve from the Department of Homeland Security saved it from ceasing operations. In response, multiple new organizations have been established to ensure that vulnerability cataloging is less reliant on a single source of funding.

The Trump administration, which has disagreed with a number of GAO study conclusions and resisted some of its inquiries, recently tried to install Department of Government Efficiency officials at the GAO, but was rebuffed as the GAO is a legislative rather than executive branch agency. Still, the two entities haven’t been completely at odds.