Members of the House Committee on Energy and Commerce called on the Department of Homeland Security (DHS) to conduct biennial reviews of, and provide dedicated funding for, the Common Vulnerabilities and Exposures (CVE) program after finding erratic contracting and little planning documentation. The request was made in a letter sent to DHS Secretary Kirstjen Nielsen on Monday.
The program was founded in 1999 and is currently maintained by MITRE and sponsored by the United States Computer Emergency Readiness Team (US-CERT) within DHS. CVE first attracted the committee's attention after reports of vulnerability submissions taking "several weeks or months to process, or going unanswered." The letter, signed by Chairman Greg Walden, R-Ore., as well as Reps. Gregg Harper, R-Miss., Marsha Blackburn, R-Tenn., and Bob Latta, R-Ohio, details the results of the committee's inquiry and its recommendations for MITRE and DHS.
In its investigation, the committee found that the contract vehicle for CVE had been awarded or modified 30 times in a seven-year period, with no consistent schedule and widely varying funding levels. The CVE program had recognized its responsiveness problems before they became public, but the letter notes that "actions MITRE took prior to the publication of the reports were apparently insufficient to preempt or otherwise prevent these concerns from manifesting."
The investigation into CVE left the committee “surprised by the dearth of produced analyses, timelines, and other oversight materials documenting the year-over-year health of the program.” The committee received no program analysis documents from DHS, and only three slide decks from MITRE, with the latest update in 2015.
The letter calls on DHS to transition the program from a contract-based funding model to a dedicated program, project, or activity line item in the DHS budget. “By making the program’s schedule more reliable and stabilizing its funding levels, program officials would be able to develop broader strategies to stabilize, grow, and improve the CVE program,” wrote the members of Congress.
The committee also calls on MITRE and DHS to perform biennial reviews of the CVE program. "Since the CVE program's inception, the nature of cybersecurity threats it is meant to address has drastically evolved. So too have stakeholders' needs. Yet the scope and mission of the CVE program have not undergone similar transformation," the letter notes. "The documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE's status as critical cyber infrastructure."
The letter closes with the acknowledgement that major changes are due for CVE. “The committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the committee’s initial request. However, many of these reforms target symptoms that stem from what the committee considers to be underlying root causes–the contract-based nature of the program and the lack of oversight–which have yet to be addressed. For DHS and MITRE to address these deep-seated issues, they will have to make significant changes to the very foundation of the CVE program,” the letter states.