CVE Program Takes Heat from Republican Lawmakers

Republican leaders of the House Energy and Commerce Committee are calling for changes to the CVE program, which provides common identifiers for known cybersecurity vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) program is sponsored by the Department of Homeland Security (DHS) under contract with MITRE.

The lawmakers want DHS to transition the CVE program from a contract-based funding model to a cost-neutral dedicated program, project, or activity line item in the department’s annual budget. In addition, they want DHS and MITRE to perform biennial reviews of the program’s stability and effectiveness.

CVE Is Critical Cyber Infrastructure

“The CVE program has become inextricably integrated with cybersecurity practices during its nearly 20-year existence. Yet the documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE’s status as critical cyber infrastructure,” wrote Energy and Commerce Committee Chairman Greg Walden (R-OR), Oversight and Investigations Subcommittee Chairman Gregg Harper (R-MS), Communications and Technology Subcommittee Chairman Marsha Blackburn (R-TN), and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-OH) in letters to DHS and MITRE.

“The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society,” the lawmakers noted.

“The Committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the Committee’s initial request. However, many of these reforms target symptoms that stem from what the Committee considers to be underlying root-causes – the contract-based nature of the program and the lack of oversight – which have yet to be addressed. For DHS and MITRE to address these deep-seated issues, they will have to make significant changes to the very foundation of the CVE program.”

The committee gave DHS and MITRE until September 10 to respond to the lawmakers’ recommended changes.