After opening an investigation last year into the Common Vulnerabilities and Exposures (CVE) program, Energy and Commerce Committee Chairman Greg Walden (R-Ore.), Oversight and Investigations Subcommittee Chairman Gregg Harper (R-Miss.), Communications and Technology Subcommittee Chairman Marsha Blackburn (R-Tenn.), and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-Ohio) sent follow-up letters today to the Department of Homeland Security and MITRE Corporation.
In both letters, members recommend two reforms to the program: that DHS transition it from a contract-based funding model to a cost-neutral dedicated Program, Project, or Activity line item in the department’s annual budget, and that DHS and MITRE perform biennial reviews to ensure the program’s stability and effectiveness. The letters also discuss the documents produced to the committee in response to its initial investigation.
“The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society. The Committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the Committee’s initial request,” wrote Walden, Harper, Blackburn, and Latta.
The letter continues, “However, many of these reforms target symptoms that stem from what the Committee considers to be underlying root-causes – the contract-based nature of the program and the lack of oversight – which have yet to be addressed. For DHS and MITRE to address these deep-seated issues, they will have to make significant changes to the very foundation of the CVE program.”