House Dems call for review of U.S. government cybersecurity programs


The ranking members of two House committees are calling on the U.S. government to outline the way its cybersecurity programs operate.

In a letter to chairman Gene Dodaro, comptroller of the United States Government Accountability Office, the House Democrats asked for a full assessment of the National Vulnerability Database (NVD) by the National Institute of Standards and Technology (NIST) and the Common Vulnerabilities and Exposures (CVE) system by the Cybersecurity and Infrastructure Security Agency (CISA).

In particular, the ranking members of the House Committee on Homeland Security and the Committee on Science, Space and Technology are seeking an explanation as to how well the NVD and CVE systems are operating in terms of alerting organizations to impending security threats and helping them mitigate potential vulnerabilities.

“NIST scientists assign severity scores to CVE vulnerabilities and ensure the information is usable by the community at large,” wrote Reps. Bennie Thompson, D-Miss., and Zoe Lofgren, D-Calif.

“Together, these programs underpin how organizations across the world mitigate vulnerabilities that could otherwise be exploited by malicious actors and carry out their broader cybersecurity programs.”

The request comes after the CVE system and its funding via the MITRE organization was threatened due to lack of contract renewal.

“A recent near-lapse of CISA’s contract supporting the CVE program brought to light the security community’s reliance on this program and the need to ensure its continuity,” the representatives said in their letter.

“Given the programs’ important role in ensuring our nation’s cybersecurity, we request that the Government Accountability Office conduct a study of the federal programs designed to support vulnerability management for discovered vulnerabilities and weaknesses in information technology systems.”

Those cuts were averted via a last-minute funding push from CISA, but the long-term future of the program is still in limbo as Congress wrestles with a national budget plan and the prioritization of cybersecurity programs.

In the meantime, cybersecurity authorities in the EU have set up their own contingency plan in case the U.S. government drops the ball on vulnerability classification and management.

That appears to be the aim of the letter from congressional Democrats. By asking the agencies to provide an inventory of what they do on a daily basis and how their work affects both the public and private sector, it is hoped that a case will be made to secure long-term funding.

“As the Government Accountability Office has reported for decades, cybersecurity remains one of the greatest challenges facing our nation,” the letter reads.

“As we have become more reliant on technology and digital infrastructure, the number of discovered vulnerabilities has exponentially increased.”
