Democratic members of the House Homeland Security Committee have asked the U.S. Government Accountability Office (GAO) to review federal cybersecurity programs that support vulnerability management. The request specifically calls for an assessment of the effectiveness of the Cybersecurity and Infrastructure Security Agency’s (CISA) Common Vulnerabilities and Exposures (CVE) program and the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD).

In a letter to Gene Dodaro, Comptroller General of the GAO, Bennie G. Thompson, a Democrat from Mississippi and ranking member of the Committee on Homeland Security, and Zoe Lofgren, a Democrat from California and ranking member of the Committee on Science, Space and Technology, identified that the CVE program and the NVD program have faced significant challenges in recent years. 

“In early 2024, funding challenges at NIST resulted in a backlog of thousands of vulnerabilities in the NVD, a backlog that persists to this day. Further, a recent near-lapse of CISA’s contract supporting the CVE program brought to light the security community’s reliance on this program and the need to ensure its continuity,” the members noted. “Given the programs’ important role in ensuring our nation’s cybersecurity, we request that the Government Accountability Office conduct a study of the federal programs designed to support vulnerability management for discovered vulnerabilities and weaknesses in information technology systems.” 

The members specifically asked the GAO to assess the efficiency and effectiveness of the NIST programs that support the creation and publication of standards-based vulnerability management data, including the NVD. They also requested an evaluation of the CVE program, including the Department of Homeland Security’s role in supporting it. 

In addition, the lawmakers want the GAO to examine how much government and non-government entities rely on the NVD and CVE programs.

Last month, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing on reauthorizing the Cybersecurity Information Sharing Act ahead of its 2025 expiration. Democratic lawmakers focused on the law’s role in enabling collaboration between the government and private sector to defend against cyber threats. Originally passed in 2015, the Act marked a major shift in how threat intelligence is shared to support national cybersecurity.