new | ask | show | jobs
shagie 3 days ago  [ - ]

My {conspiracy | belief | suspicion} is that this was something that as part of the DoD they saw "Mitre Corporation" and that organization's relationship with MIT and were pulling funding for anything "elite liberal academia" (even distantly related) combined with the "we're pulling back from anything cybersecurity" ( https://news.ycombinator.com/item?id=43228029 ). (edit) I've run out of invocations of Hanlon's Razor and it needs a long rest before its recharged. (/edit)

I don't believe it was a mistake - they wanted to pull its funding (and still intend to do). Note the wording of the statement:

> Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.

We are now in the option period.

At some point in the future, that option period will expire.

neodymiumphish 3 days ago  [ - ]

This type of option exercise is extremely common in government contracts. I don’t think there’s much to read into on that front.

shagie 3 days ago  [ - ]

The option is common (its particulars of the award is at https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000019... ). The fact that the option needed to be done rather than DHS continuing to support CVE and related programs is an abandonment of the responsibilities of the organization to try to keep computer systems secure.

https://www.cisa.gov/news-events/directives/bod-22-01-reduci...

   A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

   Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.

   Federal agencies are required to comply with DHS-developed directives.

   ...

   Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.
If there's no catalog that the government is maintaining for "these things need to be fixed to run on federal systems" ... then how do you ensure that the federal computers are secure?
snickerbockers 3 days ago  [ - ]

I would feel a lot better about my skills knowing that bigballs also had difficulty figuring out what the correct syntax for this particular engine's version of \w and how many layers of backslash escapes are needed.