The U.S. National Institute of Standards and Technology (NIST) has taken a big step to address the growing backlog of unprocessed Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD). The institute has hired an external contractor to contribute additional processing support in its operations.
The contractor hasn’t been named, but NIST said it expects that the move will allow it to return to normal processing rates within the next few months.
Clearing the National Vulnerability Database Backlog
NIST is responsible for managing entries in the NVD. After being overwhelmed with the volume of entries amid a growing backlog of CVEs that have accumulated since February, the institute has awarded an external party with a contract to aid in its processing efforts.
“We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months,” the agency stated. To further alleviate the backlog, the NIST is also working closely with CISA, the Cybersecurity and Infrastructure Security Agency, to improve its overall operations and processes. “We anticipate that this backlog will be cleared by the end of the fiscal year,” the NIST stated.
In its status update, NIST referenced an earlier statement the agency made that it was exploring various means to address the increasing volume of vulnerabilities through the use of modernized technology and improvements to its processes.
Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance,” the institute said.
NIST reaffirmed its commitment to maintaining and modernizing the NVD, stating, “NIST is fully committed to preserving and updating this vital national resource, which is crucial for building trust in information technology and fostering innovation.”
CISA’s ‘Vulnrichment’ Initiative
In response to the growing NVD backlog at NIST, CISA had launched its own initiative called “Vulnrichment” to help enrich the public CVE records. CISA’s Vulnrichment project is designed to complement the work of the originating CNA (Common Vulnerabilities and Exposures Numbering Authority) and reduce the burden on NIST’s analysts.
CISA said it would use an SSVC decision tree model to categorize vulnerabilities. The agency will consider factors like exploitation status, technical impact, impact on mission-essential functions, public well-being, and whether the exploitation is automatable. CISA welcomes feedback from the IT cybersecurity community on this effort.
By providing enriched CVE data, CISA aims to improve the overall quality and usefulness of the NVD for cybersecurity professionals. “For those CVEs that do not already have these fields populated by the originating CNA, CISA will populate the associated ADP container with those values when there is enough supporting evidence to do so,” the agency explained.
As NIST and CISA work to address the current challenges, they have pledged to keep the community informed of their progress as well as on future modernization plans.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
