Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

NIST Explains Why It Failed to Clear CVE Backlog

NIST says all known exploited CVEs in the backlog have been addressed, but admitted that clearing the entire backlog by October was optimistic.

NIST

NIST on Wednesday shared an update on its progress in clearing the CVE backlog in the  National Vulnerability Database (NVD) and explained why it was not able to meet a self-imposed deadline. 

NIST revealed in February that delays should be expected in the analysis of CVE identifiers in the NVD as it was working on improving the program. 

There was a backlog of over 18,000 vulnerabilities over the next few months, but NIST announced in late May that it had awarded a contract to Analygence for additional processing support for the NVD. It also said that it expected to clear the entire backlog by the end of the fiscal year (September 30).

However, vulnerability management firm VulnCheck reported in late September that 72% of the over 18,000 CVEs had yet to be analyzed, compared to 93% on May 19. Nearly half of the known exploited vulnerabilities (KEV) had also yet to be analyzed. 

In an update shared on Wednesday, NIST said it now has a full team of analysts on board and they are able to analyze all CVEs as they come in. The agency said the entire KEV backlog has been addressed.

However, NIST admitted that its initial estimate of September 30 for clearing the entire backlog was optimistic.

“This is due to the fact that the data on backlogged CVEs that we are receiving from Authorized Data Providers (ADPs) are in a format that we are not currently able to efficiently import and enhance,” the agency explained. “To address this issue, we are developing new systems that will allow us to process incoming ADP data more efficiently.”

NIST has not shared any estimate on when it expects the entire backlog to be cleared, but the agency promised to continue sharing updates on its progress. 

Advertisement. Scroll to continue reading.

Related: CVE and NVD – A Weak and Fractured Source of Vulnerability Truth

Related: NIST Grants $3.6 Million to Boost US Cybersecurity Workforce

Related: NIST: No Silver Bullet Against Adversarial Machine Learning Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Network security and compliance assurance firm Titania has appointed Victoria Dimmick as CEO.

Secure browser firm Conceal has appointed Eric Cornelius as Chief Executive Officer.

Shanta Kohli has been named CMO at Sysdig.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.