NIST announced on Wednesday that it will be receiving outside help to get the National Vulnerability Database (NVD) back on track within the next few months.
The organization informed the cybersecurity community in February that it should expect delays in the analysis of Common Vulnerabilities and Exposures (CVE) identifiers in the NVD, saying that it was working to establish a consortium to improve the program.
In an update shared in April, NIST admitted that there was a growing backlog of vulnerabilities submitted to the NVD that required analysis, blaming the issue on an increase in the number of vulnerabilities, as well as “change in interagency support”.
While looking for long-term solutions to this problem, the agency has been prioritizing the analysis of the most serious vulnerabilities.
In its latest update, shared on May 29, NIST said it has awarded a contract for additional processing support for the NVD. The name of the company that got the contract has not been disclosed in the announcement, but NIST told The Stack that it’s Analygence.
“We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months,” NIST said.
Regarding the backlog of unprocessed CVEs, NIST noted that it’s also working with the cybersecurity agency CISA to add the unprocessed vulnerabilities to the database.
The organization expects to clear the backlog by the end of the fiscal year. The government’s fiscal year ends on September 30.
“As we shared earlier, NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates,” NIST said. “Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.”
SecurityWeek spoke to several experts in April about the issues surrounding the NVD and why it can no longer be considered a single central source of vulnerability truth.
An analysis conducted recently by vulnerability management firm VulnCheck showed that of the 12,720 security flaws added to the NVD since February, 11,885 have not been analyzed or enriched with critical data. More than half of vulnerabilities known to have been exploited in attacks have yet to be analyzed.
CISA announced recently the launch of a new project named Vulnrichment, which aims to add important information to CVE records in an effort to help organizations improve their vulnerability management processes.
*updated with the name of the company that received the CVE support contract
Related: NIST Grants $3.6 Million to Boost US Cybersecurity Workforce
Related: Industry Reactions to NIST Cybersecurity Framework 2.0: Feedback Friday
Related: NIST: No Silver Bullet Against Adversarial Machine Learning Attacks
Related: Security Team Huddle: Using the Full NIST Cybersecurity Framework for the Win
