Connect with us

Hi, what are you looking for?



NIST Getting Outside Help for National Vulnerability Database

NIST is receiving support to get the NVD and CVE processing back on track within the next few months.


NIST announced on Wednesday that it will be receiving outside help to get the National Vulnerability Database (NVD) back on track within the next few months. 

The organization informed the cybersecurity community in February that it should expect delays in the analysis of Common Vulnerabilities and Exposures (CVE) identifiers in the NVD, saying that it was working to establish a consortium to improve the program.

In an update shared in April, NIST admitted that there was a growing backlog of vulnerabilities submitted to the NVD that required analysis, blaming the issue on an increase in the number of vulnerabilities, as well as “change in interagency support”. 

While looking for long-term solutions to this problem, the agency has been prioritizing the analysis of the most serious vulnerabilities. 

In its latest update, shared on May 29, NIST said it has awarded a contract for additional processing support for the NVD. The name of the company that got the contract has not been disclosed in the announcement, but NIST told The Stack that it’s Analygence. 

“We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months,” NIST said.

Regarding the backlog of unprocessed CVEs, NIST noted that it’s also working with the cybersecurity agency CISA to add the unprocessed vulnerabilities to the database. 

The organization expects to clear the backlog by the end of the fiscal year. The government’s fiscal year ends on September 30. 

Advertisement. Scroll to continue reading.

“As we shared earlier, NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates,” NIST said. “Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.”

SecurityWeek spoke to several experts in April about the issues surrounding the NVD and why it can no longer be considered a single central source of vulnerability truth.

An analysis conducted recently by vulnerability management firm VulnCheck showed that of the 12,720 security flaws added to the NVD since February, 11,885 have not been analyzed or enriched with critical data. More than half of vulnerabilities known to have been exploited in attacks have yet to be analyzed. 

CISA announced recently the launch of a new project named Vulnrichment, which aims to add important information to CVE records in an effort to help organizations improve their vulnerability management processes.

*updated with the name of the company that received the CVE support contract

Related: NIST Grants $3.6 Million to Boost US Cybersecurity Workforce

Related: Industry Reactions to NIST Cybersecurity Framework 2.0: Feedback Friday

Related: NIST: No Silver Bullet Against Adversarial Machine Learning Attacks

Related: Security Team Huddle: Using the Full NIST Cybersecurity Framework for the Win

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights