SecurityWeek

NIST Puts Pre-2018 CVEs on Back Burner as It Works to Clear Backlog

NIST has marked pre-2018 CVEs in NVD as ‘Deferred’ and will no longer spend resources on enriching them.

The National Institute of Standards and Technology (NIST) has announced that all CVEs published before January 1, 2018, will be marked as ‘Deferred’ in the National Vulnerability Database (NVD).

This means that, because the CVEs are old, NIST will no longer prioritize updating NVD enrichment or initial NVD enrichment data for them, unless they are or have been included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

“CVEs marked as Deferred will display a banner on their CVE Detail Pages indicating this status. This change will take place over the span of several nights. We are doing this to provide additional clarity regarding which CVE records are prioritized,” NIST announced.

“We will continue to accept and review requests to update the metadata provided for these CVE records. Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow,” NIST said.

Shortly after the announcement, the count for CVE entries marked Deferred jumped to 20,000. The total number, however, could reach 100,000 soon: as vulnerability researcher Patrick Garrity pointed out, roughly one in three CVEs in the NVD is older than 2018.

This shift of priorities is not surprising. Struggling with growing delays in the analysis of CVEs, NIST has been looking for ways to clear the CVE backlog for over a year, including through outside help.

A year ago, the institute was rather confident it would clear the backlog by the end of fiscal year 2024, but failed to do so, mainly because it could not efficiently import and enrich the data it was receiving.  

“To address this issue, we are developing new systems that will allow us to process incoming ADP data more efficiently,” NIST said in November.

Last month, however, it revealed that a 32% increase in submissions last year resulted in a growing backlog, and that its efforts stumbled. With the rate of submissions expected to increase this year, the adoption of AI and machine learning is being considered.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
