NIST Unveils Plan to Restore National Vulnerability Database
Agency Awards Contract for Additional Staffing to Cope With Massive Backlog of CVEs
The National Vulnerability Database might finally be getting a badly needed update.
The database, a U.S. federal government-maintained repository of security vulnerabilities, virtually ground to a halt in February after funding cuts forced the National Institute of Standards and Technology to stop analyzing thousands of reported software and hardware flaws.
The agency announced late Tuesday that it has awarded a contract "for additional processing support" to help deal with the massive backlog that began piling up earlier in the year as experts warned the database was reaching a breaking point. Information Security Media Group previously reported the database was nearing 10,000 unanalyzed vulnerabilities and that NIST only assessed two of the nearly 2,000 CVEs reported in May (see: Experts Warn the NVD Backlog Is Reaching a Breaking Point).
"We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," NIST said. The agency also said it expects to clear the backlog of unprocessed CVEs "by the end of the fiscal year," which is Sept. 30.
Experts told ISMG the NVD's restoration is a welcome development but warned that too many private sector organizations have grown increasingly reliant on the database to track CVEs.
"Too many commercially available tools depend solely upon the NVD feed for vulnerability-enriched data," said Brian Fox, CTO of the software supply chain management firm Sonatype and a board member of the Open Source Security Foundation. "Once the NVD slowed down, all those tools effectively became blind to new vulnerabilities."
A spokesperson for NIST told ISMG the new contract staffing will be provided by Maryland-based Analygence but declined to provide additional information regarding the length and total cost of the award. The agency said it was working with the Cybersecurity and Infrastructure Security Agency to facilitate the addition of the unprocessed CVEs into the database.
NIST also said it was "working on ways to address the increasing volume of vulnerabilities through technology and process updates," adding that its goal is to build a sustainable program "and to support the automation of vulnerability management, security measurement and compliance."