NIST, the National Institute of Standards and Technology, is taking proactive steps to resolve a backlog issue within the National Vulnerability Database (NVD). This backlog arose following agency cutbacks earlier in the year, prompting concerns from government officials, cybersecurity experts, and defenders. To address this, NIST has awarded a contract to an external vendor, aiming to expedite the processing of software and hardware bugs added to the database.
The contract, awarded to an unspecified company, is expected to enhance support for processing incoming Common Vulnerabilities and Exposures (CVEs) within the NVD. NIST anticipates restoring processing rates to pre-February 2024 levels in the coming months, with collaboration from the Cybersecurity and Infrastructure Security Agency (CISA). The agency is working diligently to add unprocessed CVEs to the database and aims to clear the backlog by the end of the fiscal year.
Despite challenges posed by increased vulnerability volumes and funding reductions, NIST remains steadfast in its commitment to modernize the NVD program. Automation initiatives for vulnerability management, security measurement, and compliance processes are underway to streamline operations and improve database efficacy. These efforts align with complementary projects like CISA’s “Vulnrichment,” which enriches CVEs and encourages comprehensive vulnerability submissions.
Acknowledging the critical importance of the NVD as a cybersecurity resource, industry experts and leaders have emphasized the need to fund and protect it. Rob Joyce, former cybersecurity director for the National Security Agency, highlighted the urgent need to address the backlog, citing risks associated with gaps in understanding the evolving attack surface. As NIST continues its efforts to clear the backlog and enhance NVD functionality, stakeholders remain hopeful for a return to normal operational levels and the preservation of trust in information technology.