The National Institute of Standards and Technology (NIST) has made significant progress in clearing the backlog of unanalyzed exploited vulnerabilities, which had accumulated earlier this year. This progress was made possible through collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and private sector partners. NIST stated that it now has a full team of analysts working to address all incoming Common Vulnerabilities and Exposures (CVEs), with particular focus on Known Exploited Vulnerabilities (KEVs). The agency has cleared the backlog of KEVs and is processing new ones as they are reported.
Despite this progress, NIST admitted that it will not meet its previous goal of clearing both exploited and unexploited vulnerabilities by the end of the year. Researchers from VulnCheck had reported that by September 21, a large percentage of vulnerabilities in the National Vulnerability Database (NVD) remained unanalyzed, including nearly half of the exploited vulnerabilities. This backlog has raised concerns, with experts warning that it hampers the cybersecurity community’s understanding of emerging threats and weakens the response to ongoing cyberattacks.
A significant challenge that NIST faced in clearing the backlog was the inability to efficiently import and process data from Authorized Data Providers (ADPs), including CISA, the first agency to receive this status. NIST explained that the data provided by ADPs was in a format that made it difficult for the agency to enrich the vulnerability entries in a timely manner. To resolve this issue, NIST is developing new systems that will allow for more efficient processing of incoming ADP data, ensuring that vulnerabilities can be properly analyzed and documented in the NVD.
Earlier this year, cybersecurity professionals and experts voiced concerns over the backlog, urging Congress to allocate funding to support the NVD as critical infrastructure. The backlog of unanalyzed vulnerabilities has been seen as a significant risk to the cybersecurity industry, as it prevents professionals from accessing crucial information about vulnerabilities in products and systems. Despite the setbacks, NIST remains committed to improving the vulnerability analysis process and ensuring that it can respond more quickly to emerging cybersecurity threats in the future.