NIST expects to clear backlog in vulnerabilities database by end of fiscal year

The National Institute of Standards and Technology (NIST) said it has awarded a new contract to an outside vendor that will help the federal government process software and hardware bugs added to the National Vulnerability Database (NVD).

Government officials, cybersecurity experts and defenders have repeatedly raised alarms about the backlog of new vulnerabilities that have not been analyzed or enriched since the agency announced cutbacks in February. Enrichment involves adding contextual data to an entry about a vulnerability.

A spokesperson for NIST contacted Recorded Future News to say the new contract will see an unspecified company provide “additional processing support for incoming Common Vulnerabilities and Exposures (CVEs)” that will be added to the NVD. 

“We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months,” NIST said on Wednesday. The agency is working with the Cybersecurity and Infrastructure Agency on adding unprocessed CVEs to the database.

“We anticipate that this backlog will be cleared by the end of the fiscal year,” NIST said. 

The NIST spokesperson did not respond to requests for comment about what company had been hired to help with vulnerability processing or how much cheaper it is for the federal government to outsource the tasks. Fiscal 2024 ends September 30.

Tough numbers

Since its inception in 2005, the NVD has been an invaluable resource for cybersecurity experts and defenders. 

In April, NIST blamed the recent backlog on increases in the volume of vulnerabilities and “a change in interagency support." The agency posted a notice on its website claiming it was “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” 

NIST recently was forced to swallow a 12% drop in funding for the current fiscal year compared to the year before. NVD program manager Tanya Brewer told an audience at VulnCon earlier this year that the NVD staff has stayed the same — at 21 people — while the number of vulnerabilities submitted continues to grow. 

Researchers from VulnCheck analyzed the NVD’s activity since it announced cutbacks on February 12 and found that of the 12,720 new vulnerabilities added since then, 11,885 “have not been analyzed or enriched with critical data that help security professionals determine what software has been affected by a vulnerability.”

'Sustainable for the long term'

In the updated notice on Wednesday, NIST said it is working to address the “increasing volume of vulnerabilities through technology and process updates.” 

“Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance,” the agency said. 

NIST said it is “fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation.” The agency plans to provide further updates as it attempts to return “toward normal operational levels.”

Last month, CISA started an enrichment effort called “Vulnrichment," which will add some information to CVEs. CISA recently enriched about 1,300 CVEs and urged those submitting vulnerabilities to provide more initial information in an effort to help the process. 

Dozens of cybersecurity experts previously signed a letter addressed to Congress and Secretary of Commerce Gina Raimondo imploring them to fund and protect the NVD, calling it “critical infrastructure for a large variety of cybersecurity products.”

Recently retired cybersecurity director for the National Security Agency Rob Joyce said on social media that the backlog “is a significant risk” and means that the cybersecurity industry now lacks understanding of the evolving attack surface.  

“We need NVD functionality restored ASAP,” he said.