Vulnerability database backlog due to increased volume, changes in 'support,' NIST says

The National Institute of Standards and Technology (NIST) blamed increases in the volume of software and “a change in interagency support” for the recent backlog of vulnerabilities analyzed in the organization’s National Vulnerability Database (NVD).

For years, the NVD has been an invaluable resource for cybersecurity experts and defenders who rely on it for key information about vulnerabilities. 

But in mid-February, important metadata from the NVD was removed and the organization struggled to process waves of new vulnerabilities. NIST posted a notice on its website claiming it was “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” 

“You will temporarily see delays in analysis efforts during this transition,” they said on February 15. 

Since then, the number of vulnerabilities processed by the NVD has dropped precipitously, according to NIST data. So far in 2024, NIST has analyzed about half of the 8,785 vulnerabilities submitted. But last month, they were only able to analyze 199 out of the 3,370 submitted. 

A spokesperson for NIST called the database “a key piece of the nation’s cybersecurity infrastructure” but confirmed to Recorded Future News that there is a “growing backlog of vulnerabilities submitted to the NVD and requiring analysis.”

“This is based on a variety of factors, including an increase in software and therefore vulnerabilities, as well as a change in interagency support. Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well,” a NIST official said. 

“We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD.”

Last Thursday, CyberScoop reported that NVD program manager Tanya Brewer told an audience at VulnCon about a plan to create an outside consortium to make the database better.  She listed dozens of potential improvements and explained that the NVD staff has stayed the same — at 21 people — while the number of vulnerabilities submitted continues to grow. 

The NIST official told Recorded Future News that the organization is still “committed to its continued support and management of the NVD.”

“We will provide more information as these plans develop,” they said. 

Dozens of cybersecurity experts signed a letter addressed to Congress and Secretary of Commerce Gina Raimondo imploring them to fund and protect the NVD, calling it “critical infrastructure for a large variety of cybersecurity products.”

“At a time when we and our colleagues are working to hold back a devastating tide of ransomware and the widening intrusion of foreign intelligence and military organizations into American critical infrastructure, those who protect America’s critical infrastructure are being stripped of a vital resource,” the experts said. 

“The NVD is integral to how every organization in the private and public sectors worldwide works to defend against vulnerability exploitation attacks targeting their technology systems. We are deeply concerned with the loss of this functionality and the lack of transparent communication from NIST about this issue to the cybersecurity community and organizations that depend on it.”

With the decrease in information provided about each vulnerability, automatic scanning tools will struggle to identify the risk and leave operators of critical infrastructure unaware, they said.

The letter claims funding for the NVD was recently cut by 20%. NIST did not respond to requests for comment about whether this is accurate. 

The experts also criticized NIST for being tight-lipped about the changes and providing little insight into what will be done to fix the current issues. Brewer told the conference that NIST plans to submit a notice in the Federal Register in two weeks that will formalize the consortium idea. 

The NVD has existed since 2005 but NIST recently was forced to swallow a 12% drop in funding for the current fiscal year compared to the year before.

The letter to Congress warns that a failure to restore the NVD will endanger everyone — pointing to several recent incidents including the Change Healthcare cyberattack that has paralyzed the healthcare industry for weeks. 

“These vulnerability exploitation incidents will only worsen if the NVD continues to lag in providing up-to-date vulnerability data for organizations to find and fix vulnerabilities before attackers try to exploit them,” they said. 

“We need you to urgently take action to resolve issues with the NVD to ensure the state of cybersecurity, in the U.S. and worldwide, continues to improve - not regress.”