
Cybersecurity Experts Sound Alarm on Growing NVD Backlog


The United States’ federal database for tracking security vulnerabilities is facing significant challenges, with nearly 10,000 vulnerabilities left unanalyzed after the National Institute of Standards and Technology (NIST), which runs it, largely halted the enrichment of new entries with severity scores and affected-product data. As experts warn of the risks this backlog poses to critical sectors, questions are being raised about the future of the National Vulnerability Database (NVD) and who should be responsible for managing it.

Michael Daniel, president and CEO of the Cyber Threat Alliance, believes that resolving the critical question of who should populate the database is essential to fixing the NVD’s issues. There is ongoing debate over whether the NVD should remain under the management of the National Institute of Standards and Technology or be transferred to the Cybersecurity and Infrastructure Security Agency or even the private sector.

With over 9,700 Common Vulnerabilities and Exposures (CVEs) remaining unanalyzed by the NVD, according to NIST data, the backlog continues to grow. NIST attributed the backlog to various factors, including an increase in software vulnerabilities and changes in interagency support. NIST is exploring longer-term solutions, including potentially establishing a consortium of industry, government, and stakeholder organizations to address the issues.

The NVD backlog is not only a concern for the federal government but also major cybersecurity vendors that rely on its data for vulnerability management. Scott Kuffer, co-founder of Nucleus Security, warns that the backlog could impact the ability of cybersecurity vendors to detect vulnerabilities in their environment, leading to potential security risks.

While some argue that the private sector should take on a larger role in vulnerability reporting and management, others believe that keeping the database under federal control is essential for fostering collaboration and ensuring consistent standards. CVE records themselves are published by CVE Numbering Authorities (vendors, researchers, and coordinators); the NVD then enriches each record with risk attributes such as CVSS severity scores, CWE weakness classifications, and CPE product identifiers. When that enrichment is delayed or inconsistent, organizations lack the data they need to prioritize their patching efforts.

Industry professionals, including Kaylin Trychon of Chainguard, have called on Congress to investigate the challenges facing the NVD and allocate additional resources to enhance its operations. Trychon believes that privatizing the NVD could lead to confusion and potential security incidents, emphasizing the importance of treating the database as critical infrastructure.

Experts agree that automated processes could help improve the quality and timeliness of NVD data, but organizations will still need to make informed decisions about which vulnerabilities to patch first. Ensuring the NVD’s data is consistent and up-to-date is crucial for organizations to prioritize their security efforts effectively and protect against potential cyber threats.
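The practical consequence of the backlog is that a CVE record can be published while still carrying no NVD-assigned CVSS score or CPE product identifiers, so a pipeline that keys on those fields silently drops it. The script below is an added example, not code from the article or from NIST: it parses a constructed response in the shape of the NVD API 2.0 JSON (field names such as `vulnStatus`, `metrics.cvssMetricV31`, `type` and `configurations` follow that format as the author of this example understands it, and the CVE IDs are placeholders), flags records that are still awaiting analysis, falls back to a CNA-supplied score where one exists, and summarizes how much of the feed is unusable for prioritization.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of an NVD API 2.0 response.
# The CVE IDs are placeholders, not real vulnerabilities.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"source": "nvd@nist.gov", "type": "Primary",
                      "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
                 "configurations": [{"nodes": []}]}},
        # Published, but NVD enrichment has not happened yet; only the
        # CNA's own score is present and there is no CPE configuration.
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [
                     {"source": "security@example.com", "type": "Secondary",
                      "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
        # Just received: no score from anyone, no CPE data.
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Received",
                 "metrics": {}}},
    ]
})

# vulnStatus values that mean NVD has not yet enriched the record.
UNENRICHED = {"Received", "Awaiting Analysis", "Undergoing Analysis"}


@dataclass
class Triage:
    cve_id: str
    status: str
    score: Optional[float]
    score_source: str   # "nvd", "cna", or "none"
    has_cpe: bool       # whether any CPE configuration is attached


def triage_record(cve: dict) -> Triage:
    """Classify one CVE record by how usable it is for prioritization."""
    status = cve.get("vulnStatus", "")
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    # Assumption: "Primary" metrics are NVD's own, "Secondary" come from
    # the CNA or another source. Prefer NVD, fall back to CNA.
    primary = [m for m in metrics if m.get("type") == "Primary"]
    secondary = [m for m in metrics if m.get("type") == "Secondary"]
    if primary:
        score, source = primary[0]["cvssData"]["baseScore"], "nvd"
    elif secondary:
        score, source = secondary[0]["cvssData"]["baseScore"], "cna"
    else:
        score, source = None, "none"
    return Triage(cve["id"], status, score, source, bool(cve.get("configurations")))


def triage_feed(raw_json: str) -> list:
    """Parse an API-2.0-shaped response and triage every record in it."""
    data = json.loads(raw_json)
    return [triage_record(v["cve"]) for v in data.get("vulnerabilities", [])]


def backlog_summary(results) -> dict:
    """Count how many records a scanner or prioritizer would mishandle."""
    return {
        "total": len(results),
        "unenriched": sum(1 for r in results if r.status in UNENRICHED),
        "no_score": sum(1 for r in results if r.score is None),
        "cna_score_only": sum(1 for r in results if r.score_source == "cna"),
        "no_cpe": sum(1 for r in results if not r.has_cpe),
    }


if __name__ == "__main__":
    results = triage_feed(SAMPLE_RESPONSE)
    for r in results:
        flag = "BACKLOG" if r.status in UNENRICHED else "ok"
        print(f"{r.cve_id}: {r.status:<18} score={r.score} ({r.score_source}) "
              f"cpe={'yes' if r.has_cpe else 'no'} [{flag}]")
    print(backlog_summary(results))
```

Records with `has_cpe` false are the ones a CPE-matching scanner will never match against installed software, so they need a manual or keyword-based check until NVD analysis catches up; records scored only by the CNA should be prioritized on that score rather than treated as unscored.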
