
NIST Designates Older CVEs as Deferred in NVD


The National Institute of Standards and Technology (NIST) recently made a significant announcement regarding the handling of Common Vulnerabilities and Exposures (CVEs) listed in the National Vulnerability Database (NVD). According to the new policy, all CVEs published before January 1, 2018, will now be categorized as ‘Deferred’ in the database. This means that NIST will no longer prioritize updating NVD enrichment or initial enrichment data for these older CVEs unless they are identified in CISA’s Known Exploited Vulnerabilities catalog. To inform users about this change, a banner will be displayed on the CVE Detail Pages of deferred entries.

Following this announcement, the number of CVEs marked as Deferred quickly rose to 20,000 and could reach up to 100,000 entries. The surge is attributed mainly to the fact that around one-third of the CVEs listed in the NVD predate the 2018 cutoff. NIST made the change so that it can focus on more recent vulnerabilities amid the mounting backlog of outdated CVE entries. The organization has struggled with delays in CVE analysis, which have left a significant number of entries pending.

For over a year, NIST has been striving to tackle this backlog by seeking external assistance and developing new operational systems. Initially, the institute aimed to clear the backlog by the conclusion of fiscal year 2024, but encountered difficulties due to inefficiencies in processing incoming data. In November, NIST acknowledged these setbacks and declared its efforts to enhance data processing efficiency through the implementation of new systems.

Despite these endeavors, NIST disclosed last month that a 32% surge in CVE submissions in 2024 had further compounded the existing backlog. With submissions expected to keep growing, NIST is now considering artificial intelligence (AI) and machine learning technologies to manage the escalating volume of CVEs more effectively.

The decision to mark older CVEs as Deferred signifies a strategic shift in NIST’s approach towards prioritizing the handling of vulnerabilities in the NVD. By focusing on newer and potentially more critical vulnerabilities, the organization aims to address current cybersecurity risks more efficiently. However, the implementation of this policy has led to a substantial increase in the number of deferred CVEs in the database, underscoring the magnitude of the challenge faced by NIST in managing the influx of vulnerability data.

In conclusion, NIST’s decision to designate pre-2018 CVEs as Deferred reflects a proactive step towards optimizing cybersecurity efforts and streamlining vulnerability management processes. As the organization continues to grapple with the escalating volume of CVE submissions, leveraging advanced technologies like AI and machine learning may offer promising solutions to enhance the efficiency and effectiveness of CVE analysis and remediation.
