The U.S. National Institute of Standards and Technology (NIST) has made a significant move to tackle the backlog of Common Vulnerabilities and Exposures (CVEs) awaiting analysis in the National Vulnerability Database (NVD). In response to the volume of new entries and the CVEs that have accumulated since February 2024, NIST has engaged an external contractor to provide additional processing support.
While the contractor remains unnamed, NIST expects the decision to return the institute to its normal processing rates within the next few months, after a period in which it has struggled to keep pace with the growing workload.
NIST, as the entity responsible for managing entries in the NVD, is taking proactive steps to address the backlog. By leveraging the assistance of an external party, NIST aims to streamline its processing efforts and clear the backlog in a timely manner. The agency anticipates that, with this additional support, it will be able to match the processing rates it maintained before February 2024.
To further expedite the clearing of the backlog, NIST is collaborating closely with the Cybersecurity and Infrastructure Security Agency (CISA). By working together, both agencies are dedicated to enhancing their overall operations and processes to ensure the backlog is resolved by the end of the fiscal year. NIST has also indicated that it is exploring modernized technology and process improvements to address the increasing volume of vulnerabilities effectively.
The NIST status update reaffirms the agency’s commitment to maintaining and modernizing the NVD. By building a sustainable program focused on automating vulnerability management, security measurement, and compliance, NIST aims to preserve this vital national resource and instill trust in information technology while fostering innovation.
In response to the challenges faced by NIST, CISA has launched its own initiative called “Vulnrichment.” The project is designed to enrich public CVE records and to complement the work of the CVE Numbering Authorities (CNAs) that publish them. By applying a Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree to each vulnerability, CISA intends to weigh factors such as observed exploitation, automatability and technical impact in order to improve the quality of CVE data.
By providing enriched CVE data, CISA seeks to improve the overall quality and usefulness of the CVE corpus, and thereby of the NVD, for cybersecurity professionals. The agency will populate additional fields (such as CVSS, CWE and CPE data) in the ADP (Authorized Data Publisher) container of the CVE record for CVEs that do not already have this information, based on supporting evidence; data already supplied by the CNA is left in place. CISA also welcomes feedback from the IT cybersecurity community on this initiative.
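To make the ADP container concrete, the following added example (not code from CISA, NIST or this article) reads a CVE JSON 5.1 record, pulls the SSVC decision points and enrichment metrics out of the CISA-ADP container, and applies the gap-filling rule described above: CNA-supplied CVSS and CWE data win, and the ADP values are used only where the CNA left the field empty. The record is constructed for the example (CVE-2024-0000 is a placeholder, not a real vulnerability), and the `needs_attention` rule is an illustrative local triage rule, not CISA's SSVC decision tree.

```python
"""Read CISA Vulnrichment data (ADP container) from a CVE JSON 5.1 record.

Added example; not CISA's, NIST's or the CVE Program's code.  The record is
constructed for illustration and CVE-2024-0000 is a placeholder identifier.
The layout (containers.cna plus containers.adp[], SSVC carried as an
"other" metric of type "ssvc") follows the CVE JSON 5.1 schema.
"""
import json

SAMPLE_RECORD = json.loads("""
{"dataType": "CVE_RECORD", "dataVersion": "5.1",
 "cveMetadata": {"cveId": "CVE-2024-0000", "state": "PUBLISHED"},
 "containers": {
   "cna": {"providerMetadata": {"shortName": "ExampleCNA"},
           "descriptions": [{"lang": "en", "value": "Constructed example."}],
           "affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct",
                         "versions": [{"version": "1.0", "status": "affected"}]}]},
   "adp": [{"title": "CISA ADP Vulnrichment",
            "providerMetadata": {"shortName": "CISA-ADP"},
            "metrics": [
              {"other": {"type": "ssvc", "content": {"id": "CVE-2024-0000",
                 "role": "CISA Coordinator", "version": "2.0.3",
                 "options": [{"Exploitation": "poc"}, {"Automatable": "no"},
                             {"Technical Impact": "total"}]}}},
              {"cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH",
                 "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}],
            "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-787",
                 "lang": "en", "description": "CWE-787 Out-of-bounds Write"}]}]}]}}
""")


def find_adp_container(record, short_name="CISA-ADP"):
    """Return the ADP container published by `short_name`, or None."""
    for adp in record.get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") == short_name:
            return adp
    return None


def extract_ssvc(record):
    """Flatten the SSVC decision points into {'Exploitation': ..., ...}."""
    adp = find_adp_container(record)
    if adp is None:
        return None
    for metric in adp.get("metrics", []):
        other = metric.get("other")
        if other and other.get("type") == "ssvc":
            options = {}
            for opt in other.get("content", {}).get("options", []):
                options.update(opt)  # each entry is a single-key dict
            return options
    return None


def _first_cvss(container):
    """Newest CVSS block present in a container's metrics, as (key, dict)."""
    for metric in container.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric:
                return key, metric[key]
    return None


def effective_cvss(record):
    """CNA-supplied CVSS wins; the ADP value only fills a gap."""
    cna = record.get("containers", {}).get("cna", {})
    hit = _first_cvss(cna)
    source = "cna"
    if hit is None:
        adp = find_adp_container(record)
        hit = _first_cvss(adp) if adp else None
        source = "adp"
    if hit is None:
        return None
    key, cvss = hit
    return {"source": source, "schema": key, **cvss}


def _cwes_in(container):
    return [d["cweId"] for pt in container.get("problemTypes", [])
            for d in pt.get("descriptions", []) if d.get("cweId")]


def effective_cwes(record):
    """CWE ids from the CNA, falling back to the ADP's problemTypes."""
    cna_ids = _cwes_in(record.get("containers", {}).get("cna", {}))
    if cna_ids:
        return {"source": "cna", "cwes": cna_ids}
    adp = find_adp_container(record)
    adp_ids = _cwes_in(adp) if adp else []
    return {"source": "adp" if adp_ids else None, "cwes": adp_ids}


def needs_attention(ssvc):
    """Illustrative local triage rule (an assumption of this example, NOT the
    CISA SSVC decision tree): flag active exploitation, or automatable
    exploitation with total technical impact."""
    if not ssvc:
        return False
    if ssvc.get("Exploitation") == "active":
        return True
    return ssvc.get("Automatable") == "yes" and ssvc.get("Technical Impact") == "total"


if __name__ == "__main__":
    ssvc = extract_ssvc(SAMPLE_RECORD)
    print("SSVC:", ssvc)
    print("CVSS:", effective_cvss(SAMPLE_RECORD))
    print("CWE:", effective_cwes(SAMPLE_RECORD))
    print("needs attention:", needs_attention(ssvc))
```

Because the constructed CNA container carries no CVSS or CWE data, both lookups resolve to the ADP values and report `"source": "adp"`; a record whose CNA already supplies them would report `"cna"` and ignore the enrichment, which is the precedence a consumer of Vulnrichment data should keep when merging the two containers.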
As both NIST and CISA continue to address the backlog and implement modernization plans, they remain committed to keeping the community informed of their progress. This collaborative effort between the two agencies underscores their dedication to enhancing cybersecurity and ensuring the efficient processing of vulnerabilities in the NVD.
In conclusion, the steps taken by NIST and CISA reflect their commitment to clearing the backlog of CVEs in the NVD and improving the overall quality of vulnerability data. By working together and adopting modernized approaches, the two agencies are paving the way for a more efficient and effective vulnerability management process.