The National Institute of Standards and Technology (NIST) recently made an important announcement regarding the processing of Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database (NVD). The agency has awarded a contract to an undisclosed company or organization to assist them in this task, with the goal of clearing the NVD backlog of unprocessed CVEs by the end of the fiscal year.
The NVD’s struggles with processing CVEs came to light earlier this year, prompting NIST to take action. Tanya Brewer, program manager at the NVD, revealed that the program is exploring various changes to enhance software identification, automate certain CVE analysis activities, improve data accessibility, and develop capabilities to publish additional types of data. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) launched a CVE “vulnrichment” program to help address the challenges faced by the NVD.
In response to these issues, NIST has been working diligently to address the backlog and enhance the NVD’s capabilities. The agency announced that the NVD has begun ingesting CVE 5.0 and CVE 5.1 records on an hourly basis, marking a significant step forward. NIST has also reassured the public that they do not intend to relinquish control over the NVD, emphasizing their commitment to maintaining and modernizing this critical resource.
Furthermore, NIST is actively seeking ways to manage the increasing volume of vulnerabilities through technological advancements and process improvements. The agency’s ultimate goal is to establish a sustainable program that supports the automation of vulnerability management, security measurement, and compliance.
A recent update revealed that Analygence, a Maryland-based firm, has been selected to assist NIST in processing CVEs for inclusion in the NVD. Analygence has previously been awarded contracts to support NIST’s Information Technology Lab and CISA’s Vulnerability Management Subdivision, further highlighting their expertise in the cybersecurity and privacy sector.
Overall, NIST’s efforts to address the NVD backlog and enhance its capabilities signify a proactive approach to cybersecurity and information technology management. By investing in improved tools, processes, and partnerships, NIST is positioning the NVD for long-term success and ensuring the continued trust and innovation in information technology systems.