NIST Unveils Plan to Restore National Vulnerability Database

Agency Awards Contract for Additional Staffing to Cope With Massive Backlog of CVEs
NIST on May 30, 2024, announces its plans to restore the NVD.

The National Vulnerability Database might finally be getting a badly needed update.

The database, a U.S. federal government-maintained repository of security vulnerabilities, virtually ground to a halt in February after funding cuts forced the National Institute of Standards and Technology to stop analyzing thousands of reported software and hardware flaws.

The agency announced late Tuesday that it has awarded a contract "for additional processing support" to help deal with the massive backlog that began piling up earlier in the year as experts warned the database was reaching a breaking point. Information Security Media Group previously reported the database was nearing 10,000 unanalyzed vulnerabilities and that NIST only assessed two of the nearly 2,000 CVEs reported in May (see: Experts Warn the NVD Backlog Is Reaching a Breaking Point).

"We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," NIST said. The agency also said it expects to clear the backlog of unprocessed CVEs "by the end of the fiscal year," which is Sept. 30.

Experts told ISMG the NVD's restoration is a welcome development but warned that too many private sector organizations have grown increasingly reliant on the database to track CVEs.

"Too many commercially available tools depend solely upon the NVD feed for vulnerability-enriched data," said Brian Fox, CTO of the software supply chain management firm Sonatype and a board member of the Open Source Security Foundation. "Once the NVD slowed down, all those tools effectively became blind to new vulnerabilities."

A spokesperson for NIST told ISMG the new contract staffing will be provided by Maryland-based Analygence but declined to provide additional information regarding the length and total cost of the award. The agency said it was working with the Cybersecurity and Infrastructure Security Agency to facilitate the addition of the unprocessed CVEs into the database.

NIST also said it was "working on ways to address the increasing volume of vulnerabilities through technology and process updates," adding that its goal is to build a sustainable program "and to support the automation of vulnerability management, security measurement and compliance."

About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.