The U.S. National Institute of Standards and Technology (NIST) blames a dearth of analysis affecting thousands of entries in the National Vulnerability Database (NVD) on a drop in “interagency support” as vulnerability reporting surges.
As the world’s most widely used vulnerability database, the NVD plays a vital role in global cybersecurity, but since mid-February, NIST has fallen behind in its role of adding essential enrichment information to new CVE (common vulnerabilities and exposures) entries.
The enrichment data gives threat analysts the context they need to act on a new vulnerability: a basic description of the bug, the software it affects, CVSS severity scores, the related Common Weakness Enumeration (CWE) category, Common Platform Enumeration (CPE) identifiers for the affected products, patch availability, and links to additional resources.
According to NIST’s website, the institute analyzed only 199 of 3370 CVEs it received last month.
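Because an un-enriched CVE still appears in NVD feeds, a consumer has to check for the missing fields itself rather than trust that every entry carries a CVSS score, CWE and CPE data. The following is an added example, not code from the article or from NIST: it parses records shaped like the NVD API 2.0 JSON response (`vulnStatus`, `metrics`, `weaknesses`, `configurations`, `references`) and reports which enrichment fields each CVE lacks, so those entries can be routed to local triage. The sample response is constructed here with hypothetical CVE IDs and is not real NVD data; the `cvss_nist` distinction assumes NVD-assigned scores carry the source `nvd@nist.gov`, as they do in the API 2.0 schema.

```python
import json
from typing import Any

# Constructed sample (hypothetical CVE IDs, not real NVD data), shaped like the
# "vulnerabilities" array returned by the NVD API 2.0 /rest/json/cves/2.0 endpoint.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {   # fully enriched entry
            "cve": {
                "id": "CVE-2024-90001",
                "vulnStatus": "Analyzed",
                "descriptions": [{"lang": "en", "value": "Buffer overflow in example parser."}],
                "metrics": {"cvssMetricV31": [{
                    "source": "nvd@nist.gov", "type": "Primary",
                    "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                                 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
                "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                                "description": [{"lang": "en", "value": "CWE-787"}]}],
                "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                    {"vulnerable": True, "criteria": "cpe:2.3:a:example:parser:1.0:*:*:*:*:*:*:*"}]}]}],
                "references": [{"url": "https://example.invalid/advisory"}],
            }
        },
        {   # received but never analyzed: only the CNA-supplied description and reference
            "cve": {
                "id": "CVE-2024-90002",
                "vulnStatus": "Awaiting Analysis",
                "descriptions": [{"lang": "en", "value": "SQL injection in example app."}],
                "references": [{"url": "https://example.invalid/advisory2"}],
            }
        },
        {   # the CNA supplied a CVSS score, but there is no NVD CWE/CPE enrichment yet
            "cve": {
                "id": "CVE-2024-90003",
                "vulnStatus": "Awaiting Analysis",
                "descriptions": [{"lang": "en", "value": "Path traversal in example service."}],
                "metrics": {"cvssMetricV31": [{
                    "source": "security@example.invalid", "type": "Secondary",
                    "cvssData": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                                 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]},
                "references": [],
            }
        },
    ]
})

NIST_SOURCE = "nvd@nist.gov"  # source string NVD uses for its own analyst-assigned metrics


def _cpe_criteria(cve: dict[str, Any]) -> list[str]:
    """Flatten every CPE match string out of the nested configurations tree."""
    out: list[str] = []
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            out.extend(m.get("criteria", "") for m in node.get("cpeMatch", []))
    return [c for c in out if c]


def enrichment_gaps(cve: dict[str, Any]) -> list[str]:
    """Return the names of the enrichment fields this CVE record still lacks."""
    gaps: list[str] = []
    if not any(d.get("lang") == "en" and d.get("value") for d in cve.get("descriptions", [])):
        gaps.append("description")
    # metrics is a dict keyed by CVSS version (cvssMetricV31, cvssMetricV2, ...), each a list
    entries = [e for lst in cve.get("metrics", {}).values() for e in lst]
    if not entries:
        gaps.append("cvss")
    elif not any(e.get("source") == NIST_SOURCE for e in entries):
        gaps.append("cvss_nist")  # a score exists, but it is CNA-supplied, not NVD-assigned
    if not any(d.get("value") for w in cve.get("weaknesses", []) for d in w.get("description", [])):
        gaps.append("cwe")
    if not _cpe_criteria(cve):
        gaps.append("cpe")
    if not cve.get("references"):
        gaps.append("references")
    return gaps


def triage(response_text: str) -> dict[str, dict[str, Any]]:
    """Map CVE id -> NVD status plus missing enrichment fields for one API 2.0 response body."""
    payload = json.loads(response_text)
    report: dict[str, dict[str, Any]] = {}
    for item in payload.get("vulnerabilities", []):
        cve = item["cve"]
        gaps = enrichment_gaps(cve)
        report[cve["id"]] = {
            "status": cve.get("vulnStatus", "unknown"),
            "missing": gaps,
            "needs_local_triage": bool(gaps),
        }
    return report


if __name__ == "__main__":
    for cve_id, row in triage(SAMPLE_NVD_RESPONSE).items():
        print(f"{cve_id}: {row['status']:<17} missing={row['missing'] or 'none'}")
```

The point of the `cvss_nist` bucket is that a record with a CNA-supplied score is not the same as an analyzed record: the CPE list that drives asset matching is still absent, so an inventory-based scanner will silently miss it unless the gap is flagged.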
Staff reassigned to deal with CVE backlog
Other than a short notice advising it was working to establish a new consortium to improve the NVD, NIST had not provided a public explanation for the problems prior to a statement published over the past weekend.
The growing backlog of vulnerabilities requiring analysis was due to “a variety of factors, including an increase in software and therefore vulnerabilities, as well as a change in interagency support,” the statement said.
“Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.”
NIST, which had its budget cut by almost 12% this year by lawmakers, said it was committed to continuing to support and manage the NVD, which it described as “a key piece of the nation’s cybersecurity infrastructure.”
“We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD,” the statement said.
“We will provide more information as these plans develop.”
New NVD consortium said to be close
A group of cybersecurity professionals have signed an open letter (Google doc) to Congress and Commerce Secretary Gina Raimondo in which they say the enrichment issue is the result of a recent 20% cut in NVD funding.
“We urge you to expeditiously investigate the ongoing issues with the NVD to ensure NIST is provided with the necessary resources to not only resume normal operations of this critical service but to also improve it further to resolve extant issues that preceded the February 2024 service degradation,” the letter said.
“At a time when we and our colleagues are working to hold back a devastating tide of ransomware and the widening intrusion of foreign intelligence and military organizations into American critical infrastructure, those who protect America’s critical infrastructure are being stripped of a vital resource.”
Meanwhile, Infosecurity Magazine reported that NVD program manager Tanya Brewer spoke at last week’s VulnCon conference about NIST’s plans to establish an NVD consortium.
“We’re not going to shut down the NVD; we’re in the process of fixing the current problem. And then, we’re going to make the NVD robust again and we’ll make it grow,” Brewer reportedly told the cybersecurity conference in Raleigh, North Carolina.
“Although the official paperwork is not out yet, NIST has every intention of putting together the NVD Consortium to make the NVD more relevant in the future. It should be operational within two weeks,” she said.