NIST Announces Major Contract to Clear NVD Backlog by September

NIST has published an update on the backlog situation with the NVD, following last week’s media frenzy after reports surfaced that more than 50% of known exploited vulnerabilities (KEVs) have been left unenriched since mid-February. NIST announced it has engaged a contractor to assist in tackling the growing backlog of CVEs that need to be analyzed. The agency also formalized its agreement with CISA (Cybersecurity and Infrastructure Security Agency) for processing CVEs:

NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months. In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that that this backlog will be cleared by the end of the fiscal year.

The announcement also addressed NIST’s recent lack of communication which led some to speculate the agency might be transferring control of the NVD to CISA or another organization. This update reiterates NIST’s intention to modernize the NVD and continue its management:

As we shared earlier, NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates. Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance. With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD. NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation. Moving forward, we will keep the community informed of our progress toward normal operational levels and our future modernization plans.

Key points:

• NIST awarded a contract for additional processing support for incoming CVEs.
• NIST is working with CISA to add these unprocessed CVEs to the NVD.
• The backlog is anticipated to be cleared by the end of the fiscal year (September 30 for government agencies)
• NIST plans to modernize the NVD to handle the increasing volume of vulnerabilities.

NIST Sets Ambitious Goal to Tackle Backlog of Unenriched CVEs#

Cybersecurity Drive is reporting that NIST awarded the contract to Analygence for $865,657 and will begin supporting CVE processing this week, tackling the backlog on a rolling basis using the NIST CPE process and in accordance with the CVSS.

The current NVD backlog of CVEs awaiting analysis is 13,358, and NIST has given itself a deadline of ~3.5 months to clear it out. If the agency is able to complete this ambitious goal, it’s curious why NIST didn’t outsource processing sooner. The announcement is also not transparent about why they halted CVE enrichment in the first place, nor does it elaborate on the arrangement NIST has with CISA - whether they are enriching CVEs independently or passing them to the NVD contractors.

“Unfortunately, due to the CVE ecosystem not evolving at all, it has fallen short over the years and become less usable,” Vulnerability historian Brian Martin said in a post discussing Tom Alrich’s proposal of a Global Vulnerability Database. “While MITRE is minting CNAs at a record pace lately, it isn’t improving the quality of the intelligence as CNAs are not held to the rules they originally agreed upon. With the recent NVD issues and subsequent fallout with CISA who is doing 'their own' enrichment (that is outsourced actually), the community has lost faith in what is easily the ‘no child left behind' of vulnerability databases.”

NIST, which is tax-payer funded, has been opaque about how it is proceeding to address the backlog and improve the CVE processing system. The agency has dripped out minimal information seemingly only when pressed by public and media scrutiny.

Criticizing NIST’s latest status update on LinkedIn, Martin said, “Ultimately, CISA and NVD should have jointly, publicly come clean on what was transpiring, not making us guess, and not making us submit FOIA requests to figure pieces out.”

NIST’s latest update states there is a plan for modernization, but there has been no further information about its highly criticized consortium plan announced in April, after it cited an increase in the volume of vulnerabilities and “a change in interagency support” as the reason for the backlog.

NIST Has an Uphill Battle to Regain Credibility Under an Aggressive Timeline#

An open letter penned by cybersecurity professionals in April, called on Congress to investigate NVD’s lack of transparency about the stalled CVE enrichment and compel NIST to establish a plan with accountability for improvement with input from the public.

"It feels like the details and announcements are evasive in answering the questions from the community,” Okta Senior Director of Federal Architecture Rob Gil commented on LinkedIn. “There was no official response to the open letter we published. I don't think anyone wants to put blame, but we all want to understand what happened and how it can be prevented from happening again. It would be nice if NIST/NVD came clean on what happened and what they need to get it back to its previous level of function."

Security professionals who rely on the NVD are hopeful it can meet the goal of clearing the backlog in a short amount of time and fulfill its promise to communicate progress. Others remain concerned and skeptical, with some wishing NIST had simply passed the torch.

“While this is good to hear, I note there's still no explanation for what happened on February 12, when their enrichment dropped to close to zero (and later dropped further),” OWASP SBOM project co-leader Tom Alrich commented on LinkedIn. “The continuing lack of an explanation for what happened, and the fact that they couldn't at least recover to near the level they were at before the event, means they've lost a huge amount of credibility in the software security community. That won't be built back easily.”

Alrich recommended organizations take this opportunity to diversify their sources of CVE data, since there is no assurance this situation will not happen again.

“Nobody who was totally dependent on the NVD before Feb. 12 should return to that state now,” Alrich said. “Everyone needs to diversify to other options like CVE.org, OSV, OSS Index, VulnCheck, etc. Each of these offers some clear advantages over the NVD in areas like open source software coverage, support for purl, etc. This is a better strategy than trusting one database to give you all the best information, as the NVD debacle clearly proves.”