In June 2024, NIST announced a major contract to help clear the NVD backlog after reports surfaced that more than 50% of known exploited vulnerabilities (KEVs) have been left unenriched since mid-February. At that time, CVEs awaiting analysis were at 13,358, and NIST gave itself a deadline of the end of the fiscal year to clear it out.
In the ~3.5 months since NIST contracted Analygence for $865,657 to help with CVE processing, the cybersecurity company has increased the number of CVEs undergoing analysis but has not been able to keep pace with the high volume of new vulnerabilities added this year. The NVD has slipped further into its backlog, with nearly 18,000 CVEs awaiting analysis today.
Although the deadline has come and gone, the NVD hasn’t posted any updates on its communications page. NIST, which is taxpayer-funded, continues to be opaque about how it is proceeding to address the backlog and improve the CVE processing system, dripping out minimal information while the situation continues to delay the timely dissemination of important vulnerability information, potentially leaving systems exposed to known threats for longer periods.
VulnCheck published a follow-up post to its previous analysis, which had demonstrated that 50.8% of the KEVs in its catalog had not been analyzed by the NVD since February. In the latest update, VulnCheck’s Patrick Garrity noted that the NVD “has made considerable progress in processing new vulnerabilities” but hasn’t been able to address the substantial backlog:
- As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed (compared to 93.4% as of May 19, 2024).
- As of September 21, 2024, 46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024). Of the 197 KEVs, 92 have yet to be assessed by the NVD (Source: VulnCheck KEV).
Garrity also noted that he believes NVD’s embrace of CISA’s Vulnrichment as a data provider for CVSS enrichment has been a notable success, and that the progress shown indicates that “the NVD might now have the capacity to keep up with enriching new CVEs.”
Even if the NVD is able to mobilize and maintain this effort enriching new CVEs as they are reported, the volume of CVEs is on track for 33.8% YOY growth, according to threat researcher Jerry Gamblin.
In May, CVE publication hit an all-time high, with more than 5,000 published that month, thanks in part to the large volume of Linux kernel bugs. MITRE continues to add CNAs at a healthy clip, passing the 4,000 CNA milestone in August. Congress has also advanced a bill to add security vulnerabilities in artificial intelligence (AI) systems to the NVD, which would increase the workload. NIST would be required to work in cooperation with CISA and other organizations to develop a common lexicon for reporting AI cybersecurity incidents.
The NVD’s backlog has increased by 33% since NIST contracted Analygence to help tackle it, due to the sheer volume of CVEs being reported. At this rate, it’s going to take a herculean effort to get the backlog under control. It’s a difficult problem to solve with many moving parts, and more resources may need to be allocated. Given NIST’s role in safeguarding critical infrastructure, the failure to meet its self-imposed deadline demands immediate, transparent communication of the next steps it is pursuing to overhaul the CVE processing system.