NIST says NVD will be back on track by September 2024
The National Institute of Standards and Technology (NIST) has awarded a contract for an unnamed company/organization to help them process incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database (NVD), the agency has announced on Wednesday.
They also aim to clear the NVD backlog of unprocessed CVEs by the end of the fiscal year (i.e., September 30).
NVD’s problems became obvious in February
The NVD started slowing down its CVE enrichment efforts earlier this year, and NIST confirmed that they are working on a multi-pronged solution that will include improved tools and methods, as well as establishing a consortium that will help addressed various challenges.
Tanya Brewer, program manager at the NVD, said in April that the NVD program is considering many changes to improve software identification, automate (some) CVE analysis activities, make NVD data more easy to “consume” and customize, develop capabilities to publish additional kinds of data (e.g., EPSS scores), and more.
A few weeks later, the Cybersecurity and Infrastructure Security Agency (CISA) started a CVE “vulnrichment” program, to help bridge the current gap.
NIST hard at work
On May 20, NIST said that the NVD has started ingesting CVE 5.0 and CVE 5.1 records for CVEs on an hourly basis. Ten days later came this latest and welcome promise: the NVD will be completely back on track by the end of September.
More welcome news is that NIST does not plan to hand over NVD’s rains.
“With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD. NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation,” the US Department of Commerce agency said.
“NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates. Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.”
UPDATE (May 31, 2024, 03:50 a.m. ET):
Maryland-based Analygence is the firm chosen to help NIST process CVEs to include in the NVD, according to Recorded Future.
The company has previously been awarded contracts to support the cybersecurity and privacy mission of NIST’s Information Technology Lab and CISA’s Vulnerability Management Subdivision.