NIST Wants Help Digging Out of Its NVD Backlog

After warning it can't keep up with the exploding number of bugs being submitted to the National Vulnerability Database (NVD), the National Institute of Science and Technology (NIST) has asked for additional resources from the US government and the private sector.

The agency said in February it was experiencing delays updating the NVD. This week, it admitted the delays have ballooned into a bona fide backlog. NIST said it is working to address the highest priority vulnerabilities first.

"This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support," NIST said in a statement regarding its NVD backlog.

Staff at NIST are being shuffled around to triage the vulnerability analysis delays, but longer-term solutions are required, the agency explained. One specific suggestion NIST highlighted was the creation of a public-private consortium to support the NVD, made up of "industry, government, and other stakeholder organizations that can collaborate on research."

NIST Needs a New Approach

NIST's NVD is foundational to security operations, according to Jason Soroko, senior vice president of product at Sectigo. And getting additional analysts working through the backlog is critical, he added.

"The problem is scale," Soroko says. "NIST is going to open up the program to a consortia of vetted organizations from the industry in order to deal with the backlog of vulnerabilities that need to be analyzed and understood before being put into the NVD database. The move is a good one."

NIST needs a new approach if the agency is going to be able to keep up with the explosion in CVEs, explains Saumitra Das, vice president of engineering at Qualys.

"NIST NVD has been a cornerstone of vulnerability management for a long time," Das says. "However, the exponential growth in CVE issuance has created pressure which will necessitate a different and prioritized approach as mentioned in this statement. Budget cuts happening for the first time in a decade are possibly part of this issue as well, apart from the sheer volume."

Because NIST and the NVD have been so important to cybersecurity in the past, John Bambenek, president at Bambenek Consulting, says he's hopeful that with an assist from the cybersecurity industry, NVD can get back on track.

"The NVD is a major success story for NIST and cybersecurity, and hopefully a pivot to a private-public sector partnership can be reached quickly to scale up the program," Bambenek says. "This announcement illustrates that the explosion in vulnerability possibilities has grown so large that not even the US government can adequately keep their hands around the problem."