After warning that it could not keep up with the exponential growth in the number of vulnerabilities submitted to the National Vulnerability Database (NVD), the National Institute of Standards and Technology (NIST) has asked the US government and the private sector for additional resources.
The agency said in February that it was experiencing delays in updating the NVD. This week, it admitted that the delays had ballooned into a bona fide backlog. NIST said it is working to address the highest-priority vulnerabilities first.
“This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” NIST said in a statement regarding its NVD backlog.
NIST is reassigning personnel to work through the delays in vulnerability analysis, but long-term solutions are needed, the agency explained. One specific suggestion highlighted by NIST was the creation of a public-private consortium to support the NVD, composed of “industry, government, and other stakeholder organizations that can collaborate on research.”
NIST needs a new approach
NIST’s NVD is critical to security operations, according to Jason Soroko, senior vice president of product at Sectigo. And getting other analysts to work through the backlog is key, he added.
“The problem is scale,” Soroko says. “NIST will open the program to consortia of select industry organizations to manage the backlog of vulnerabilities that need to be analyzed and understood before being entered into the NVD database. The move is a good one.”
NIST needs a new approach if the agency is to be able to keep up with the explosion of CVEs, explains Sumitra Das, vice president of engineering at Qualys.
“NIST NVD has long been a cornerstone of vulnerability management,” says Das. “However, the exponential growth of CVE submissions has created pressures that will require a different and prioritized approach, as mentioned in this statement. Budget cuts occurring for the first time in a decade are also likely part of this problem, alongside the sheer volume.”
Because NIST and NVD have been so important to cybersecurity in the past, John Bambenek, president of Bambenek Consulting, says he hopes that with the help of the cybersecurity industry, NVD can get back on track.
“The NVD is a major success story for NIST and cybersecurity, and hopefully a pivot can be quickly achieved toward a public-private partnership to scale up the program,” Bambenek says. “This announcement demonstrates that the explosion of vulnerability possibilities has become so great that not even the US government can adequately keep the problem under control.”