NVD: NIST is working on longer-term solutions

The recent conspicuous faltering of the National Vulnerability Database (NVD) is “based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” says the U.S. National Institute of Standards and Technology (NIST).

“Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.”

What is NIST NVD and why it’s critical for cybersecurity?

The NVD is a public repository populated with vulnerabilities that have been assigned CVE numbers and have been published on MITRE’s CVE List.

NVD staff then updates the entries with information such as:

• Impact metrics (Common Vulnerability Scoring System – CVSS)
• Vulnerability types (Common Weakness Enumeration – CWE)
• Applicability statements (Common Platform Enumeration – CPE)
• Other metadata (description of the vulnerability, links to advisories, etc.)

The staff does not perform vulnerability testing, but relies on information provided by vendors, security researchers and vulnerability coordinators to assign these attributes and update the entries.

The NVD database is, among other things, crucial for automated vulnerability management.

And while a lag between a CVE being revealed and being published on the NVD has previously been documented, this latest hiccup is worrying: Since the start of the year, the entries for less than half of the CVEs added to NVD have not been enriched by NVD analysts.

Working on solutions

The cybersecurity community has noticed the backlog and speculated on the reasons for it, while decrying NIST’s lack of transparency on the matter.

A bevy of cybersecurity professionals signed an open letter to the U.S. Congress and Secretary of Commerce, asking them to “investigate the ongoing issues with the NVD to ensure NIST is provided with the necessary resources to not only resume normal operations of this critical service but to also improve it further to resolve extant issues that preceded the February 2024 service degradation.”

“Many organizations solely rely on CVSS to prioritize vulnerabilities and align remediation timelines accordingly,” they pointed out.

“Based on this delayed information, if a critical security vulnerability was published today, many vendors of automatic scanning tools would struggle to appropriately classify the severity rating of their detections and leave operators of critical infrastructure who rely on these scan results unaware of their risk exposure, unless these vulnerabilities make enough news or systems are compromised by bad actors.”

NIST says that they are committed to supporting and managing the NVD, and that they are working on longer-term solutions for current problems, “including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.”

At the VulnCon conference last week, Tanya Brewer, program manager at the NVD, said that the NVD Consortium should be operational within two weeks.

She also shared that the NVD program is considering many changes in the next five years, including improvements to software identification, changes to make make NVD data more consumable, and finding ways to automate some CVE analysis activities.