The National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.
NIST scaled back the NVD program in mid-February, and is currently prioritizing analysis of the most significant or actively exploited vulnerabilities. The slowdown was precipitated by “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” NIST said in the announcement.
The federal agency is seeking more support from within the government and reassigning staff as it assembles a public-private consortium to address long-term challenges and determine how to improve the NVD program. In the interim, the temporary delays in CVE analysis will result in less detailed analysis of vulnerabilities deemed non-urgent.
The work and output of NIST’s NVD program is remarkable. The agency reported an all-time high of 33,137 disclosures last year, a 318% increase from 2005 when the NVD first came online, according to Flashpoint research.
Government agencies, private companies, researchers and threat hunters use NVD’s standards-based vulnerability management data to automate security measurement and compliance, and assess, mitigate and spot potential risks lurking in these CVEs.
“So many folks have, honestly, probably been taking it for granted for years,” said Caitlin Condon, director of vulnerability research at Rapid7.
NVD has long been an authoritative and widely trusted source for vulnerability information, despite occasional disputes about NIST’s timeliness or transparency, CVSS scores, common platform enumeration (CPE), or root cause identification.
“Security professionals across a variety of disciplines like research and vulnerability management have come to rely on NVD,” said Emily Austin, principal security researcher at Censys. “It's built into vulnerability management tools and processes across many organizations, and its importance really can't be overstated.”
NVD slowdown creates difficulties downstream
Impacts from the NVD slowdown are expected to materialize over time, and cybersecurity experts anticipate a snowball effect as some vulnerabilities receive less attention from NIST.
Some vendors disclose very little information about vulnerabilities in their products. When NIST isn’t filling that analysis gap, the responsibility ultimately falls on threat hunters, researchers and security companies.
Other vulnerability catalogs exist, such as the Mitre Corp.’s CVE.org and the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, but the former doesn’t have the federal government’s official backing as a trusted source of truth and the latter is limited in scope.
“There’s value in being able to use a common language to discuss CVEs. That said, I also see concerns with having a single point of failure, as we’re experiencing now,” Austin said.
The temporary delays have already made it much more difficult for organizations to understand what software and products in their environments are vulnerable to a given CVE, according to Austin.
“Those working in vulnerability management and the tools they rely on are at a major disadvantage as a result of the NVD issues,” Austin said.
Challenges confronting the NVD
The sheer glut of vulnerabilities that NIST must analyze combined with the agency’s resource constraints has created a backlog in the NVD.
“Even before the start of the NVD slowdown, NVD has been significantly behind in analysis of the growing number of disclosures for years, often ranging from two to six weeks to analyze a given vulnerability. Over time, this gap in coverage has culminated to over 100,000 vulnerabilities missed by CVE and NVD,” Flashpoint research found.
Budget alone cannot fix NIST's constraints because people with the specialized skills required to analyze issues confronting AI, climate, communications, cybersecurity, health, infrastructure, manufacturing and quantum science are scarce. The agency has an expansive remit to promote U.S. innovation and competitiveness by advancing measurement science, standards and technology.
That kind of lofty mission requires resources.
The agency, which has a workforce of approximately 3,400 people and a fiscal year 2023 budget of $1.6 billion, is struggling to compete for and retain specialized talent in a competitive market, according to a 2023 report by the U.S. Government Accountability Office.
NIST did not answer questions about how many employees are responsible for the NVD or when it expects to complete the improvement process and return to normal operations.
A large portion of NIST’s analysis resources are spent on CPE generation, which, in theory, is work best suited for the software vendor, according to Condon.
“I would wonder whether any software vendors even know that that's their responsibility, or that they are in the best position to be doing it,” she said.
The current model isn’t working and this underscores the extent to which more entities and experts across the cybersecurity industry need to step up and rely less on NIST.
“I’m not sure what they owe us,” Condon said. “I would hope that a larger portion of our energy and brainpower and discussion goes toward understanding the process as it works today, where the pain points are, what we need it to do, and then where there are opportunities for scalability improvements.”