The National Institute of Standards and Technology expects to clear the towering backlog of unanalyzed vulnerabilities in the National Vulnerability Database by the end of September, the agency said in a Wednesday update.
NIST scaled back its activities on the NVD program in mid-February following a change in interagency funding support and a staggering deluge of CVE disclosures. The agency reported an all-time high of 33,137 vulnerabilities last year, according to Flashpoint research.
To help clear the logjam, the agency awarded a cybersecurity analysis and email support contract to Maryland-based Analygence for $865,657 to support the processing of incoming vulnerabilities for the NVD, according to USAspending.gov. “We expect to begin performance the week of June 3,” Analygence COO Tom Peitler said via email.
“Analygence will be working through the existing backlog of CVEs on a rolling basis utilizing the NIST Common Platform Enumeration process and in accordance with the Common Vulnerability Scoring System,” Peitler said.
The contract with the cybersecurity and research services company ends in December and includes an option to extend services into July 2025 for up to almost $1.8 million total.
“The contracted staffing will support processing of CVEs and allow us to return to our previous processing rates within the next few months. That alone will not clear the backlog that has developed since February,” Rich Press, NIST’s director of media relations, said Thursday via email.
The Cybersecurity and Infrastructure Security Agency is also supporting NIST by providing additional information on backlogged CVEs to facilitate their addition to the database.
“CISA had previously been supporting the NIST NVD program with approximately $3.7 million per year in interagency funding, which they have discontinued,” Press said. “We made up for that loss of funding by redirecting existing NIST funds to the NVD program.”
Interagency funding from CISA ended in late September, according to NIST.
“The technology community relies on information about vulnerabilities to prioritize mitigation and understand risk,” a CISA spokesperson said Friday via email. “We continuously assess how to most effectively allocate limited resources to help organizations reduce the risk of newly disclosed vulnerabilities while driving vendors to reduce the prevalence of such vulnerabilities by design.”
A growing backlog
To bring CVE processing back to normal, CISA and NIST are turning to Analygence, a familiar partner.
NIST awarded a $125 million contract to Analygence in December to support the agency’s Computer Security Division, Applied Cybersecurity Division and other cybersecurity and privacy work. CISA previously contracted Analygence to support the agency’s Vulnerability Management Subdivision.
The ramped-up activity on the NVD comes as outside researchers sound the alarm about the growing backlog of unanalyzed CVEs. NIST has analyzed fewer than 1 in 10 vulnerabilities published in the NVD since mid-February, VulnCheck said last week in a report.
NIST said it was unable to reproduce VulnCheck’s analysis, but noted the status on all CVEs submitted to the NVD is available online.
“We are prioritizing the most significant vulnerabilities, including actively exploited vulnerabilities identified in CISA’s Known Exploited Vulnerabilities list,” Press said in response to VulnCheck’s findings.
NIST expects to clear the CVE backlog by the end of the U.S. government’s fiscal year, which ends September 30.