NIST Hires Outside Firm To Clear The Backlog In The NVD
Facing a growing backlog of reported flaws, NIST has announced a commercial contract with an outside firm to clear the backlog in its National Vulnerability Database (NVD). The contract was announced in a status update posted on May 29th:
NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.
In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that this backlog will be cleared by the end of the fiscal year.
Mike Walters, President and Co-Founder of Action1, has provided some insight on what resources the NVD would need to keep up with the number of vulnerabilities being reported:
“The National Vulnerability Database (NVD) plays a critical role in the cybersecurity landscape by cataloging and enriching vulnerability information. To keep up with the backlog, which now exceeds 10,000 vulnerabilities, NVD needs to address several issues and improve its operations.
First, the NVD must form a consortium to improve the program and, more importantly now, secure additional funding from federal agencies, the private sector, or public grants to cover the costs associated with scaling infrastructure, hiring additional staff, and purchasing necessary software tools. It is also important for them to obtain grants for AI and machine learning research to develop cutting-edge tools that can be integrated into the NVD workflow. Implementing advanced machine learning models and AI can help automate the initial triage and enrichment process of vulnerability reports.
Second, NVD will need to hire a highly skilled team of security analysts, data scientists, and threat intelligence experts to operate and enhance the new AI tools that will help handle the growing backlog of vulnerabilities. These professionals can oversee automated processes, validate AI-generated insights, and handle more complex cases that require human intervention.
Third, to collect and analyze data, the NVD will need to build stronger relationships with cybersecurity communities, including CVE Numbering Authorities (CNAs), private cybersecurity firms, academic institutions, and other threat intelligence platforms that can lead to more holistic and timely data sharing.
Implementing a crowdsourcing model where verified contributors can submit and enrich vulnerability data could also help spread the workload and speed up the process.
These are the key resources that NVD needs to manage the crisis.”
Hopefully NIST can get on top of this quickly. Given the volume of flaws that have been and continue to be reported, that won’t be easy, but it is something that needs to be done. In the meantime, anyone whose scanner or SBOM tooling relies on NVD-supplied CVSS scores and CPE matches should assume that a meaningful share of recent CVEs carry neither yet, and check for that gap rather than reading a missing score as "low risk".
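As an added example (not code from this post, from NIST, or from either of the commenters quoted here), the following Python snippet triages records in the JSON shape returned by the NVD CVE API 2.0 and separates the entries NIST has analyzed from the ones still sitting in the backlog. It assumes the 2.0 response layout: a `vulnerabilities[].cve` object carrying `vulnStatus`, `metrics.cvssMetricV31` / `cvssMetricV30` / `cvssMetricV2` lists whose entries have `type` "Primary" for NVD's own score and "Secondary" for a score supplied by the CNA, and `configurations` for the CPE match data. The sample response embedded below is constructed for this example and its CVE identifiers are placeholders, not real records.

```python
"""Find CVEs that NVD has not yet enriched in an NVD API 2.0 response.

Added example: parses the response shape of
https://services.nvd.nist.gov/rest/json/cves/2.0 (assumed field names below)
and reports, per CVE, whether NVD's own CVSS score and CPE configuration are
present. A record that only carries a CNA-supplied ("Secondary") score is
still part of the processing backlog from a consumer's point of view.
"""
import json

# Constructed sample in the shape of an NVD API 2.0 response. Not real NVD
# data; the CVE IDs are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "resultsPerPage": 3,
    "totalResults": 3,
    "vulnerabilities": [
        {"cve": {                       # fully analyzed by NVD
            "id": "CVE-1900-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {                       # CNA score only, no NVD analysis yet
            "id": "CVE-1900-0002",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [
                {"source": "cna@example.org", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
        }},
        {"cve": {                       # nothing beyond the bare CVE record
            "id": "CVE-1900-0003",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {},
        }},
    ],
})

# Metric list keys as used by the NVD 2.0 API (assumed here, most recent first).
CVSS_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def enrichment_status(cve: dict) -> dict:
    """Summarize one `cve` object: status, which score (if any) exists and
    who supplied it, and whether NVD's own enrichment is complete."""
    metrics = cve.get("metrics") or {}
    entries = [m for key in CVSS_KEYS for m in (metrics.get(key) or [])]
    nvd_scored = [m for m in entries if m.get("type") == "Primary"]
    cna_scored = [m for m in entries if m.get("type") == "Secondary"]
    has_cpe = bool(cve.get("configurations"))

    score, source = None, "none"
    if nvd_scored:                      # prefer NVD's own assessment
        score, source = nvd_scored[0]["cvssData"]["baseScore"], "nvd"
    elif cna_scored:                    # fall back to the CNA's score, flagged as such
        score, source = cna_scored[0]["cvssData"]["baseScore"], "cna"

    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus", "unknown"),
        "score": score,
        "score_source": source,
        "has_cpe": has_cpe,
        # "enriched" means NVD scored it and produced CPE matches; a
        # CNA-only score does not count, because scanners keyed on NVD CPE
        # data still cannot match the record against an inventory.
        "enriched": bool(nvd_scored) and has_cpe,
    }


def triage(response_json: str) -> list[dict]:
    """Run enrichment_status over every record in an API 2.0 response body."""
    data = json.loads(response_json)
    return [enrichment_status(item["cve"]) for item in data.get("vulnerabilities", [])]


def unenriched_ids(response_json: str) -> list[str]:
    """IDs that still lack NVD's own score or CPE data, i.e. the backlog."""
    return [row["id"] for row in triage(response_json) if not row["enriched"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        print(f"{row['id']}: {row['status']:<18} score={row['score']} "
              f"({row['score_source']}) cpe={row['has_cpe']} enriched={row['enriched']}")
    print("backlog:", unenriched_ids(SAMPLE_RESPONSE))
```

Feed it the body of a real `cves/2.0` query (for example, filtered by `pubStartDate`/`pubEndDate` for the period since February 2024) and the `unenriched_ids` list is the part of your exposure that NVD-driven tooling will silently under-report until the backlog is cleared. Treat a `cna` score as a usable interim severity, and a `none` result as "unknown", never as "no risk".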
UPDATE: Emily Phelps, Director at Cyware, adds this comment:
“It’s encouraging to see NIST taking proactive steps to address the backlog in the National Vulnerability Database. The current backlog highlights the increasing complexity and volume of vulnerabilities that organizations face today. Effective and timely vulnerability management is crucial for maintaining robust cybersecurity defenses.”
This entry was posted on June 4, 2024 at 11:24 am and is filed under Commentary with tags NIST.