NIST Proposes Public-Private Group to Help with NVD Backlog – Source: securityboulevard.com

An embattled National Institute of Standards and Technology (NIST), hobbled by budget cuts, is looking for more help from both inside and outside the government. NIST is trying to manage a growing backlog of security vulnerabilities coming into the database it maintains.

The National Institute of Science and Technology, which manages the critical National Vulnerability Database (NVD), warned in February that it was falling behind in keeping up with the flow of flaws being submitted. At the time,  it noted “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.”

NIST saw its budget cut by almost 12% this year, with Congress looking to fund President Biden’s CHIPS Act for bringing processor manufacturing back to the United States, at the expense of some agencies’ budgets.

Those budget cuts already have had an effect. The agency updated its notice this month, saying it is prioritizing the most significant vulnerabilities for analysis and working with other agencies for support. NIST also reassigned more of its staff to the task.

“We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD,” the agency wrote.

Data from NIST illustrates the struggle. For 2024 so far, the agency has been able to analyze 4,323 of the 9,050 new vulnerabilities that it’s received. However, in March it analyzed only 199 of the 3,370 submitted, and for April that number stands at 24 of 322 vulnerabilities.

NVD is Critical to Security Pros

The growing backlog is a problem for threat intelligence researchers and cybersecurity vendors that depend on the NVD. Commercial vulnerability scanners base much of their scanning logic on what is in the database, pointed out Jason Soroko, senior vice president of product at cybersecurity firm Sectigo.

“The problem is scale,” Soroko said. “NIST is going to open up the program to a consortium of vetted organizations from the industry in order to deal with the backlog of vulnerabilities that need to be analyzed and understood before being put into the NVD database.”

The idea of a public-private consortium is a good one, given the importance of the program to security operations, Soroko said.

Saumitra Das, vice president of engineering at Qualys, echoed those sentiments, calling the NVD “a cornerstone of vulnerability management for a long time.” The “exponential growth in CVE issuance has created pressure which will necessitate a different and prioritized approach as mentioned in this statement,” Das added. “Budget cuts happening for the first time in a decade are possibly part of this issue as well apart from the sheer volume.”

A Call for Help to the Public Sector

At the VulnCon event last month, Tanya Brewer, NVD program manager told attendees that a notice would be published soon in the Federal Register about creating the new consortium, one step in improving the vulnerability database, according to a report in CyberScoop. Other ideas include customizable alerts and new data types.

Security problems will only worsen with the rise of generative AI, said Dana Simberkoff, chief risk, privacy, and information security officer at data resiliency firm AvePoint.

“The NIST backlog is a representation of the sheer magnitude of the job ahead of the government to combat this constantly growing cyber threat,” Simberkoff said. “It will become critical for government to partner with critical ICT vendors and industry to ensure the timely resolution of this backlog.”

A Warning from Cybersecurity Analysts

The problems haunting NIST drew a letter to Congress and Commerce Secretary Gina Raimundo from about three dozen cybersecurity professionals urging greater support the NIST and the NVD, arguing that the growing risks coming from growing numbers and sophistication of ransomware and other cyberthreats will only worsen.

They also questioned whether the consortium being considered by NIST is the right way to go, suggesting that the NVD should be moved to CISA, with the consortium under the Joint Cyber Defense Collaborative (JCDC), which already is an existing government-private sector partnership that was created in 2021.

“The NVD is integral to how every organization in the private and public sectors worldwide works to defend against vulnerability exploitation attacks targeting their technology systems,” they wrote. “We are deeply concerned with the loss of this functionality and the lack of transparent communication from NIST about this issue to the cybersecurity community and organizations that depend on it.”