NIST may not resolve vulnerability database backlog until early 2025, analysis shows>
Next Gov / FCW – David DiMolfetta
The National Vulnerability Database (NVD), a crucial U.S.-managed database of cybersecurity vulnerabilities, is facing a significant processing backlog that may not be cleared until early 2025, according to a new analysis by Fortress Information Security
The NVD, maintained by the National Institute of Standards and Technology (NIST), has been backed up with unanalyzed vulnerabilities since February without a clear explanation
Key points:
1) At current rates, nearly 30,000 vulnerabilities filed into NVD will still be awaiting analysis by the end of 2024, and may not be fully resolved until March 2025.
2) NIST awarded Maryland cybersecurity firm Analygence a $865,657 task order in late May to help clear the congestion, with the expectation of fixing the logjam by September 30, 2023.
3) To meet this deadline, NIST would need to assess approximately 217 vulnerabilities per day, according to the Fortress tables.
4) Marginal improvements have been made to the analysis process since Analygence was brought on, but it’s unclear if the assessment rate will increase significantly.
5) The number of vulnerabilities has been increasing, and the dashboard does not currently sort by vulnerability severity, though this feature may be added later
The NVD is a critical resource for security researchers who use its contents and severity score feature to assess the dangers of cyber exploits and train machine learning models to predict vulnerabilities in software products
However, NIST is set to take an 8% budget cut under the agency’s budget request for next year while being tasked with working on critical emerging tech and national security research.
Link: https://www.nextgov.com/cybersecurity/2024/07/nist-may-not-resolve-vulnerability-database-backlog-until-early-2025-analysis-shows/398354/