NIST Still Struggling to Clear Massive Vulnerability Backlog
Agency Calls Former Deadline to Clear Major Vulnerability Backlog Too 'Optimistic'

The U.S. federal government's repository for security vulnerabilities is struggling to clear a backlog of tens of thousands of unanalyzed flaws after failing to meet a self-imposed deadline for making the database up to date.
The National Vulnerability Database came to a near standstill in February when budget cuts halted the ability of its parent agency, the National Institute of Standards and Technology, to review thousands of reported software and hardware vulnerabilities. The agency awarded a contract for additional processing support and was expecting to clear the backlog of unprocessed CVEs "by the end of the fiscal year," which was Sept. 30 (see: NIST Unveils Plan to Restore National Vulnerability Database).
In a Wednesday update, NIST said it now has "a full team of analysts on board" to address newly incoming CVEs. The agency also admitted that its initial estimate to clear the backlog "was optimistic" due to the data on backlogged CVEs not being in a format that NIST can currently "efficiently import and enhance."
NIST said it was in the process of "developing new systems" to more efficiently process incoming data from authorized data providers but did not provide a timeline for progress or scheduled updates. The agency did not immediately respond to a request for comment.
Experts told Information Security Media Group earlier this year that the database was reaching a breaking point as it neared 10,000 unanalyzed vulnerabilities in May, warning of potential risks to supply chains and critical infrastructure sectors (see: Experts Warn the NVD Backlog Is Reaching a Breaking Point). Research published in July also predicted that, without additional support and processing capacity, the backlog would extend into 2025 and could surge to 30,000.
The database currently has a backlog of more than 19,000 CVEs awaiting analysis, according to a dashboard released by the cybersecurity firm Fortress Information Security. An analysis report published by the firm on Wednesday said the database was falling short of its previous goal to clear the backlog by nearly 500 CVEs per day.
NIST previously blamed the growing backlog on a "variety of factors" in April, in part attributing the slow processing rates to "an increase in software and, therefore, vulnerabilities, as well as a change in interagency support."
A NIST spokesperson previously told ISMG that the agency is collaborating with the Cybersecurity and Infrastructure Security Agency to incorporate new, unanalyzed security flaws into the database while exploring technological and process improvements to manage the rising volume of vulnerabilities.
NIST did not offer additional information on the apparent disruption in interagency support and did not respond to a request for comment regarding the ongoing backlog. In its April notice, the agency stated it was exploring long-term solutions, which may include creating a consortium of industry, government and stakeholder organizations to enhance the database.