NIST Still Struggling to Clear Massive Vulnerability Backlog


Governance & Risk Management

Agency Calls Former Deadline to Clear Major Vulnerability Backlog Too ‘Optimistic’

The database has been plagued with resource challenges in recent years, according to NIST (Image: NIST/ISMG)

The U.S. federal government’s repository for security vulnerabilities is struggling to clear a backlog of tens of thousands of unanalyzed flaws after failing to meet a self-imposed deadline for making the database up to date.


The National Vulnerability Database came to a near standstill in February when budget cuts halted the parent agency National Institute of Standards and Technology’s ability to assess thousands of reported software and hardware vulnerabilities. The agency awarded a contract for additional processing support and was expecting to clear the backlog of unprocessed CVEs “by the end of the fiscal year,” which was Sept. 30 (see: NIST Unveils Plan to Restore National Vulnerability Database).


In a Wednesday update, NIST said it now has “a full team of analysts on board” to handle newly incoming CVEs. The agency also admitted that its initial estimate to clear the backlog “was optimistic” due to data on backlogged CVEs not being in a format that NIST can currently “efficiently import and enhance.”


NIST said it was in the process of “developing new systems” to more efficiently process incoming data from authorized data providers but did not provide a timeline for progress or scheduled updates. The agency did not immediately respond to a request for comment.


Experts told Information Security Media Group earlier this year that the database was reaching a breaking point as it neared 10,000 unanalyzed vulnerabilities in May, warning of potential risks to supply chains and critical infrastructure sectors (see: Experts Warn the NVD Backlog Is Reaching a Breaking Point). Analysis published in July also predicted the backlog could threaten to extend into 2025 and surge to 30,000 without additional support and processing.


The database currently has a backlog of more than 19,000 CVEs awaiting analysis, according to a dashboard launched by the cybersecurity firm Fortress Information Security. An analysis report published by the firm on Wednesday said the database was falling short of its earlier goal to clear the backlog by nearly 500 CVEs per day.


NIST previously blamed the growing backlog on a “variety of factors” in April, partly attributing the slow processing rates to “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.”


A NIST spokesperson previously told ISMG that the agency is collaborating with CISA to incorporate new, unanalyzed security flaws into the database while exploring technological and process improvements to address the growing volume of vulnerabilities.


NIST did not offer additional information on the apparent disruption in interagency support and did not respond to a request for comment about the continued backlog. In its April notice, the agency said it was exploring long-term solutions, which may include creating a consortium of industry, government and stakeholder organizations to enhance the database.


