Summary: The National Institute of Standards and Technology (NIST) has awarded a contract to an unnamed company/organization to help process incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database (NVD), with the goal of clearing the NVD backlog of unprocessed CVEs by the end of the fiscal year.
Threat Actor: N/A
Victim: N/A
Key Point:
- NIST has awarded a contract to assist in processing CVEs for inclusion in the NVD and aims to clear the backlog by the end of the fiscal year.
- The NVD has faced challenges with CVE enrichment efforts and is working on improving tools and methods, as well as establishing a consortium to address these challenges.
- The NVD program is considering changes to improve software identification, automate some CVE analysis activities, and make NVD data more accessible and customizable.

The National Institute of Standards and Technology (NIST) has awarded a contract to an unnamed company/organization to help it process incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database (NVD), the agency announced on Wednesday.
They also aim to clear the NVD backlog of unprocessed CVEs by the end of the fiscal year (i.e., September 30).
NVD’s problems became obvious in February
The NVD started slowing down its CVE enrichment efforts earlier this year, and NIST confirmed that they are working on a multi-pronged solution that will include improved tools and methods, as well as establishing a consortium that will help address various challenges.
Tanya Brewer, program manager at the NVD, said in April that the NVD program is considering many changes to improve software identification, automate (some) CVE analysis activities, make NVD data easier to “consume” and customize, develop capabilities to publish additional kinds of data (e.g., EPSS scores), and more.
A few weeks later, the Cybersecurity and Infrastructure Security Agency (CISA) started a CVE “vulnrichment” program, to help bridge the current gap.
NIST hard at work
On May 20, NIST said that the NVD has started ingesting CVE 5.0 and CVE 5.1 records for CVEs on an hourly basis. Ten days later came this latest and welcome promise: the NVD will be completely back on track by the end of September.
More welcome news is that NIST does not plan to hand over NVD’s reins.
“With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD. NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation,” the US Department of Commerce agency said.
“NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates. Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.”
UPDATE (May 31, 2024, 03:50 a.m. ET):
Maryland-based Analygence is the firm chosen to help NIST process CVEs to include in the NVD, according to Recorded Future.
The company has previously been awarded contracts to support the cybersecurity and privacy mission of NIST’s Information Technology Lab and CISA’s Vulnerability Management Subdivision.
Source: https://www.helpnetsecurity.com/2024/05/30/nist-nvd-back-on-track