
An Overview of the NIST NVD Backlog Debacle: Cybersecurity Company Brought in on a Five-Year, $125M Contract to Assist

In February 2024, the National Institute of Standards and Technology (NIST) attributed a growing backlog of vulnerabilities awaiting analysis in the National Vulnerability Database (NVD), which NIST operates, to an increase in submission volume and structural changes in “interagency support,” as “the organization struggled to process waves of new vulnerabilities.” Following is a tick-tock of the NIST NVD debacle, including the recent contract award to Maryland-based cybersecurity company Analygence to address the backlog.

Jonathan Greig over at The Record has been doing bang-up coverage of this story: 

April 1, 2024:  Vulnerability database backlog due to increased volume, changes in ‘support,’ NIST says

“…neglect could jeopardize the state of cybersecurity in the U.S. and globally.”

The National Institute of Standards and Technology (NIST) blamed increases in the volume of software and a change in interagency support for the recent backlog of vulnerabilities analyzed in the organization’s National Vulnerability Database (NVD). For years, the NVD has been an invaluable resource for cybersecurity experts and defenders who rely on it for key information about vulnerabilities. Why it matters:

  1. The National Institute of Standards and Technology (NIST) has seen a significant backlog in analyzing vulnerabilities for its National Vulnerability Database (NVD), attributing this to rising software volumes and changes in interagency support. The issue disrupts experts and defenders who depend on the NVD for vital cybersecurity information.
  2. The NIST is aggressively addressing the situation by implementing shorter-term measures like prioritizing and swiftly analyzing the most significant vulnerabilities. The agency is also looking into longer-term resolutions such as establishing a consortium with industry, government and other stakeholders to bolster NVD research capabilities.
  3. Experts believe the NVD is crucial infrastructure for numerous cybersecurity products and claim a 20% cut in its funding can have severe consequences. They’ve sounded alarms to local authorities, asking for urgent action to rectify issues with the NVD, warning that neglect could jeopardize the state of cybersecurity in the U.S. and globally.

The Quant

“At a time when we and our colleagues are working to hold back a devastating tide of ransomware and the widening intrusion of foreign intelligence and military organizations into American critical infrastructure, those who protect America’s critical infrastructure are being stripped of a vital resource.”   

Greig provided a really impressive amount of quantitative facts to paint the picture of the context and impact of the NVD backlog: “…in mid-February, important metadata from the NVD was removed, and the organization struggled to process waves of new vulnerabilities. NIST posted a notice on its website claiming it was ‘working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.’ ‘You will temporarily see delays in analysis efforts during this transition,’ they said on February 15.” Greig continues:

  • Since then, the number of vulnerabilities processed by the NVD has dropped precipitously, according to NIST data.
  • So far in 2024, NIST has analyzed about half of the 8,785 vulnerabilities submitted. But last month, they were only able to analyze 199 out of the 3,370 submitted.
  • Last Thursday, CyberScoop reported that NVD program manager Tanya Brewer told an audience at VulnCon about a plan to create an outside consortium to make the database better.  She listed dozens of potential improvements and explained that the NVD staff has stayed the same — at 21 people — while the number of vulnerabilities submitted continues to grow.
  • Dozens of cybersecurity experts signed a letter addressed to Congress and Secretary of Commerce Gina Raimondo imploring them to fund and protect the NVD, calling it “critical infrastructure for a large variety of cybersecurity products.”  “At a time when we and our colleagues are working to hold back a devastating tide of ransomware and the widening intrusion of foreign intelligence and military organizations into American critical infrastructure, those who protect America’s critical infrastructure are being stripped of a vital resource,” the experts said.
  • The letter claims funding for the NVD was recently cut by 20%. NIST did not respond to requests for comment about whether this is accurate.
  • The NVD has existed since 2005 but NIST recently was forced to swallow a 12% drop in funding for the current fiscal year compared to the year before.
  • The letter to Congress warns that a failure to restore the NVD will endanger everyone — pointing to several recent incidents including the Change Healthcare cyberattack that has paralyzed the healthcare industry for weeks. 

April 14, 2024:  An Open Letter from Cybersecurity Professionals to the U.S. Congress and Secretary of Commerce

“A cybersecurity crisis in waiting: On the Need to Restore and Enhance Operations with the National Vulnerability Database”

An excerpt from the letter:

We urge you to expeditiously investigate the ongoing issues with the NVD and ensure NIST has the necessary resources to restore operations immediately, as well as lay the groundwork for critical improvements to the service. This includes, but is not limited to:

  • Immediately restore NVD operations. To minimize disruption to vulnerability management tools during NVD’s disruption, we recommend stopgap processes for NVD to act as a passthrough of CVE Numbering Authority (CNA) data without re-scoring or duplicating the work of CVE programs, except in cases of clear inaccuracies in CNA-provided data.
  • Establish a plan, with clear timelines and accountability, to improve NVD processes and operations. These must include addressing the backlog of vulnerabilities at NVD, lack of support for standard file formats, and redundant or conflicting vulnerability scoring. This plan should be developed openly with public and private stakeholder input with a public comment period.
  • Investigate the lack of transparent communication from NIST regarding regression in NVD operations for the period of February 15, 2024 through March 25, 2024.
  • Consider the establishment of sustained funding to provide reliable resources for NVD daily operations without conflicts of interest.  
  • The NVD should be treated as an essential service and as “Critical Infrastructure”. To minimize the impact of funding related slowdowns, we think it’s important for the NVD to continue running through government shutdowns and other disruptions that would otherwise impede the critical services it provides.
  • Keep the NVD independent. While industry collaboration with NIST and the NVD should be encouraged, a single entity should clearly own and operate NVD, given its critical role as a source of truth for the federal government.

For the full letter, go to this link

May 24, 2024:  Amid funding cuts, backlog of unanalyzed vulnerabilities in gov’t database is growing

Graph Source:  VulnCheck – The Real Danger Lurking in the NVD Backlog

More than 90% of submissions to the government’s National Vulnerabilities Database have not been analyzed or enriched since the agency announced cutbacks in February, new research shows. The National Vulnerability Database – a critical information resource for cybersecurity defenders – has been forced to limit its operations due to funding shortages and an influx of vulnerabilities. Why it matters:

  1. Significant backlog in vulnerability analysis: Over 90% of submissions to the National Vulnerabilities Database (NVD) have not been analyzed or enriched with critical data that help security professionals determine what software has been affected by a vulnerability. This is due to the funding shortages and an influx of vulnerabilities that have forced the NVD to limit its operations.
  2. Increased risk of malicious threat exploitation: The current backlog and slow down at the NVD could give threat actors an upper hand in weaponizing vulnerabilities. Valuable information such as severity scores, reference tags, and vulnerability classifications are missing due to the slowdown, heightening the risk of devastating cyberattacks on organizations.
  3. Need for proactive actions by CVE Numbering Authorities: CVE Numbering Authorities (CNAs), of which there are 379 from 40 countries, are typically cybersecurity firms, national cybersecurity agencies, technology vendors, and others. In the wake of the slowdown, CNAs should work toward enriching CVE records as completely as possible. This includes submitting product names, vendor names, version numbers, thorough descriptions, broad references, and CVSS severity scores together with CPE and CWE identifiers. Automation could be part of the solution, but only if paired with the trust of CNAs and a reevaluation of which CVEs require manual review.
  4. Researchers from VulnCheck analyzed the NVD’s activity since it announced cutbacks on February 12 and found that of the 12,720 new vulnerabilities added since then, 11,885 “have not been analyzed or enriched with critical data that help security professionals determine what software has been affected by a vulnerability.”
  5. VulnCheck has a list of vulnerabilities it classifies as exploited and said nearly half of those bugs have not been analyzed by NVD since the slowdown. Another 82% of bugs that have a public proof-of-concept exploit have also not been examined, according to the company.  
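The enrichment gap described in items 1 through 5 is something a vulnerability-management team can measure in its own CVE feed rather than wait for a vendor report. The script below is an added example, not code from the article, NIST or VulnCheck: it walks a set of NVD-style CVE records, reports which ones carry none of the enrichment the article says is missing (an NVD CVSS score, a CWE classification, a CPE configuration) and whether a CNA-supplied score exists as the passthrough fallback the open letter argues for. The field names (`vulnStatus`, `metrics.cvssMetricV31`, `weaknesses`, `configurations`, metric `type` of `Primary` or `Secondary`) follow the NVD API 2.0 JSON layout as I know it and are assumptions here, not something the article states; confirm them against the current schema before relying on the output. All four records are constructed samples with placeholder IDs, not real CVE data.

```python
"""Enrichment-completeness check over NVD API 2.0-style CVE records.

Added example, not code from the article, NIST or VulnCheck. Field names
follow the NVD API 2.0 JSON layout as assumed by the author of this example;
confirm them against the live schema. All records are constructed samples.
"""
from collections import Counter

# Constructed sample shaped like an NVD API 2.0 /cves response (not real data).
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {  # fully enriched by NVD
            "id": "CVE-EXAMPLE-0001", "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8}}]},
            "weaknesses": [{"description": [{"value": "CWE-787"}]}],
            "configurations": [{"nodes": [{"cpeMatch": [
                {"criteria": "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {  # CNA scored it; NVD has not touched it
            "id": "CVE-EXAMPLE-0002", "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [
                {"source": "cna@example.invalid", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5}}]},
        }},
        {"cve": {  # bare record: nothing beyond the ID and status
            "id": "CVE-EXAMPLE-0003", "vulnStatus": "Awaiting Analysis",
        }},
        {"cve": {  # partially enriched: scored and classified, no CPE yet
            "id": "CVE-EXAMPLE-0004", "vulnStatus": "Modified",
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 5.3}}]},
            "weaknesses": [{"description": [{"value": "CWE-79"}]}],
        }},
    ]
}


def all_metrics(cve):
    """Flatten every CVSS entry (v3.1, v3.0, v2) of one record into a list."""
    metrics = cve.get("metrics", {})
    return [entry for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
            for entry in metrics.get(key, [])]


def enrichment_gaps(cve):
    """Return the enrichment components NVD has not supplied for this record."""
    gaps = []
    # Only a Primary metric counts as NVD enrichment; Secondary ones come from CNAs.
    if not any(m.get("type") == "Primary" for m in all_metrics(cve)):
        gaps.append("cvss")
    if not cve.get("weaknesses"):
        gaps.append("cwe")
    if not cve.get("configurations"):
        gaps.append("cpe")
    return gaps


def cna_fallback_score(cve):
    """Highest CNA-supplied base score, usable as a passthrough while NVD lags."""
    scores = [m["cvssData"]["baseScore"] for m in all_metrics(cve)
              if m.get("type") == "Secondary" and "cvssData" in m]
    return max(scores) if scores else None


def summarize(response):
    """Per-record gaps plus the share of records with no NVD enrichment at all."""
    rows = []
    for item in response["vulnerabilities"]:
        cve = item["cve"]
        rows.append({"id": cve["id"], "status": cve.get("vulnStatus"),
                     "gaps": enrichment_gaps(cve),
                     "cna_score": cna_fallback_score(cve)})
    unenriched = [r for r in rows if len(r["gaps"]) == 3]
    return {
        "total": len(rows),
        "unenriched": len(unenriched),
        "share": len(unenriched) / len(rows) if rows else 0.0,
        "by_status": Counter(r["status"] for r in rows),
        "rows": rows,
    }


def record_for(response, cve_id):
    """Look up one summarized record by CVE id."""
    for row in summarize(response)["rows"]:
        if row["id"] == cve_id:
            return row
    raise KeyError(cve_id)


if __name__ == "__main__":
    summary = summarize(SAMPLE_RESPONSE)
    for row in summary["rows"]:
        fallback = (f"CNA score {row['cna_score']}" if row["cna_score"] is not None
                    else "no CNA score")
        missing = ",".join(row["gaps"]) or "-"
        print(f"{row['id']:<18} {row['status']:<18} missing={missing:<14} {fallback}")
    print(f"\n{summary['unenriched']}/{summary['total']} records "
          f"({summary['share']:.0%}) have no NVD enrichment at all")
```

Run against a real API 2.0 response, `summary["share"]` is the same ratio VulnCheck reported (records with no enrichment over records added), and the `cna_score` column shows how many of the unscored records could be triaged from CNA data alone, which is the stopgap the open letter asks NIST to adopt.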

May 29, 2024:  NIST expects to clear backlog in vulnerabilities database by end of fiscal year

“The long-term sustainability of the NVD…will involve the modernization and automation of vulnerability management, security measurement, and compliance…”

The National Institute of Standards and Technology (NIST) said it has awarded a new contract to an outside vendor that will help the federal government process software and hardware bugs added to the National Vulnerability Database (NVD). Government officials, cybersecurity experts and defenders have repeatedly raised alarms about the backlog of new vulnerabilities that have not been analyzed or enriched since the agency announced cutbacks in February. Why it matters:

  1. The National Institute of Standards and Technology (NIST) has taken a significant step towards addressing the backlog of unprocessed vulnerabilities at the National Vulnerability Database (NVD). Enlisting external assistance in processing incoming Common Vulnerabilities and Exposures (CVEs) will bolster processing rates to previous standards within a few months.
  2. The backlog of unprocessed CVEs presents a substantial risk to cybersecurity, leaving defenders with a weaker understanding of the evolving attack surface. According to NIST, processing of this backlog should be completed by the end of the fiscal year, strengthening national cybersecurity infrastructure.
  3. NIST is dedicated to enhancing the long-term sustainability of the NVD, ensuring that it remains a vital national resource. This will involve the modernization and automation of vulnerability management, security measurement, and compliance; a crucial framework for cybersecurity systems.

What Next? 

May 30, 2024:  Analygence chosen as company to help NIST address backlog at NVD

Maryland-based cybersecurity company Analygence was hired by the federal government to help reduce a backlog affecting a critical resource used by the cybersecurity community. A spokesperson for the National Institute of Standards and Technology (NIST) confirmed the selection after announcing on Wednesday that the agency would be seeking outside help to review the new software and hardware bugs added to the National Vulnerability Database (NVD). Why it matters:

  1. The National Institute of Standards and Technology (NIST) confirms the hiring of Maryland-based cybersecurity firm, Analygence, to reduce backlog in the National Vulnerability Database (NVD), an essential tool for the cybersecurity community. This signifies a strategic move to increase efficiency and improve cybersecurity measures.
  2. Boasting 31 contracts with various federal entities, Analygence has a strong track record and a history of providing cybersecurity services, thus instilling a level of confidence in their ability to optimally manage the NVD. Their expertise in vulnerability assessments and experience with the federal ecosystem underscores their suitability for this role.
  3. A reliance on a combination of contract and full-time staff by NIST reflects a common strategy employed across federal government agencies to meet staffing needs. This method, although unquantified, is implied to be more cost-effective than recruitment of full-time employees, and serves to ensure the continuity and enhancement of vital cybersecurity infrastructure.

Featured Image Source: https://nvd.nist.gov/vuln 


Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.