NIST turns to IT consultants to clear National Vulnerability Database backlog

Aims to get CVE logjam cleared by the end of FY 24


Facing a growing backlog of reported flaws, NIST has extended a commercial contract with an outside consultancy to help it get on top of its National Vulnerability Database (NVD).

NIST has an ongoing five-year $125 million contract with Maryland-based Analygence for various bits of IT and security-related work.

That deal was amended [PDF] late last month to include support specifically for clearing the NVD backlog, which has been growing beyond the US government agency's ability to process submissions since February. The NVD is a central repository, used the world over as well as by Uncle Sam, for CVE-tagged security vulnerabilities in products.

The contract documents available online don't directly state that NIST amended Analygence's contract for NVD work, though an agency spokesperson confirmed to The Register that Analygence was the unnamed awardee mentioned in a notice last week about efforts to tackle the logjam.

According to the agency's statement last week, it hopes to reach its pre-February processing rate of CVEs within the next few months. NIST predicted it should be caught up and back to processing current CVEs by the end of the fiscal year.

The NVD backlog has been steadily building up since February when NIST quietly announced it was working to improve its tools and methods in a way that might mean users "temporarily see delays in analysis efforts." 

That message, which we noted in March, quickly drew attention as the backlog became worse. As of last month, more than 93 percent of vulnerabilities submitted since February 12 remain unanalyzed, threat intelligence firm VulnCheck reported recently.

For reference, VulnCheck notes (as of May 23) that there have been 12,720 fresh vulnerabilities submitted to the NVD since February 12. That's a lot of unanalyzed flaws. 

More technology, more vulnerabilities

Despite it having been months since the problems were first identified, the what and why of the NVD hold-up is still a bit unclear. When asked if it's gleaned anything from the past few months of trying to clear the jam, NIST only pointed us to a vague update from the NVD program from late April that provides a partial explanation. 

The growing backlog, NIST said that month, "is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support."

NIST reiterated in April it's looking for long-term solutions to deal with the influx of vulnerability reports, "including the establishment of a consortium … that can collaborate on research to improve the NVD." 

In the meantime, it's still anyone's guess what the real reason for a sudden slam of CVEs at the beginning of 2024 could be, but one thing's for sure: it's not because NIST's current staff aren't doing their jobs.

If anything, bringing in outside help is more of a tacit admission that NIST staff are already overworked. The most recent US federal government budget, which will cut NIST funding by nearly 12 percent, is unlikely to help.

Analygence told us it started work on the backlog this week, and will be helping NIST process new NVD submissions as well. ®
