NIST Unveils New Consortium to Operate National Vulnerability Database

March 28, 2024

It’s now official: the US National Institute of Standards and Technology (NIST) is establishing an industry consortium to help it run the world’s most widely used software vulnerability repository.

NIST, an agency within the US Department of Commerce, launched the US National Vulnerability Database (NVD) in 2005 and has operated it ever since.

This situation was expected to change, with vetted organizations helping the agency from as soon as the beginning of April 2024.

The NVD program manager, Tanya Brewer, made the official announcement during VulnCon, a cybersecurity conference hosted by the Forum of Incident Response and Security Teams (FIRST) and held in Raleigh, North Carolina, from March 25 to 27, 2024.

The news came after weeks of speculation over a possible shutdown of the NVD.

NIST Halted CVE Enrichment in February 2024

In early March, many security researchers noticed a significant drop in vulnerability enrichment data uploads on the NVD website that had started in mid-February.

According to its own data, NIST has analyzed only 199 Common Vulnerabilities and Exposures (CVEs) out of the 2957 it has received so far in March.

In total, over 4000 CVEs have not been analyzed since mid-February.

Since the NVD is the most comprehensive vulnerability database in the world, many companies rely on its enrichment data, such as CVSS scores and CPE applicability statements, to prioritize and deploy updates and patches.

If such issues are not resolved quickly, they could significantly impact the security researcher community and organizations worldwide.

Speaking to Infosecurity, Tom Pace, CEO of firmware security provider NetRise, explained: “It means that you’re asking the entire cybersecurity community, overnight, to somehow go figure out what vulnerability is in what operating system, software package, application, firmware, or device. It’s a totally impossible, untenable task!”

Dan Lorenc, co-founder and CEO of software security provider Chainguard, called the incident a “massive issue.”

“We are now relying on industry alerts and social media to ensure we triage CVEs as quickly as possible,” he told Infosecurity.

“Scanners, analyzers, and most vulnerability tools rely on the NVD to determine what software is affected by which vulnerabilities,” Lorenc added. “If organizations cannot triage vulnerabilities effectively, it opens them up to increased risk and leaves a significant gap in their vulnerability management posture.”

To stay operational amidst the NVD backlog, several security companies, such as VulnCheck, Anchore and RiskHorizon AI, started working on projects that could provide an alternative to some of the enrichment data traditionally supplied by the NVD.

This episode coincided with the transition to the latest revision of the Federal Risk and Authorization Management Program (FedRAMP Rev. 5), the US government-wide program that requires any cloud service provider wanting to do business with federal agencies to use the NVD as a source of truth and remediate the known vulnerabilities it lists.

Challenges Within the NVD Led to a “Perfect Storm”

Before the NIST statement, speculation as to what was happening included:

  • Budget issues within NIST, as lawmakers recently approved a $1.46bn budget for NIST for the current fiscal year, a nearly 12% decrease from the previous year
  • An ending contract with a contractor, possibly Huntington Ingalls Industries – a shipbuilding contractor that publicly works with NIST on the NVD
  • Internal discussions to replace some vulnerability standards used by the NVD, such as Common Platform Enumeration (CPE) names that act as fingerprints for IT products, used to identify affected software, hardware, and operating systems
  • Internal discussions to start adopting Package URLs (purls), a newer standard that identifies a software package by a URL-like string encoding its ecosystem, name and version
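Lorenc’s point that scanners rely on the NVD to decide which software is affected, and the CPE and purl items above, come down to the same matching step: an identifier for what you run is compared against the applicability data the NVD attaches to a CVE. The following is an added example, not code from the article, from NIST or from any vendor named here. It parses CPE 2.3 and purl identifiers and matches a constructed inventory against NVD-style configuration entries (the `criteria`, `vulnerable` and `versionStart*`/`versionEnd*` fields the NVD API exposes). The product names, versions and `CVE-0000-*` identifiers are constructed placeholders, and the version ordering is a deliberate simplification.

```python
"""Match a software inventory against NVD-style CPE applicability data.

Added example, not from the article. All CVE IDs, vendors, products and
versions below are constructed placeholders, not real vulnerability data.
"""
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named components.

    A literal colon inside a component is escaped as '\\:', so we only split
    on colons that are not preceded by a backslash.
    """
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    parts = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected 11 components, got {len(parts)}: {cpe}")
    return dict(zip(CPE_FIELDS, parts))


def parse_purl(purl: str) -> dict:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath.

    Only type, namespace, name and version are returned. Note there is no
    vendor field: mapping a purl onto a CPE means guessing the vendor.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, sep, version = body.rpartition("@")
    if not sep:                      # no version component at all
        path, version = body, None
    segments = path.strip("/").split("/")
    return {"type": segments[0], "namespace": "/".join(segments[1:-1]) or None,
            "name": segments[-1], "version": version or None}


def version_key(version: str) -> tuple:
    """Simplified numeric ordering. Real scanners need ecosystem-aware rules
    (semver pre-releases, Debian epochs, RPM release tags, ...)."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def cpe_match(entry: dict, inventory_cpe: str) -> bool:
    """Does one NVD configuration entry apply to one inventory CPE?"""
    crit, inv = parse_cpe23(entry["criteria"]), parse_cpe23(inventory_cpe)
    for field in ("part", "vendor", "product"):
        if crit[field] not in ("*", inv[field]):
            return False
    if crit["version"] != "*":       # exact-version criteria, no range fields
        return crit["version"] == inv["version"]
    v = version_key(inv["version"])
    if "versionStartIncluding" in entry and v < version_key(entry["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in entry and v <= version_key(entry["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in entry and v > version_key(entry["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in entry and v >= version_key(entry["versionEndExcluding"]):
        return False
    return True


def find_affected(inventory: list, cve_records: list) -> tuple:
    """Return (matches, unenriched). A record with no configurations is
    exactly what an unanalyzed NVD entry looks like: nothing can match it."""
    matches, unenriched = [], []
    for rec in cve_records:
        if not rec["configurations"]:
            unenriched.append(rec["id"])
            continue
        for entry in rec["configurations"]:
            if not entry.get("vulnerable", True):
                continue
            for cpe in inventory:
                if cpe_match(entry, cpe):
                    matches.append((rec["id"], cpe))
    return matches, unenriched


# Constructed inventory: two builds of a daemon and one OS image.
INVENTORY = [
    "cpe:2.3:a:examplecorp:widgetd:2.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:widgetd:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:widget_os:1.2:*:*:*:*:*:*:*",
]

# Constructed CVE records in the shape of NVD configuration data.
CVE_RECORDS = [
    {"id": "CVE-0000-0001", "configurations": [
        {"criteria": "cpe:2.3:a:examplecorp:widgetd:*:*:*:*:*:*:*:*", "vulnerable": True,
         "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.5.0"}]},
    {"id": "CVE-0000-0002", "configurations": [
        {"criteria": "cpe:2.3:o:examplecorp:widget_os:1.2:*:*:*:*:*:*:*", "vulnerable": True}]},
    {"id": "CVE-0000-0003", "configurations": []},   # received, never enriched
]

if __name__ == "__main__":
    hits, pending = find_affected(INVENTORY, CVE_RECORDS)
    for cve_id, cpe in hits:
        print(f"{cve_id} affects {cpe}")
    print("unenriched, cannot be matched:", pending)
```

The third record is the backlog in miniature: the CVE exists, but with no CPE configuration a scanner has nothing to compare against, so the only options are manual triage from the advisory text or a third-party enrichment feed.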

At VulnCon, Brewer did not delve much into the reason for the NVD issue, saying, “Although there is a story behind it, it is long, convoluted and very administrivia.”

She added that a few challenges led the NVD program to “this perfect storm.”

“In May 2023, I saw that we needed to do things differently and start working differently with industry. We’ve been working on that ever since. Unfortunately, we had our perfect storm and didn’t get it done as quickly as we wanted.”

In a written statement sent to Infosecurity on March 29, a NIST spokesperson said that the backlog was "based on a variety of factors, including an increase in software and therefore vulnerabilities, as well as a change in interagency support."

"Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well," the spokesperson added.

Brewer said at VulnCon that NIST has started reallocating personnel and increasing its collaboration with other government agencies over the NVD program.

She said enrichment data should start flowing again within a few weeks.

“We’re not going to shut down the NVD; we’re in the process of fixing the current problem. And then, we’re going to make the NVD robust again and we’ll make it grow,” she insisted.

NIST Provides Details on the Upcoming NVD Consortium

On February 15, the NVD website announced that NIST “is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.”

This was confirmed by Brewer at VulnCon.
