Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Professionals in the vulnerability management community warned that the lasting issues of the US National Vulnerability Database (NVD) could lead to a major supply chain security crisis. Fifty cybersecurity professionals jointly signed an open letter, sent on April 12th to several members of the US Congress as well as the Secretary of Commerce, addressing the ongoing issues with the NVD. NIST is an agency of the Department of Commerce. Titled “A Cybersecurity Crisis in Waiting: On the Need to Restore and Enhance Operations with the National Vulnerability Database”, the document urges Congress to investigate the lack of vulnerability enrichment data and to help NIST restore the NVD by funding its modernization. After security researchers noticed a drastic drop in analyzed and enriched CVEs, concerns arose about the missing metadata, because many companies rely on the NVD to prioritize and deploy updates and patches. According to NIST, only 4,398 of the 10,826 CVEs received this year have currently been analyzed and updated with pertinent information. The absence of a planned fix for this backlog is likely due to a shortage of staff and government funding.
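The gap the letter describes is visible in the NVD's own records: a CVE can be published but carry no CVSS metrics or CPE configuration until NIST analyzes it. The following added example (not code from the article or from NIST) parses a constructed response in the shape of the NVD API 2.0 JSON and reports which CVEs a patch-prioritization pipeline would silently skip for lack of enrichment; it assumes the NVD 2.0 field names (`vulnStatus`, `metrics`, `configurations`) and uses placeholder CVE ids.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of an NVD API 2.0 /cves response.
# Assumption: field names follow the NVD 2.0 JSON schema; CVE ids are placeholders.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
                 "configurations": [{"nodes": []}]}},
        # Published, but NIST has not yet enriched it: no CVSS, no CPE.
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"}},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Received"}},
    ]
})

# Statuses under which NIST has already attached enrichment data.
ENRICHED_STATUSES = {"Analyzed", "Modified"}


def is_enriched(cve: dict) -> bool:
    """A record counts as enriched only if NIST marked it analyzed AND it
    carries both a CVSS metric and a CPE configuration. Tooling that keys on
    severity or affected product silently drops records missing either one."""
    has_metrics = any(cve.get("metrics", {}).values())
    has_cpe = bool(cve.get("configurations"))
    return cve.get("vulnStatus") in ENRICHED_STATUSES and has_metrics and has_cpe


def enrichment_report(raw_json: str) -> Dict[str, object]:
    """Summarize how many CVEs in an NVD response are usable for prioritization
    and list the ids that need a fallback source (vendor advisory, CNA data)."""
    data = json.loads(raw_json)
    unenriched: List[str] = []
    total = 0
    for item in data.get("vulnerabilities", []):
        cve = item["cve"]
        total += 1
        if not is_enriched(cve):
            unenriched.append(cve["id"])
    enriched = total - len(unenriched)
    return {"total": total, "enriched": enriched,
            "unenriched_ids": unenriched,
            "enriched_ratio": enriched / total if total else 0.0}


if __name__ == "__main__":
    print(json.dumps(enrichment_report(SAMPLE_NVD_RESPONSE), indent=2))
```

Run against a real `/cves` page, a low `enriched_ratio` is the signal that a scanner's severity filter is no longer seeing the full feed.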

The letter asserts that NIST's main priority for the NVD should be to resolve the growing backlog of CVEs, and only afterward to reorganize its management processes with the help of the Consortium. The signatories suggest to Congress that three immediate actions will be the most effective: investigate the ongoing issues with the NVD, ensure NIST has the resources to restore operations immediately, and then lay the groundwork for critical improvements to the service. To accomplish these goals, the signatories made several recommendations: implementing stopgap processes for the NVD, establishing a plan with clear timelines and accountability, investigating NIST's lack of transparency regarding the regression in NVD operations, establishing sustained funding to give the NVD reliable resources, treating the NVD as a component of critical infrastructure, and keeping the NVD independent.

Security Officer Comments:
This ongoing issue with NIST's NVD has been publicized since early March, with the significant drop in uploads to the database beginning in mid-February. Because many companies build their security processes on this comprehensive database, the backlog could cause a supply chain security crisis with a global impact on organizations and the security community. NIST's lack of transparency with the community has heightened concern and suspicion among security researchers. The researchers' insistence that the backlog be tackled immediately shows that the community does not see this as the moment for reorganization and growth of the NVD. Introducing industry collaboration at this time could harm the NVD, given its essential role as the main source of truth for the federal government. Adding complexity to the NVD issue may spread resources even thinner, prolonging the time it takes to get the database back up to speed and resulting in avoidable supply chain issues.