The Security Industry Depends on NVD

The National Vulnerability Database (NVD) is used in some capacity by nearly every security product and program worldwide. In recent weeks, however, it has stopped publishing the new information these organizations depend on to protect themselves against emerging threats.

Over the past month, the security industry has felt the impact of the disruption to this critical resource, specifically the sharp drop in CVE publication and enrichment: for example, missing Common Platform Enumeration (CPE) identifiers, which tell the public which products and versions are affected by a given Common Vulnerabilities and Exposures (CVE) entry.

NIST's NVD dates back to 1999 as a reliable source of critical information on software vulnerabilities. The NVD enriches the vulnerability information provided by Mitre's CVE Program, which identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities. The details NIST adds include vulnerability severity (CVSS metrics), affected products (CPEs), and Common Weakness Enumeration (CWE) identifiers; these aid security practitioners and developers and serve as an audit function for vulnerability management programs.

Recently, the NVD paused analyzing and enriching vulnerability information from Mitre, causing a ripple effect across the security industry and organizations worldwide. The halt has also limited visibility into vulnerability severity, which is broadly used to prioritize vulnerabilities in tools such as FIRST's Exploit Prediction Scoring System (EPSS) and many proprietary risk-scoring systems. Organizations everywhere rely on NIST's NVD enrichment to identify vulnerable products within their environments and to measure severity, criticality, risk, and impact on their IT infrastructure, software, and business-critical applications.
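The three enrichment elements named above (CVSS metrics, CPE configurations, CWE identifiers) are exactly what goes missing while analysis is paused. As an added example, not code from the article, here is a small Python audit over NVD API 2.0-style records that flags which CVEs in a feed cannot be prioritized or matched to an asset inventory for lack of that enrichment; the two records, their IDs, scores and CPE strings are constructed, and the field names follow the public API 2.0 JSON layout as I understand it.

```python
import json

# Constructed sample in the shape of an NVD API 2.0 response (field names as
# assumed from the public API): one analyzed CVE with full enrichment, one
# that sits in "Awaiting Analysis" with none. IDs, scores and CPEs are made up.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "weaknesses": [], "configurations": []}},
]})

def vulnerable_cpes(cve: dict) -> list[str]:
    """All cpe:2.3 strings NVD marked as vulnerable in the record's configurations."""
    return [m["criteria"] for c in cve.get("configurations", [])
            for n in c.get("nodes", []) for m in n.get("cpeMatch", []) if m.get("vulnerable")]

def enrichment_gaps(cve: dict) -> list[str]:
    """Name the enrichment elements (cvss, cwe, cpe) absent from one CVE record."""
    gaps = []
    metrics = cve.get("metrics", {})
    if not any(metrics.get(k) for k in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")):
        gaps.append("cvss")
    if not [d for w in cve.get("weaknesses", []) for d in w.get("description", [])]:
        gaps.append("cwe")
    if not vulnerable_cpes(cve):
        gaps.append("cpe")
    return gaps

def audit_feed(feed_json: str) -> dict[str, list[str]]:
    """Map each CVE id to its missing enrichment (empty list means fully enriched)."""
    return {v["cve"]["id"]: enrichment_gaps(v["cve"])
            for v in json.loads(feed_json)["vulnerabilities"]}

def match_inventory(feed_json: str, inventory: list[str]) -> tuple[list[str], list[str]]:
    """Split CVEs into (matched to an inventory CPE, undeterminable for lack of CPE data).
    Compares only the part:vendor:product:version fields of cpe:2.3 strings (a simplification)."""
    inv = {tuple(c.split(":")[2:6]) for c in inventory}
    matched, undetermined = [], []
    for v in json.loads(feed_json)["vulnerabilities"]:
        cpes = vulnerable_cpes(v["cve"])
        if not cpes:
            undetermined.append(v["cve"]["id"])
        elif any(tuple(c.split(":")[2:6]) in inv for c in cpes):
            matched.append(v["cve"]["id"])
    return matched, undetermined
```

Running `audit_feed(SAMPLE_FEED)` reports the second record as missing all three elements, and `match_inventory` lists it as undeterminable no matter what the inventory contains, which is the practical blind spot a paused NVD creates.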

Credit: xkcd.com for template

Headwinds Facing the NVD

Exponential Rise in New Vulnerabilities:

The NVD has processed and analyzed hundreds of thousands of CVEs, and the volume continues to rise each year. Human analysis is integral to processing CVEs, and the pause is most likely due to limited resources for handling the exponential growth in CVE issuance.

NVD Resource Allocation:

With multiple projects and limited resources, tough prioritization decisions are inevitable. While it is not apparent to the public why CVE enrichment has paused, it is evident that those at NIST are facing difficult decisions to ensure the program's sustainability.

NIST Budget Cuts:

NIST is experiencing its first budget cut in over a decade, and the NVD program may have faced resource cuts amid broader budgetary constraints. Reference: https://ww2.aip.org/fyi/budget-tracker

Supporting NIST NVD: How You Can Help

Despite the silence surrounding NIST NVD, there is likely a significant reason behind it. As a scientific organization, NIST tends to stay focused on its mission. It is therefore essential for the community to advocate for the critical importance of the NVD and to ensure it is adequately resourced.

The security community should show its support for NIST NVD and its pivotal role in the cybersecurity ecosystem. Individuals can take action by reaching out to their senators and emphasizing the significance of NIST NVD.

Help contribute to a letter to Congress being drafted by Dan Lorenc: https://docs.google.com/document/d/1y6JXhh52b1OMxLMQyl_WH0R2-85iYEBzjSm_fhv8-GY/edit?usp=sharing

Call Your Senator:

https://www.senate.gov/senators/senators-contact.htm

Alex Armasu

Founder & CEO, Group 8 Security Solutions Inc. DBA Machine Learning Intelligence

6mo

Thanks for putting this up!

Olivier Debré

Information security ("cybersecurity") consultant at Excube

7mo

I listened yesterday to the excellent podcast by Kurt Seifried and Josh Bressers. #NVD is mentioned in several #NIST SP 800 series documents. Hence, problem without NVD. Answer: at least 12 of them.

1. SP 800-30 Rev. 1: Guide for Conducting Risk Assessments
2. SP 800-40 Rev. 3: Guide to Enterprise Patch Management Technologies
3. SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
4. SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
5. SP 800-150: Guide to Cybersecurity Incident Handling
6. SP 800-160 Volume 1: Systems Security Engineering: Fundamentals of Systems Security Engineering
7. SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
8. SP 800-190: Application Container Security Guide
9. SP 800-198: Guide to the Application of System Security Engineering
10. SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture
11. SP 800-211: Security Policy for Container Images
12. SP 800-228: Guide for Cybersecurity Event Recovery

https://opensourcesecurity.io/2024/03/17/episode-420-whats-going-on-at-nvd/

Olivier Debré

Information security ("cybersecurity") consultant at Excube

7mo

I guess there's another probable consequence to be concerned about: the Known Exploited Vulnerabilities #KEV catalogue by the Cybersecurity and Infrastructure Security Agency #CISA hasn't been updated since March 7, namely 13 days, which seldom happens. More than 10 days between two successive #CVE additions to the #KEV has been encountered only 15 times, on a total of 1088 CVEs (among which 288 were published on day one, November 3, 2021).

Jean-Baptiste Maillet

Embedded OSS cybersecurity

7mo

Am I the only one contemplating the idea of making myself a t-shirt with this tweaked XKCD meme? 🤔 That could even be a (very) small, (very) short term alternative business plan for some NVD users.