In recent weeks, NIST’s National Vulnerability Database (NVD) has been experiencing a slowdown. Since February 15, 2024, a prominent notice has adorned the NVD’s main page, signaling disruptions in vulnerability management.
It reads: “NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.”
Despite NIST’s efforts to populate the database with entries for CVE-numbered vulnerabilities, recent entries do not include crucial information essential for effective vulnerability management.
Descriptions of the flaw, CVSS severity scores, advisory links, and CPE entries (the identifiers that tie a CVE to affected products) are notably lacking.
NIST has not disclosed the precise nature of the problem, but its impact on the industry is unmistakable. The absence of critical data poses significant challenges to our vulnerability scanning and management processes.
Alternatives do exist. Other free vulnerability databases, such as OSV and the GitHub Security Advisory DB, offer supplementary resources for vulnerability management.
While these alternatives mitigate the impact somewhat, not all vulnerability scanners integrate them.
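The practical problem described above is that an NVD record can exist for a CVE while the fields a scanner needs (CVSS metrics, CPE configurations) are still empty. The following added example, which is not code from the article or from NIST, OSV or GitHub, shows one way to detect such unenriched records and backfill severity and affected-package data from an OSV-format advisory that aliases the same CVE. It assumes the field layout of the NVD CVE API 2.0 JSON (`vulnStatus`, `descriptions`, `metrics`, `configurations`, `references`) and of the OSV schema (`aliases`, `severity`, `affected`); both sample records are constructed and do not describe a real vulnerability.

```python
"""Detect unenriched NVD CVE records and backfill gaps from an OSV record.

Added example, not part of the original article. Assumes the NVD CVE API
2.0 field layout and the OSV schema; the records below are constructed.
"""

# Constructed NVD-style record: accepted into the database but not yet
# analysed, so there are no CVSS metrics and no CPE configurations.
NVD_RECORD = {
    "cve": {
        "id": "CVE-0000-00001",            # placeholder, not a real CVE
        "vulnStatus": "Awaiting Analysis",
        "descriptions": [{"lang": "en", "value": "Example overflow in examplelib."}],
        "references": [{"url": "https://example.invalid/advisory"}],
        "metrics": {},
        "configurations": [],
    }
}

# Constructed OSV-style record that aliases the same CVE and carries a
# CVSS vector plus affected-package ranges.
OSV_RECORD = {
    "id": "GHSA-xxxx-xxxx-xxxx",           # placeholder identifier
    "aliases": ["CVE-0000-00001"],
    "severity": [{"type": "CVSS_V3",
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}],
    }],
}

# Metric keys the NVD API 2.0 uses for the CVSS versions it publishes.
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def missing_enrichment(nvd_record):
    """Return the list of enrichment fields absent from an NVD record."""
    cve = nvd_record["cve"]
    missing = []
    if not any(d.get("value") for d in cve.get("descriptions", [])):
        missing.append("description")
    metrics = cve.get("metrics") or {}
    if not any(metrics.get(k) for k in CVSS_KEYS):
        missing.append("cvss")
    if not cve.get("configurations"):
        missing.append("cpe")
    if not cve.get("references"):
        missing.append("references")
    return missing


def osv_matches(cve_id, osv_record):
    """True if the OSV record is, or aliases, the given CVE id."""
    return osv_record.get("id") == cve_id or cve_id in osv_record.get("aliases", [])


def merge_with_osv(nvd_record, osv_record):
    """Backfill an unenriched NVD record from a matching OSV record.

    Returns a summary dict with the CVSS vector and affected packages
    actually found, which source supplied each, and what is still missing
    so the item can be routed to manual triage.
    """
    cve = nvd_record["cve"]
    gaps = missing_enrichment(nvd_record)
    out = {"id": cve["id"], "nvd_status": cve.get("vulnStatus"),
           "severity": None, "affected": [], "source": {}, "still_missing": []}
    metrics = cve.get("metrics") or {}
    for key in CVSS_KEYS:                   # prefer the newest CVSS version present
        if metrics.get(key):
            out["severity"] = metrics[key][0]["cvssData"]["vectorString"]
            out["source"]["severity"] = "nvd"
            break
    if "cvss" in gaps and osv_matches(cve["id"], osv_record):
        for sev in osv_record.get("severity", []):
            if sev.get("type", "").startswith("CVSS"):
                out["severity"] = sev["score"]
                out["source"]["severity"] = "osv"
                break
    if "cpe" in gaps and osv_matches(cve["id"], osv_record):
        for aff in osv_record.get("affected", []):
            pkg = aff.get("package", {})
            out["affected"].append(f"{pkg.get('ecosystem')}:{pkg.get('name')}")
            out["source"]["affected"] = "osv"
    if out["severity"] is None:
        out["still_missing"].append("cvss")
    if not cve.get("configurations") and not out["affected"]:
        out["still_missing"].append("cpe")
    return out


if __name__ == "__main__":
    print(missing_enrichment(NVD_RECORD))
    print(merge_with_osv(NVD_RECORD, OSV_RECORD))
```

The `still_missing` list is the part worth wiring into a pipeline: an item that is still without a CVSS vector or any affected-product data after the OSV lookup cannot be scored automatically and should be queued for manual review rather than silently dropped from reports.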
The issue is even more pertinent for contractors operating within the United States government’s purview. Under FedRAMP Rev. 5, contractors are bound by legal obligations mandating the use of the CVSS and NVD to assess and manage cybersecurity risks.
What Do the Vulnerability Management Leaders Say?
Companies like Rapid7 and Qualys have reassured customers that their products do not exclusively depend on NVD data.
Despite its slowdown, the NVD remains a cornerstone of vulnerability management, particularly concerning proprietary software. As such, a total return to “normal” is still eagerly awaited.