NIST Devises a Strategy to Address the Backlog in Vulnerability Assessments
The National Vulnerability Database (NVD) is making strides in reducing its backlog of unanalyzed vulnerabilities, a critical issue due to the ever-increasing volume of Common Vulnerabilities and Exposures (CVEs) disclosed each year. In 2024 and 2025, the volume of CVEs is expected to surge, with nearly 50,000 CVEs anticipated in 2025 alone.
This growth has put immense pressure on defenders and on databases like the NVD, making backlog clearance a top priority. To address this challenge, the NVD is turning to AI-driven vulnerability analytics and triage tools provided by the Maryland-based company Analygence.
Analygence's technology automates the analysis process, reducing manual effort and speeding up the ingestion of CVE data into the NVD. This aids in mitigating the "patch gap exploitation" problem, where attackers exploit vulnerabilities within 24 hours of disclosure, by providing quicker and more contextual vulnerability insights.
The Cybersecurity and Infrastructure Security Agency (CISA) has also been supporting NIST by providing additional information on backlogged CVEs to facilitate their addition to the database. In December 2021, NIST awarded a $125 million contract to Analygence to support various cybersecurity and privacy work, and later contracted the company for $865,657 to support the processing of incoming vulnerabilities for the NVD.
As of the end of September 2024, the NVD has made substantial progress in reducing the backlog, though the challenge remains significant due to the ever-increasing volume of new vulnerabilities. The contracted staffing from Analygence will allow NIST to return to its previous processing rates within the next few months, but will not clear the backlog that has developed since February.
The technology community relies on information about vulnerabilities to prioritize mitigation and understand risk. With the help of companies like Analygence, the NVD is better equipped to keep up with the deluge of new vulnerabilities and provide timely, accurate information to defenders.
- The cybersecurity challenge of reducing the backlog of unanalyzed vulnerabilities in the National Vulnerability Database (NVD) is being addressed with the help of AI-driven vulnerability analytics and triage tools from the Maryland-based company Analygence.
- The use of technology from Analygence automates the analysis process, reducing manual effort and speeding up the ingestion of Common Vulnerabilities and Exposures (CVE) data into the NVD, thereby assisting in mitigating the "patch gap exploitation" problem.
- The timely and accurate data provided by the NVD, enhanced by companies like Analygence, plays a crucial role in helping the technology community understand risk and prioritize cybersecurity, data and cloud computing, and privacy work.