The funding cutbacks announced in February have continued to hobble NIST’s ability to keep the government’s National Vulnerabilities Database (NVD) up to date, with one cybersecurity company finding that more than 93% of the flaws added have not been analyzed or enhanced, a problem that will make organizations less safe.

“With the recent slowdown of the NIST National Vulnerability Database … it’s crucial to understand the gravity of the situation,” Patrick Garrity, security researcher with VulnCheck, wrote in a recent report. “Nation-state threat actors and ransomware gangs continue to target organizations with devastating consequences, while our own house is in disarray. Although we can speculate on the underlying causes leading to the NVD’s near cessation, one thing is clear: threats continue to persist and show no signs of following NIST’s lead.”

The National Institute of Standards and Technology, an agency within the U.S. Commerce Department, saw Congress cut its budget by almost 12% this year, one of several science-focused agencies to lose money from their budgets.

The NIST budget cut was announced February 12. Within three days NIST warned about probable delays in analyzing vulnerabilities. In April, the agency said in an update that it was prioritizing the most significant vulnerabilities, assigning more of its staff to the work, and working with other agencies. In addition, NIST officials said they were evaluating long-term solutions to the problem, including looking to the private sector for help by establishing a consortium of industry, government, and other organizations to collaborate on the research and keep the NVD relevant and up-do-date.

Numbers Tell the Story

VulnCheck looked at the 12,720 CVEs published by the NVD between February 12 and May 20 and found that 11,885 had not been analyzed. Other numbers also illustrated the problems. Almost 56% of weaponized vulnerabilities – those that deliver a substantial payload – have not been analyzed by the NVD during that time, nor have 82% of those with a proof-of-concept exploit.

In addition, 50.8% of VulnCheck’s Known Exploitable Vulnerabilities (KEV) haven’t been analyzed. Several such vulnerabilities affect technologies like Microsoft Windows, Adobe ColdFusion, ChatGPT, and Progressm Flowmon.

This is from an agency that for two decades has been a primary source of software vulnerability information that security teams around the world rely on, Garrity wrote. The three key functions the NVD has include enriching vulnerabilities, including giving them CVSS severity ratings and reference tags, and an easily consumable way to access the data.

The database also holds CVE number authorities and vendors accountable for the quality of what they file.

“While there is debate over the NVD’s approach, it has a long track record as the go-to source for enriched CVE data and is incorporated into several government mandates as the source of truth for vulnerability management requirements,” he wrote.

Garrity added that “as the security community reacts to an uncertain future for the NVD and scrambles to fill this void, it is important to provide real-world insight into the threats that persist as the NVD falters to provide a critical service for the world.”

A Community Response Needed

He called on other organizations, including VulnCheck, to “coordinate efforts to fill the void that NIST has currently created,” recommending that CNAs provide more complete data when publishing new CVEs and work to enrich the records as much as possible by including product and vendor names, CVSS, and other data.

MITRE, which runs CVE.org, and NVD can work to automate CVE enrichment where possible, with NVD moving to a model where it doesn’t analyze every CVE submission, trusting others like CNAs to do that. In addition, “CVE.org/MITRE should consider accelerating the Authorized Data Provider (ADP) program to validate and allow third-party contributions to enrich CVE.org data,” he wrote. “This would include incorporating projects like CISA’s Vulnrichment project, CISA KEV and other third party sources.”

The Struggle Continues

It’s unclear when the situation with NIST will get better. The underfunded agency is now taking more work from the Biden Administration’s AI executive order, including the launch this week of a pilot program that includes a portfolio of NIST-managed evaluations – dubbed Aria – to assess various risks and impact of AI systems.

That came days after NIST Director Laurie Locascio reportedly was before the U.S. House Science, Space and Technology Committee explaining the cost-cutting measures she has taken with the agency’s smaller budget and what could happen if – as House Republicans are proposing – it sees another 6% cut in the next fiscal year. That could lead to job cuts, Locascio said.