NIST unveils new consortium to manage NVD

esteria.white

It’s now official: the U.S. National Institute of Standards and Technology (NIST) will entrust management of the world’s most widely used software vulnerability repository to an industry consortium.

NIST, an agency of the U.S. Department of Commerce, launched the U.S. National Vulnerability Database (NVD) in 2005 and has operated it ever since.

This is expected to change from early April 2024, when the database will be placed in the collective hands of a consortium of selected organizations.

NVD Program Manager Tanya Brewer made the official announcement at VulnCon, a cybersecurity conference hosted by the Forum of Incident Response and Security Teams (FIRST) and held in Raleigh, North Carolina, on March 25-27, 2024.

The news came after weeks of speculation about a possible shutdown of the NVD.

NIST halted CVE enrichment in February 2024

In early March, many security researchers noticed a significant drop in the volume of vulnerability enrichment data being published to the NVD website, a decline that had begun in mid-February.

According to its own data, NIST had analyzed only 199 Common Vulnerabilities and Exposures (CVE) records out of the 2,957 received so far in March.

In total, more than 4,000 CVEs have not been analyzed since mid-February.

As the NVD is the most comprehensive vulnerability database in the world, many companies rely on it to decide which updates and patches to deploy.

If these issues are not resolved quickly, they could have a significant impact on the security research community and organizations around the world.

NetRise’s Pace explained: “That means you’re asking the entire cybersecurity community, overnight, to somehow figure out what the vulnerability is in what operating system, software package, application, firmware or device. This is a totally impossible and untenable task!”

Speaking to Infosecurity, Dan Lorenc, co-founder and CEO of software security provider Chainguard, called the incident a “major problem.”

“We now rely on industry alerts and social media to ensure CVEs are triaged as quickly as possible,” he said.

“Scanners, analyzers, and most vulnerability tools rely on NVD to determine which software is affected by which vulnerabilities,” Lorenc added. “If organizations fail to triage vulnerabilities effectively, it exposes them to increased risk and leaves a significant gap in their vulnerability management posture.”

To keep operating despite the NVD delay, several security companies, such as VulnCheck, Anchore, and RiskHorizon AI, have begun working on projects that could offer an alternative to parts of the vulnerability data traditionally provided by the NVD.

This episode coincided with the publication of the latest revision of the Federal Risk and Authorization Management Program (FedRAMP Rev. 5), the US federal program whose requirements oblige cloud service providers wishing to do business with the federal government to use the NVD as a source of truth and to fix any known vulnerabilities it lists.

Challenges within the NVD led to a ‘perfect storm’

Before the NIST statement, speculation about what was happening included:

  • Budget problems at NIST, as lawmakers recently approved a $1.46 billion budget for NIST for the current fiscal year, a decrease of nearly 12 percent from the previous year
  • The termination of a contract with a contractor, possibly Huntington Ingalls Industries, a shipbuilding contractor that publicly works with NIST on the NVD
  • Internal discussions about replacing certain vulnerability standards used by the NVD, such as Common Platform Enumeration (CPE), which acts as a fingerprint for IT products and is used to unambiguously identify software, hardware and systems
  • Internal discussions about adopting Package URLs (PURL), a newer standard that gives software packages a universal address
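Why the enrichment backlog described above matters to a scanner, and what the CPE-versus-PURL discussion is about, is easiest to see in code. The following is an added example, written for this page and not code from NIST, the article’s author or any vendor it names. It assumes the NVD CVE API 2.0 response shape (`cve.vulnStatus`, `cve.configurations`, and the `cpeMatch` version-range keys); the sample records are constructed placeholders, not real CVEs, and the purl-type to CPE `target_sw` table is a heuristic assumption rather than an official mapping.

```python
"""Added example: how NVD enrichment status and software identifiers decide
whether a scanner can match a CVE to an SBOM component at all.
Assumes the NVD CVE API 2.0 response shape; all records below are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
# Heuristic assumption, not an official table: CPE target_sw used per purl ecosystem.
PURL_TYPE_TO_TARGET_SW = {"pypi": "python", "npm": "node.js", "gem": "ruby"}

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes.
    A literal ':' inside a value is escaped as '\\:', so split only on unescaped colons."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, (p.replace("\\:", ":") for p in parts[2:])))

def parse_purl(purl: str) -> dict:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath, keeping what
    matching needs. rpartition('@') leaves scoped npm names (pkg:npm/@scope/name@1.0) intact."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[4:].lstrip("/").partition("#")[0].partition("?")[0]
    path, sep, version = rest.rpartition("@")
    if not sep:                      # no version: rpartition put everything in `version`
        path, version = version, ""
    segments = path.split("/")
    return {"type": segments[0].lower(),
            "namespace": "/".join(unquote(s) for s in segments[1:-1]),
            "name": unquote(segments[-1]),
            "version": unquote(version)}

def version_key(v: str) -> tuple:
    """Crude numeric ordering for dotted releases; real code must use the ecosystem's rules."""
    return tuple(int(x) if x.isdigit() else 0 for x in re.split(r"[.\-]", v))

def version_in_range(version: str, match: dict) -> bool:
    """Apply a cpeMatch entry's concrete version (if any) plus its versionStart*/versionEnd* keys."""
    v = version_key(version)
    crit = parse_cpe23(match["criteria"])["version"]
    if crit not in ("*", "-") and version_key(crit) != v:
        return False
    bounds = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b))
    return all(ok(version_key(match[k])) for k, ok in bounds if k in match)

def enrichment_backlog(nvd_response: dict) -> dict:
    """Count CVEs per vulnStatus; 'Received' and 'Awaiting Analysis' make up the backlog."""
    return dict(Counter(item["cve"].get("vulnStatus", "unknown")
                        for item in nvd_response["vulnerabilities"]))

def triage(nvd_response: dict, component_purl: str) -> dict:
    """Classify each CVE for one SBOM component as 'affected', 'not_affected' or
    'unenriched'. An unenriched record has no CPE configurations yet, so no
    automated match is possible: that is the gap the backlog creates."""
    comp = parse_purl(component_purl)
    # CPE product names are lowercase with underscores; a real matcher needs the
    # CPE Dictionary to map package names, which is why PURL is attractive for packages.
    product = comp["name"].lower().replace("-", "_")
    expected_sw = PURL_TYPE_TO_TARGET_SW.get(comp["type"])
    verdicts = {}
    for item in nvd_response["vulnerabilities"]:
        cve = item["cve"]
        if not cve.get("configurations"):
            verdicts[cve["id"]] = "unenriched"
            continue
        hit = False
        for cfg in cve["configurations"]:
            for node in cfg["nodes"]:
                for m in node.get("cpeMatch", []):
                    c = parse_cpe23(m["criteria"])
                    if (m.get("vulnerable") and c["product"] == product
                            and c["target_sw"] in ("*", expected_sw)
                            and version_in_range(comp["version"], m)):
                        hit = True
        verdicts[cve["id"]] = "affected" if hit else "not_affected"
    return verdicts

# Constructed NVD API 2.0-shaped payload: one analyzed CVE with CPE configurations,
# one still awaiting analysis. The IDs are placeholders, not real CVE numbers.
SAMPLE_NVD_RESPONSE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                 "cpeMatch": [{"vulnerable": True, "versionEndExcluding": "2.4.1",
                     "criteria": "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:python:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"}},
]}

if __name__ == "__main__":
    print(enrichment_backlog(SAMPLE_NVD_RESPONSE))
    print(triage(SAMPLE_NVD_RESPONSE, "pkg:pypi/example-lib@2.3.0"))
```

The second CVE comes back as `unenriched` rather than `not_affected`: a scanner that silently treats the two alike is the failure mode the researchers quoted in this article are worried about, so the verdict is kept distinct. Note also how much of the match depends on normalising a package name into a CPE `product` and guessing `target_sw`; a PURL carries the ecosystem and exact name directly, which is the argument for adopting it.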

At VulnCon, Brewer did not go into the reasons for the NVD problem, saying: “While there is a story behind it, it is long, convoluted, and very administrative.”

A written statement will be posted on the NVD website by March 29.

She added that a few challenges have led the NVD program to “this perfect storm.”

“In May 2023, I understood that we had to do things differently and start working differently with the industry. We have been working on this ever since. Unfortunately, we had our perfect storm and we didn’t get it done as quickly as we wanted.”

She said NIST is actively reassigning staff to the NVD program and increasing collaboration with other government agencies on it.

She said enrichment data should start flowing again within a few weeks.

“We are not going to close the NVD; we are fixing the current issue. And then we will make the NVD robust again and we will make it grow,” she insisted.

NIST provides details on upcoming NVD consortium

On February 15, the NVD website announced that NIST is “currently working to create a consortium to address NVD program challenges and develop improved tools and methods.”

This was confirmed by Brewer at VulnCon.

“Although the official documents are not yet released, NIST has every intention of forming the NVD Consortium to make NVD more relevant in the future. It should be operational within two weeks,” she explained.

Also at VulnCon, J’aime Maynard, Consortium Agreement Manager at the Technology Partnership Office (TPO), provided information on who can join the NVD Consortium and how to do so.

In summary, applicants must be organizations, must sign the same Cooperative Research and Development Agreement (CRADA) with NIST, and must agree to the same terms and risks. A membership contribution is under consideration.

Entities that are prohibited from signing a CRADA may be permitted to participate in the Consortium under another appropriate agreement.

Each member will have a seat on the steering committee. The Consortium will be structured into different working groups.

NIST will publish a Federal Register notice detailing the primary objectives of the NVD Consortium, how to apply, and relevant points of contact at NIST.

In the meantime, interested parties can contact the following email address: nvd_consortium@nist.gov.

NVD One to Five Year Plan

Once the NVD is back up and running, Brewer said the program will consider new approaches to improve its processes over the next five years, particularly around software identification.

Some of the ideas include:

  • Involve more partners: Allow third parties to submit CPE data for the CPE Dictionary in a way that keeps pace with the ever-increasing number of IT products
  • Software identification improvements: Manage software identification in the NVD in a way that scales with increasing complexity (adoption of PURL is under consideration)
  • New data types: Develop capabilities to publish additional data types to the NVD (e.g. from EPSS or the NIST Bugs Framework)
  • New use cases: Develop a way to make NVD data more consumable and customizable for targeted use cases (e.g. receiving email alerts from the NVD when CVEs are released)
  • CVE JSON 5.0: Extend NVD capabilities to use the new data points available in CVE JSON 5.0
  • Automation: Develop a way to automate at least some CVE analysis activities

“We want to no longer need human analysis for CVE enrichment. Recent developments in AI could help,” Brewer insisted.

Some “long-awaited clarity”

Ahead of VulnCon, many vulnerability researchers criticized NIST’s decision to save its first public statement for the conference.

This was illustrated by Lorenc’s comment during Resilient Cyber, a LinkedIn video podcast hosted by Chris Hughes, president of Aquia. “You announce a flashy new product at a conference, you don’t let the world know what’s going on with something as important as NVD,” Lorenc said.

However, Brewer’s session answered many of the questions that vulnerability researchers have asked NIST over the past month.

Speaking to Infosecurity, Aquia’s Hughes commented: “The comments provided long-awaited and industry-requested clarity. The upcoming collaborative approach is expected to bring new support and participation and also resolve long-standing issues such as NVD support for PURL, which helps address NVD’s current challenges regarding the open source ecosystem and software supply chain security.

“The consensus is that this brief disruption will help expand industry collaboration through the consortium as well as modernize long-standing challenges related to NVD, its operations and functionality.”

Patrick Garrity, security researcher at VulnCheck, agrees.

“NIST NVD’s presence at the conference reassured the community that NIST NVD is actively working to address current gaps in addressing CVEs. While there is no definitive timetable for resolution, it is evident that they are working diligently to find a solution, also with a focus on working with the community through a new consortium,” he said.

However, some voices remain critical of Brewer’s VulnCon talk. In an article published on March 28 on the Digital Utility Group forum on EnergyCentral’s website, Tom Alrich, project co-lead of the OWASP SBOM Forum, said he regretted that Brewer did not address the nature of the problems encountered by the NVD program or the reason behind the recent backlog.

Infosecurity contacted NIST, which did not respond to requests for comment at the time of writing.
