NVD Update: Help Has Arrived
NIST has announced that it has filled the funding gap for the National Vulnerability Database (NVD) and hired a contractor to return it to its previous underwhelming state.
What does that mean for us? Basically, The NVD is off life support, but we wouldn’t say it’s healthy. It’s more like “undead”.
This has been quite a saga, starting with the news that the NVD stopped most CVE enrichment (You can read about that here.) Then came a wave of public support for the NVD to get the funding it needs, as well as some news about how the NVD briefly stopped even entering CVEs to the database altogether. It ultimately caught up on CVEs, although the enrichment backlog continues).
Then there was the mystery about the unnamed agency that suddenly pulled funding from the NVD. The anonymity led us to assume it must have been a secretive three-letter agency, like the CIA. However, it turns out it was a four-letter agency: the Cybersecurity & Infrastructure Security Agency, aka CISA. Rich Press, director of media relations, at the National Institute of Standards and Technology (NIST) told Cybersecurity Dive that NIST filled the $3.7 million gap created when CISA pulled funding by reallocating internal funds. So, hey, that’s good.
Even better, it appears that NIST has already begun spending that dough on some hired help to deal with the massive amount of incoming and backlogged CVEs. Reports are varied on how much the deal is worth, but Analygence, a company with a name only the federal government could love, reported that they were awarded a total contract of $125 million with NIST back in December. However, it appears that the NVD-specific part of that contract is only worth about $1.8 million total—and that’s only if it gets extended to July of 2025.
Some are still reporting that Analygence has a contract for $125 million over 5 years with NIST for work on the NVD specifically, but we find that doubtful. It doesn’t seem in line with NIST’s conservative announcement posted May 29th that the backlog would be all sewn up by the end of September. For $125 million we’d expect a shiny new, massively overhauled NVD, not one that’s promising to chug along as normal by the end of the year.
So, what does that mean for organizations trying to stay secure? Not much right now. You might be able to rely on the NVD in October, but for now you still need to draw your vulnerability data from multiple sources.
