
by Paul Barker

NIST is finally getting help with the National Vulnerability Database backlog

News
04 Jun 2024, 3 mins
Threat and Vulnerability Management, Vulnerabilities

NIST is paying Analygence $865,657 to help process incoming CVEs.


Maryland-based security firm Analygence has landed the job of helping the National Institute of Standards and Technology (NIST) reduce the mounting backlog of entries in the US National Vulnerability Database (NVD), an agency representative said Tuesday.

“I can confirm that Analygence, Inc. won a competitive task order for processing support for incoming CVEs for inclusion in the NVD. The base amount of that task order is $865,657,” NIST spokesman Rich Press said in an email. The contract, which took effect May 8, simply states that the firm will provide cybersecurity analysis and email support to NIST.

The award is part of a five-year, $125-million framework agreement (an indefinite delivery/indefinite quantity contract, in US federal government parlance) under which Analygence and two other companies provide support services to NIST.

The National Vulnerability Database maintained by NIST builds on Mitre’s Common Vulnerabilities and Exposures (CVE) list, adding its own analysis of each entry (CVSS severity scores, CWE weakness classifications and CPE identifiers for the affected products) and presenting the result in a form usable by SCAP (Security Content Automation Protocol) tooling. In theory the two lists are synchronized, but a growing backlog of CVEs has not yet been processed into the NVD, so tools that depend on NVD-supplied scores and product identifiers have nothing to match against for those entries.

In February it became apparent that the backlog was crippling the repository, and by last month it had reached crisis proportions, as CSO reported, prompting NIST to seek help from the private sector.

In a status update released on May 29, NIST said it had “awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.”

The update also stated that a “backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that this backlog will be cleared by the end of the fiscal year.”

The agency repeated earlier assertions that it is also working on “ways to address the increasing volume of vulnerabilities through technology and process updates. Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.”