NIST taps Analygence to help fix vulnerability database backlog

MicrovOne/Getty Images

The standards agency has been unable to keep up with the inflow of system vulnerabilities being reported to its database.

The National Institute of Standards and Technology awarded Maryland cybersecurity firm Analygence with a $865,657 task order to help the Commerce Department agency fix a growing backlog in its signature national cyber vulnerabilities database.

The project is aimed at untangling the backlog of entries shelved in NIST’s National Vulnerability Database, which has not been updated for several months.

Analygence, which has frequently done business with the federal tech ecosystem, was previously awarded a contract with NIST to help the federal scientific standards body’s information security research.

Among multiple federal customers, the company has contracted with the Cybersecurity and Infrastructure Security Agency, as well as the Naval Air Warfare Center, according to federal market intelligence platform GovTribe — which is owned by Nextgov/FCW parent company GovExec.

The NVD database has been a cornerstone repository for cybersecurity researchers, who have used its contents and related vulnerability measuring tools to assess the dangers of potential cyber exploits. Analysts have often made use of the database’s severity score feature, which measures the acute effects of a vulnerability if a hacker takes advantage of it. 

Its contents have also been used to train machine learning models that can predict whether a software product contains a yet-to-be discovered vulnerability.

The logjam first surfaced in February without a clear explanation. NIST said at that time it would shift staff around and potentially engage the private sector for help on the matter. The agency is notably set to take an 8% budget cut for next year while being tasked to work on critical emerging tech and national security research.

An analysis out last week from VulnCheck said that some 93% of new vulnerabilities have not been analyzed by NVD since February 12.

“If someone who handles patch management for a network was relying on the NVD for their information, that list is likely outdated at this point, and instead, they need to visit each individual vendor to find out what vulnerabilities were recently disclosed in their products, and how large of a risk they present,” said an April Cisco Talos blog explaining potential consequences of the database congestion.

NIST expects the backlog to be cleared up by the end of year, the agency said in a May 29 status update on its site. 

“With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD,” it says. “NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation.”

Editor's note: This article has been updated to correct the task order amount.