US government report slams NIST for NVD backlog

Summary

A US Commerce Department inspector general report criticizes NIST for its growing backlog of vulnerabilities in the National Vulnerability Database (NVD). The report cites a lack of strategic planning, duplicated efforts with CISA, and insufficient communication as key issues, while NIST points to budget cuts and an increased volume of vulnerabilities due to AI developments.

IFF Assessment

FOE

The article highlights systemic issues within a critical government vulnerability management system, potentially delaying the dissemination of vital security information to defenders.

Defender Context

The significant backlog in the NVD means that newly discovered vulnerabilities may not be publicly documented and actionable for defenders in a timely manner. This delay can leave systems exposed for longer periods, increasing the risk of exploitation. The article also points to the growing complexity of vulnerability discovery, partly driven by AI, which necessitates evolving processes for tracking and disseminating threat intelligence.
