The U.S. National Institute of Standards and Technology (NIST) has taken a big step to address the growing backlog of unprocessed Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD). The institute has hired an external contractor to contribute additional processing support in its operations. The contractor hasn't been named, but NIST said it expects that the move will allow it to return to normal processing rates within the next few months.

Clearing the National Vulnerability Database Backlog

NIST is responsible for managing entries in the NVD. After being overwhelmed with the volume of entries amid a growing backlog of CVEs that have accumulated since February, the institute has awarded an external party with a contract to aid in its processing efforts. "We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," the agency stated. To further alleviate the backlog, the NIST is also working closely with CISA, the Cybersecurity and Infrastructure Security Agency, to improve its overall operations and processes. "We anticipate that this backlog will be cleared by the end of the fiscal year," the NIST stated. In its status update, NIST referenced an earlier statement the agency made that it was exploring various means to address the increasing volume of vulnerabilities through the use of modernized technology and improvements to its processes. [caption id="attachment_73938" align="alignnone" width="2332"] Source: NIST NVD Status Updates[/caption] "Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance," the institute said. NIST reaffirmed its commitment to maintaining and modernizing the NVD, stating, "NIST is fully committed to preserving and updating this vital national resource, which is crucial for building trust in information technology and fostering innovation."

CISA's 'Vulnrichment' Initiative

In response to the growing NVD backlog at NIST, CISA had launched its own initiative called "Vulnrichment" to help enrich the public CVE records. CISA's Vulnrichment project is designed to complement the work of the originating CNA (Common Vulnerabilities and Exposures Numbering Authority) and reduce the burden on NIST's analysts. CISA said it would use an SSVC decision tree model to categorize vulnerabilities. The agency will consider factors like exploitation status, technical impact, impact on mission-essential functions, public well-being, and whether the exploitation is automatable. CISA welcomes feedback from the IT cybersecurity community on this effort. By providing enriched CVE data, CISA aims to improve the overall quality and usefulness of the NVD for cybersecurity professionals. "For those CVEs that do not already have these fields populated by the originating CNA, CISA will populate the associated ADP container with those values when there is enough supporting evidence to do so," the agency explained. As NIST and CISA work to address the current challenges, they have pledged to keep the community informed of their progress as well as on future modernization plans. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

NIST is receiving support to get the NVD and CVE processing back on track within the next few months.

The post NIST Getting Outside Help for National Vulnerability Database appeared first on SecurityWeek.

The funding cutbacks announced in February have continued to hobble NIST’s ability to keep the government’s National Vulnerabilities Database (NVD) up to date, with one cybersecurity company finding that more than 93% of the flaws added have not been analyzed or enhanced, a problem that will make organizations less safe. “With the recent slowdown of..

The post NIST Struggles with NVD Backlog as 93% of Flaws Remain Unanalyzed appeared first on Security Boulevard.

NIST has released version 2.0 of the Cybersecurity Framework:

The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.

[…]

The framework’s core is now organized around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.

The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. New adopters can learn from other users’ successes and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.

This is a big deal. The CSF is widely used, and has been in need of an update. And NIST is exactly the sort of respected organization to do this correctly.

Some news articles.

Apple announced PQ3, its post-quantum encryption standard based on the Kyber secure key-encapsulation protocol, one of the post-quantum algorithms selected by NIST in 2022.

There’s a lot of detail in the Apple blog post, and more in Douglas Stabila’s security analysis.

I am of two minds about this. On the one hand, it’s probably premature to switch to any particular post-quantum algorithms. The mathematics of cryptanalysis for these lattice and other systems is still rapidly evolving, and we’re likely to break more of them—and learn a lot in the process—over the coming few years. But if you’re going to make the switch, this is an excellent choice. And Apple’s ability to do this so efficiently speaks well about its algorithmic agility, which is probably more important than its particular cryptographic design. And it is probably about the right time to worry about, and defend against, attackers who are storing encrypted messages in hopes of breaking them later on future quantum computers.

The winner of the Best Paper Award at Crypto this year was a significant improvement to lattice-based cryptanalysis.

This is important, because a bunch of NIST’s post-quantum options base their security on lattice problems.

I worry about standardizing on post-quantum algorithms too quickly. We are still learning a lot about the security of these systems, and this paper is an example of that learning.

News story.