NIST to transfer software vulnerability repository to industry consortium

The handover of certain aspects of managing the world’s most used software vulnerability repository from the US National Institute of Standards and Technology (NIST) to an industry consortium has been officially confirmed.

Since its inception in 2005, the US National Vulnerability Database (NVD) has been under NIST’s operation. However, as of April 2024, management responsibilities will transition to vetted organizations within the industry collective.

The announcement was made by Tanya Brewer, the NVD program manager, during the VulnCon cybersecurity conference, which was held in Raleigh, North Carolina, from 25-27 March 2024. It was hosted by the Forum of Incident Response and Security Teams (FIRST).

Speculation arose weeks prior to the official announcement amidst a noticeable decline in vulnerability enrichment data uploads on the NVD website starting mid-February, raising concerns about a possible shutdown. By early March, only a fraction of received Common Vulnerabilities and Exposures (CVEs) had been analysed by NIST, leaving over 4000 CVEs unattended since mid-February.

Given the NVD’s status as the foremost vulnerability database globally, this backlog posed significant challenges for the cybersecurity community and organisations reliant on it for updates and patches.

Tom Pace, CEO of NetRise, emphasised the impracticality of expecting the cybersecurity community to independently identify vulnerabilities across various software platforms overnight. Similarly, Dan Lorenc, CEO of Chainguard, underscored the importance of the NVD in vulnerability management and the risks posed by ineffective triaging.

To address the NVD backlog, security firms such as VulnCheck, Anchore, and RiskHorizon AI initiated projects aiming to offer alternatives to certain aspects of vulnerability disclosure traditionally handled by the NVD. Coinciding with these developments was the release of the Federal Risk and Authorization Management Program (FedRAMP Rev. 5), a US federal law requiring companies engaging with the federal government to use the NVD for vulnerability remediation.

Brewer acknowledged the challenges faced by the NVD, including budget constraints, contractual issues, and discussions regarding updating vulnerability standards during VulnCon. However, she assured stakeholders that efforts were underway to rectify the situation and enhance the NVD’s resilience. Additionally, plans for establishing an NVD Consortium to address program challenges and facilitate future developments were revealed. Prospective members would undergo a vetting process and collaborate under a Cooperative Research and Development Agreement (CRADA) with NIST.

Looking ahead, Brewer outlined plans to modernise NVD operations, including greater involvement of external partners, improvements in software identification, incorporation of new data types, and enhanced automation.

While Brewer’s address at VulnCon provided clarity and reassurance to some, criticism regarding the lack of transparency persisted among certain stakeholders. Nonetheless, the forthcoming collaborative approach and modernisation efforts are anticipated to strengthen the NVD’s effectiveness and industry collaboration in the long run.

At VulnCon, J’aime Maynard, consortia agreements officer at the Technology Partnership Office (TPO), shared the eligibility criteria for joining the NVD Consortium and the process to do so. In essence, interested parties must represent organisations, agree to the same Cooperative Research and Development Agreement (CRADA) with NIST, and acknowledge identical terms and risks. A membership fee is under consideration. Entities unable to sign a CRADA may still participate in the Consortium through an alternative agreement tailored to their circumstances. Each member will hold a seat on the steering committee, ensuring diverse representation and collaboration. The Consortium will be organised into various specialised working groups.

NIST plans to issue a Federal Register Notice delineating the primary objectives of the NVD Consortium, application procedures, and relevant NIST contacts. In the interim, parties keen on involvement can reach out via email at: nvd_consortium@nist.gov.