Since February 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has encountered delays in processing vulnerabilities. This backlog, caused by factors such as software proliferation, budget cuts and changes in support, has significant implications for managed service providers (MSPs).

Budget cuts and increased vulnerabilities

NIST, an agency within the United States Commerce Department, saw its budget cut by nearly 12% this year. For over 20 years, the NVD has been a critical resource for cybersecurity experts, providing essential information such as severity scores, reference tags and vulnerability classifications. The increasing number of disclosed vulnerabilities, reaching 28,961 common vulnerabilities and exposures (CVEs) in the past year, underscores the challenges in software vulnerability management.

The challenge of CVE enrichment

CVE enrichment involves adding public information following the creation of a vulnerability number. While CVEs continue to be added to the NVD, many lack critical metadata necessary for effective patching, such as common platform enumeration (CPE) numbers, software product names and criticality scores (CVSS). This deficiency hinders the ability to efficiently identify, assess and mitigate vulnerabilities. Researchers at VulnCheck analyzed the NVD’s activity since the budget cut announcement on February 12 and found that out of 12,720 new vulnerabilities added since then, 11,885 have not been analyzed or enriched with essential data. Additionally, 82% of bugs with a public proof-of-concept exploit have not been examined, highlighting the severity of the situation.

Impact on MSPs

Software vulnerability management is a crucial component of cybersecurity. MSPs heavily depend on the NVD to identify, assess and mitigate vulnerabilities in their clients’ systems. With the NVD backlog, they have effectively lost a critical resource, as many vulnerability scanners and other management tools rely on the CPE entries set by the NVD to pinpoint and address security vulnerabilities affecting an organization’s systems.

Challenges posed by the backlog

The backlog presents several challenges for MSPs, including:

• Increased security risks: Without enriched data, MSPs struggle to identify new vulnerabilities promptly, increasing the risk of cyberattacks as threat actors exploit unpatched vulnerabilities.
• Inefficient vulnerability management: Enriched data provides crucial context about vulnerabilities, including exploitability, impact and remediation steps. The lack of this information forces MSPs to spend additional time and resources on manual research, slowing down the vulnerability management process.
• Compliance and regulatory challenges: Many industries have stringent compliance requirements that mandate timely vulnerability assessment and remediation. The absence of enriched NVD data complicates the compliance process, potentially leading to regulatory fines and reputational damage
• Increased operational costs: MSPs must invest more in alternative sources of vulnerability information or develop in-house enrichment capabilities. These additional costs can strain budgets and reduce profitability.
• Client dissatisfaction: Clients expect MSPs to provide prompt and effective security services. Delays and inefficiencies caused by the lack of enriched NVD data can lead to client dissatisfaction and loss of business.

Temporary fix: CISA Vulnrichment project

Acknowledging the concerns from the security community, the Cybersecurity and Infrastructure Security Agency (CISA) launched a new project in May, Vulnrichment. The goal of the program is to fill the void by adding Common Vulnerability Scoring System (CVSS) scores and other crucial information to help organizations improve their vulnerability management processes.

While the CISA initiative provides an interim solution, lawmakers argue that NIST should be fully funded to address the current issues. In the short term, CISA Vulnrichment will offer timely and comprehensive vulnerability data, enabling MSPs to identify and address new vulnerabilities more quickly, reducing the window of exposure to potential threats. This solution promotes cost efficiency by reducing reliance on costly vulnerability information sources, thus lowering operational costs and improving resource allocation. By delivering timely and effective vulnerability management services with enriched data, MSPs can enhance client trust and satisfaction, build stronger relationships and provide superior security solutions.