
NIST calls time on older vulnerabilities amid surging disclosures | Computer Weekly

News Room
Last updated: 2025/04/07 at 12:51 PM
News Room Published 7 April 2025

The United States’ national metrology institute, the National Institute of Standards and Technology (NIST), is to cease providing updates to tens of thousands of older common vulnerabilities and exposures (CVEs) held within its National Vulnerability Database (NVD).

In an announcement posted last week, the standards body said that every CVE with a published date prior to 1 January 2018 would now be marked as deferred within the NVD dataset.

“We are assigning this status to older CVEs to indicate that we do not plan to prioritise updating NVD enrichment or initial NVD enrichment data due to the CVE’s age,” NIST said in a statement.

NIST’s announcement comes as the organisation struggles to deal with a backlog of thousands of CVEs that need to be analysed and processed. At points last year, this backlog hit 18,000 records as new submissions surged by 32%. It has been exploring the use of new technologies, including machine learning, to try to automate its way out of its dilemma.

Like most other authorities on the matter, NIST expects that vulnerability submission volumes will continue to rise in 2025.

NIST said it would continue to accept and review requests to update the metadata it provides for its CVE records, and should new information come to light that indicates an update to said data is appropriate, it will “continue to prioritise” this work subject to time and resource availability.

It will also continue to prioritise any CVEs added to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerability catalogue, regardless of their age.

Tim Mackey, head of software supply chain risk at Black Duck, said: “While it may be concerning to see older CVEs, particularly those associated with prominent vulnerabilities, be triaged to a lower priority, the reality is that the CVE remains in the NVD with a recognition that updates to older CVEs are infrequent.

“For practical purposes, I would view any organisation that hasn’t patched or mitigated something now labeled as ‘Deferred’ as having an underperforming patch management or DevOps cybersecurity programme.

“Let’s make this event a call to action for Product Security Incident Response Teams to inventory all software and then triage all vulnerabilities with a Deferred status,” he said.

US cuts

In recent weeks NIST has additionally been subject to a series of cuts by the Department of Government Efficiency (DOGE), the new body led by Elon Musk that has been tasked with making thousands of redundancies across the federal government, and it is understood that it plans to fire 20% of the workforce at NIST’s parent, the Department of Commerce.

Last week, a number of US politicians pressed commerce secretary Howard Lutnick on these cuts and warned that they may threaten NIST’s work on developing standards and pose a danger to both industrial and consumer safety and security, as well as damaging American leadership and soft power on the global stage.

According to Computer Weekly’s sister title Cybersecurity Dive, CISA has lost at least 170 roles through DOGE’s cuts to the Department of Homeland Security (DHS), while many other staffers at the US’ national cyber agency – which was established by president Trump during his first term – have resigned amid cratering morale.
