The National Institute of Standards and Technology has awarded a five-year, $125 million contract to Maryland-based cybersecurity firm Analygence Inc. to help fix a growing backlog in the Commerce Department's flagship national cyber vulnerability database.
The project aims to clean up the backlog of entries stored in NIST's National Vulnerability Database, which hasn't been updated in months.
Analygence, which frequently works with the federal tech ecosystem, previously signed a contract to support information security research for the federal scientific standards organization NIST.
The company has contracts with the Cybersecurity and Infrastructure Security Agency and the Naval Air Warfare Center, among several federal clients, according to GovTribe, a federal market intelligence platform.
The NVD is a foundational repository for cybersecurity researchers, who use its contents and associated vulnerability measurement tools to assess the risk of potential cyberattacks. Analysts have frequently made use of the database's severity score feature, which measures the seriousness of the impact if a hacker were to exploit a vulnerability.
The content is also used to train machine learning models that can predict whether software products contain as-yet-undiscovered vulnerabilities.
The impasse first surfaced in February, without a clear explanation. NIST said at the time that it might redeploy staff or enlist the private sector on the issue. It's worth noting that the agency is tasked with addressing critical emerging technology and national security research, while also facing an 8% budget cut in the coming fiscal year.
An analysis published last week by VulnCheck found that roughly 93% of new vulnerabilities had not been analyzed by the NVD since February 12th.
“If anyone responsible for network patch management relied on the NVD as a source of information, the list is likely out of date at this point and they should instead visit each vendor to find out what vulnerabilities have been recently disclosed for their products and how much risk they pose,” said an April blog from Cisco Talos explaining the potential impact of a congested database.
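The VulnCheck figure and the Talos advice above both turn on one distinction: an entry NIST has received versus one it has actually enriched with a severity score. The script below is an added example, not code from the article, from NIST or from VulnCheck; it assumes the JSON shape of NIST's NVD API 2.0 records (a top-level `vulnerabilities` list whose items carry `cve.id`, `cve.published`, `cve.vulnStatus` and `cve.metrics`), and the sample feed, CVE ids and dates it contains are constructed. It separates scored entries from unscored ones published since a given cutoff so a patch-management team knows which CVEs still need to be checked against the vendor's own advisory.

```python
import json
from datetime import date, datetime

# Constructed sample in the shape of an NVD API 2.0 response (an assumption
# about the feed format). The CVE ids, dates and scores are made up.
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "published": "2024-03-01T10:00:00.000",
                 "vulnStatus": "Awaiting Analysis", "metrics": {}}},
        {"cve": {"id": "CVE-0000-0002", "published": "2024-01-20T10:00:00.000",
                 "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-0000-0003", "published": "2024-04-10T10:00:00.000",
                 "vulnStatus": "Undergoing Analysis", "metrics": {}}},
        {"cve": {"id": "CVE-0000-0004", "published": "2024-02-15T10:00:00.000",
                 "vulnStatus": "Received", "metrics": {}}},
        {"cve": {"id": "CVE-0000-0005", "published": "2024-03-05T10:00:00.000",
                 "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    ]
})

# Metric keys under cve.metrics that carry an NVD-assigned CVSS score.
CVSS_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def has_nvd_score(cve):
    """True if the record carries any CVSS metric block; an entry that is
    merely 'Received' or 'Awaiting Analysis' has an empty metrics object."""
    metrics = cve.get("metrics") or {}
    return any(metrics.get(key) for key in CVSS_KEYS)


def published_on(cve):
    # NVD timestamps look like 2024-03-01T10:00:00.000; the date part suffices.
    return datetime.strptime(cve["published"][:10], "%Y-%m-%d").date()


def triage_feed(feed_json, backlog_start):
    """Split entries published on or after backlog_start into scored and
    unscored ids, and report the unscored share of that window."""
    records = [item["cve"] for item in json.loads(feed_json)["vulnerabilities"]]
    recent = [cve for cve in records if published_on(cve) >= backlog_start]
    scored = sorted(cve["id"] for cve in recent if has_nvd_score(cve))
    unscored = sorted(
        (cve["id"], cve.get("vulnStatus", "unknown"))
        for cve in recent if not has_nvd_score(cve)
    )
    share = len(unscored) / len(recent) if recent else 0.0
    return {"scored": scored, "unscored": unscored, "unscored_share": share}


if __name__ == "__main__":
    # Feb 12 is the date from which VulnCheck counted unanalyzed entries.
    result = triage_feed(SAMPLE_FEED, date(2024, 2, 12))
    for cve_id, status in result["unscored"]:
        print(f"{cve_id}: no NVD score ({status}); check the vendor advisory")
    print(f"unscored share of entries since cutoff: {result['unscored_share']:.0%}")
```

The `vulnStatus` string is reported rather than used for the decision, because the presence of a CVSS block is what a scanner or risk model actually consumes; an entry can sit in "Undergoing Analysis" for a long time and still be useless for prioritization until that block appears.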
NIST expects the backlog to be cleared by the end of the year, the agency said in a status update on its website on May 29.
“NIST's 25-year history of providing vulnerability databases to users around the world and its lack of an enforcement or oversight role make it uniquely suited to manage the NVD,” the organization said. “NIST is committed to maintaining and modernizing this critical national resource that is essential to building and maintaining trust in information technology and fostering innovation.”