Mar 26, 2024 - Technology

A top cyber research agency slowed work on crucial security database without warning

Illustration of an open door with binary code spilling out.

Illustration: Shoshana Gordon/Axios

The agency overseeing the country's most consequential security vulnerability database appears to have slowed much of its work without any warning.

Why it matters: The National Vulnerability Database, operated by the National Institute of Standards and Technology (NIST), provides key information for cyber defenders patching their networks against the latest security threats.

  • Without the database, vulnerability scanners lack the information needed to check if a reported security bug affects their networks.

Zoom in: In mid-February, NIST started slowing down its work on a popular vulnerability database without preemptively telling those who rely on it.

  • The agency quietly placed a notice on the database's website last month saying that it's working to "establish a consortium to address challenges" to the program and that users will "temporarily see delays in analysis efforts during this transition."
  • NIST has analyzed 199 vulnerabilities out of the 2,535 it has received so far this month, according to its own data.
  • That's a drop from the month before, when the agency reviewed 1,310 flaws out of the 2,749 received — or roughly 47% of reported vulnerabilities.

NIST and its partner organizations haven't said anything about what initiated this disruption, how long it will last, and who is on the consortium.

  • A NIST spokesperson did not provide a comment before publication.
  • And the Cybersecurity and Infrastructure Security Agency — which had a "sponsored" logo on the database's website up until September, according to screenshots on the Internet Archive — declined to comment and referred questions to NIST.

How it works: Security researchers go through a convoluted process, involving NIST, research lab Mitre and others, to get a vulnerability into the government's database.

  • Once a researcher finds a bug — whether through routine tests or just tinkering with a product on their own — they share the details with either Mitre or an approved CVE Numbering Authority (CNA).
  • Mitre or the CNA then assigns the vulnerability a standardized number as part of the international Common Vulnerabilities and Exposures (CVE) program. (Mitre also referred all questions to NIST.)
  • After appearing on the CVE list, NIST will independently test the new vulnerability, add it to the National Vulnerability Database, and publish a severity score alongside crucial details about how to find the flaw in a network.
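One defender-side check the process above implies, as an added example (not code from Axios, NIST or any vendor named here): given an NVD-format feed and the CVE ids from a scanner report, flag the findings that still lack NIST's severity score and affected-product data, so an audit note can say which ones are unassessed rather than guessing. The record layout follows the public NVD 2.0 API JSON; the feed contents and CVE ids are constructed placeholders.

```python
"""Flag which CVEs in a scan report the NVD has not yet enriched with a severity
score and affected-product (CPE) data. Added example, not Axios, NIST or vendor
code; the record shape follows the public NVD 2.0 API JSON, and the records and
CVE ids below are constructed placeholders, not real NVD data."""
import json

# Constructed NVD 2.0-style feed: one analyzed, one awaiting analysis, one rejected.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {
                 "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Rejected"}},
]})

def enrichment_status(cve):
    """'enriched' once NIST has attached CVSS metrics and a CPE configuration,
    'rejected' for withdrawn ids, otherwise 'unenriched' (still in the backlog)."""
    status = cve.get("vulnStatus", "")
    if status == "Rejected":
        return "rejected"
    if status in ("Analyzed", "Modified") and cve.get("metrics") and cve.get("configurations"):
        return "enriched"
    return "unenriched"

def triage(nvd_json, scanner_cve_ids):
    """Map each scanner finding to (state, CVSS base score or None); ids the
    feed does not contain at all are reported as 'missing'."""
    records = {v["cve"]["id"]: v["cve"] for v in json.loads(nvd_json)["vulnerabilities"]}
    result = {}
    for cve_id in scanner_cve_ids:
        rec = records.get(cve_id)
        if rec is None:
            result[cve_id] = ("missing", None)
            continue
        state = enrichment_status(rec)
        score = None
        if state == "enriched":
            score = rec["metrics"]["cvssMetricV31"][0]["cvssData"]["baseScore"]
        result[cve_id] = (state, score)
    return result

def needs_manual_note(result):
    """Findings an auditor must be told carry no authoritative NVD score yet."""
    return sorted(i for i, (state, _) in result.items() if state in ("unenriched", "missing"))
```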

Threat level: While defenders can turn to a few other tools to find data about bugs in open-source tools, there isn't an obvious alternative for data about flaws in private companies' products amid NIST's mysterious slowdown, experts warn.

What they're saying: "If the scanners are wrong or the CVEs are not properly assessed, none of this works," Nicolas Chaillan, founder of startup Ask Sage and former chief software officer for the Air Force and Space Force, told Axios.

Between the lines: Key federal cybersecurity requirements for government contractors depend on NIST's vulnerability severity scores.

  • Cloud vendors participating in the government's FedRAMP program have to report whether vulnerabilities in the NIST database affected them and if they've patched those bugs.
  • Dan Lorenc, CEO of Chainguard, told Axios many of his FedRAMP-participating customers have been flying blind when conducting their mandated monthly security audits.
  • "I've heard folks just adding an entry saying, 'We're doing our best, but we don't know because NIST isn't updating,' and just sending that to their auditors," Lorenc said.

The intrigue: NIST's contract with Huntington Ingalls Industries — a shipbuilding contractor that publicly advertises its work on the database — is set to end on March 31, according to procurement documents seen by Axios.

  • HII did not respond to a request for comment, and it's unclear if a new contract was signed or if another vendor is lined up.
  • Lawmakers recently approved a $1.46 billion budget for NIST for the current fiscal year, a nearly 12% decrease from the previous year.

Zoom out: The National Vulnerability Database was already facing several challenges before the slowdown started.

  • The cybersecurity industry has seen an overwhelming rise in the number of security bugs, Josh Bressers, vice president of security at Anchore, told Axios.
  • NIST and product vendors did not always agree with the severity score given to a bug either — creating some distrust in the program, Bressers added.

What's next: A NIST official is still scheduled to appear on a panel Wednesday at VulnCon to discuss the database.

  • Lorenc is currently drafting a letter he's sending to Congress next week advocating to increase NIST's budget.