Federal agency taps new contractor help with bug backlog
Illustration: Brendan Lynch/Axios
A federal agency overseeing a key national vulnerability database has brought on a new federal contractor to help clear the backlog of reports it needs to review.
Why it matters: The National Institute of Standards and Technology (NIST) has been struggling to keep up with its work on the National Vulnerability Database over the last four months — creating a massive backlog and worrying security practitioners.
- Vulnerability scanners and other cybersecurity products rely on this database to determine weak points on a company's network.
Driving the news: A NIST spokesperson told Axios Thursday that cybersecurity company Analygence has been awarded a contract to help the agency review and process incoming reports for security bugs to add to the database.
- On Wednesday, the agency posted an update to its website saying it planned to clear the backlog by the end of the current fiscal year, in September, with the help of this new contractor.
- The original statement did not say which company NIST was working with.
Zoom in: NIST awarded a new $865,000 task order to Analygence last week, according to procurement documents.
- Analygence was also awarded part of a contract in December to help support NIST's cybersecurity and privacy services, according to a press release. The company was selected out of a pool of 14 bidders.
- Procurement documents show that the same contract had a new task order added last week to include the new NVD work.
- Analygence COO Tom Peitler told Axios via email that the company is "looking forward to supporting NIST" on the NVD.
Catch up quick: The Cybersecurity and Infrastructure Security Agency unveiled a plan earlier this month to help NIST add enrichment data to the bugs that are reported.
- This process includes testing the vulnerabilities to see which ones could have widespread impact across critical infrastructure and other sectors.
- NIST's contract with Huntington Ingalls Industries — a shipbuilding contractor that continues to advertise its work on the database — ended on March 31, according to procurement documents.
Between the lines: NIST has said that it no longer has the resources needed to keep up with the influx of software bugs being reported.
Editor's note: This story has been corrected to note that NIST awarded Analygence an $865,000 task order (not a five-year, $125 million contract) and to say the company was one of three contract holders under that contract.
