A National Institute of Standards and Technology (NIST) advisory board is urging the agency to scale and implement support for its national cyber vulnerability database to protect national security interests.
In a letter sent last month to NIST Director Laurie Locascio, the agency’s Information Security and Privacy Advisory Board (ISPAB) expressed concern that NIST’s National Vulnerability Database (NVD) is not “current and accurate” after the agency scaled the program back earlier this year.
The NVD is the official Federal data source for product vulnerabilities, their effects, severity, and remediation. The NVD is used by IT end user organizations, product and online service developers, and cybersecurity organizations across the world, according to the ISPAB.
The board warned that product vulnerabilities are likely to escalate, driven by the deployment of artificial intelligence and machine learning (AI/ML) technologies aimed at uncovering new weaknesses, with China also intensifying efforts to exploit these security gaps.
“The Board is concerned that US national security interests are challenged when the United States does not have a current and accurate record of vulnerabilities impacting United States critical infrastructure and consumers alike,” the letter states.
Last year NIST reported an all-time high of 33,137 common vulnerabilities and exposures (CVE) disclosures, a marked 318 percent increase from NVD’s launch in 2005, according to Flashpoint. At the time of writing, NVD has received 33,316 CVE reports so far this year.
After the program was scaled back to reshuffle and reprioritize its efforts earlier this year, NIST implemented some changes to NVD, including increasing the number of CVE Naming Authorities (CNAs) – which create NVD entries. It also increased aid from additional government and contractor staff at NIST, with “complementary efforts” by the Cybersecurity and Infrastructure Security Agency (CISA).
Additional efforts should be made to improve the NVD’s operations, the ISPAB said in its letter.
“The government must still exercise control to assure the completeness and accuracy of CNA-contributed information. Automation and perhaps the use of AI/ML to make this assurance scalable may be an effective option,” the letter said.
Recommendations the board provided include the continued supply of resources between NIST and CISA to support the NVD; establishing effective selection and quality assurance processes for CNA-contributed NVD entries, including training for CNAs; researching and testing automation for NVD quality assurance processes; and researching and engaging with the CNA community to anticipate future changes and impacts that NVD may undergo.
The letter noted that ISPAB will “continue to track the status of efforts on NVD” and will share future observations and recommendations with NIST.