Vulnerability Management Experts Warn of Potential Supply Chain Security Crisis

A group of cybersecurity professionals has raised concerns about ongoing issues within the US National Vulnerability Database (NVD) that could lead to a major supply chain security crisis. In an open letter sent to US Secretary of Commerce Gina Raimondo and members of Congress, 50 experts highlighted the need to address issues with the NVD and to support the National Institute of Standards and Technology (NIST) in modernizing the program.

The letter, titled “A cybersecurity crisis in waiting: On the Need to Restore and Enhance Operations with the National Vulnerability Database,” urges Congress to investigate the problems with the NVD, assist NIST in restoring vulnerability enrichment, and aid in the modernization of the NVD program.

Concerns arose in early March when security researchers noticed a significant drop in vulnerability enrichment data uploads on the NVD website starting in mid-February. While vulnerability entries continued to be added to the database, many were not fully analyzed, leading to crucial metadata about CVEs not being included.

According to data from NIST, only 4,398 of the 10,826 CVEs received this year have been analyzed. The issues appear to stem from a lack of resources, both funding and staff.

In response to these challenges, NIST launched an industry consortium in late March to support the future running and funding of the NVD program. The signatories of the open letter emphasized the need to prioritize resolving the current NVD backlog to prevent any detrimental impact on the security researcher community and organizations worldwide.

The letter also outlined three immediate actions that Congress should take to support NIST:

– Investigate ongoing issues with the NVD
– Ensure NIST has the necessary resources to restore operations immediately
– Lay the groundwork for critical improvements to the service

To achieve these goals, the signatories provided several recommendations, including implementing stopgap processes for the NVD, establishing a plan to improve NVD processes, investigating NIST’s lack of transparency regarding operations, and ensuring sustained funding for NVD operations.

The signatories of the open letter represent individuals from various sectors, including tech giants like Google, open-source organizations like OpenSSF, and security vendors such as Chainguard, VulnCheck, and Okta. The experts emphasized the importance of maintaining the independence of the NVD while encouraging collaboration with industry stakeholders to address the shortcomings in the program.

Fabio

Full Stack Developer
