Date: 2024-09-17

Budget cuts are partially responsible for CVE analysis issues. As noted by Security Magazine, NIST funding was cut by 12% this year, making it more difficult for the agency to enrich CVEs. In practice, the NVD is effectively a downstream consumer of CVE data — while the number of CVEs found and reported remains steady, NIST’s ability to assess and enrich these vulnerabilities has been significantly reduced.

The sheer number of reported vulnerabilities also poses a problem for analysis efforts; Flashpoint research found that NIST reported 33,137 vulnerabilities in 2023. In part, rising numbers are tied to improved detection capabilities. As companies expand security efforts with cloud-based technologies and AI-enabled tools, they’re better able to pinpoint potential threats. As a result, bigger numbers aren’t always indicative of increased risk, but they do speak to a growing number of potential attack paths.

NIST does have a plan to clear the backlog. According to USASpending.gov, the government has awarded a USD 860,000 contract to Analygence for cybersecurity analysis and email support. Analysis efforts were slated to start June 3, and NIST hopes to be back on track by September 2024. While the contract is slated to end as of December 2024, the agency has an option to extend services into July 2025.