Over the past year, the American National Institute of Standards and Technology (NIST) has undertaken significant initiatives to address the growing backlog of Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD). This backlog has been fueled by the increasing number of software vulnerabilities and the challenges of managing data at scale, and has led to a significant increase in the time between a CVE being published and being reviewed. That delay affects the CVSS score, the CPE assignment (the technologies, versions and configurations affected by the vulnerability), the description of the CVE, and any relevant reference links, and it harms a security team’s ability to effectively mitigate vulnerable assets.
In this blog, I’ll take a look at NIST’s efforts to address the backlog, examine why it’s still not sufficient and show why CTEM is perhaps a better answer to addressing an increasingly challenging cyber landscape.
Early 2024: Tackling the CVE Backlog Head-On
In early 2024, NIST took decisive action to address the growing backlog of newly published CVEs awaiting review and scoring. Recognizing the critical need to prioritize security, NIST reassigned staff internally to focus on reducing the CVE review backlog. This move aimed to prioritize the analysis of active and critical vulnerabilities, particularly those listed in the Known Exploited Vulnerabilities (KEV) catalog. By concentrating efforts on these high-impact vulnerabilities, NIST sought to mitigate immediate security risks and enhance the overall resilience of the cybersecurity landscape.
April 2024: Strengthening Partnerships and Expanding Capabilities
April 2024 marked a significant milestone for NIST as it formalized a $125 million partnership with cybersecurity firm Analygence. This collaboration was designed to bolster NIST’s data processing capabilities and streamline vulnerability workflows. Additionally, NIST announced partnerships with federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), to accelerate the analysis process and broaden the scope of vulnerability intelligence. These efforts were aimed at ensuring a more robust and efficient response to the ever-increasing volume of software vulnerabilities.
Mid-2024: Major Updates and Technological Advancements
NIST introduced several major updates to enhance the accuracy and efficiency of vulnerability assessments. One of the key updates was the adoption of the Common Vulnerability Scoring System (CVSS) version 4.0, which incorporates enhanced scoring models for vulnerabilities. This update aimed to provide more precise and reliable assessments of vulnerability severity.
Additionally, NIST released API 2.0, a significant upgrade that streamlined data access for cybersecurity tools, making it easier for security platforms to integrate with the NVD. These technological advancements were crucial in ensuring that vulnerability data was both accurate and accessible.
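The backlog described above is visible in the data itself: a CVE record that NIST has not yet analyzed carries a status such as "Awaiting Analysis" and lacks NVD-assigned CVSS and CPE data, while a CNA or ADP may already have supplied a score. The script below is an added example (not NIST's or XM Cyber's code) that builds an NVD API 2.0 query URL and triages a response into processed, backlog-but-scored-elsewhere and backlog-unscored records. The JSON is a constructed sample with placeholder CVE ids, written in the shape of the API 2.0 `/rest/json/cves/2.0` response as I understand its schema (`vulnerabilities[].cve` with `vulnStatus`, `metrics.cvssMetricV31` / `cvssMetricV40` and `configurations`); the CNA source address is likewise invented.

```python
"""Triage an NVD API 2.0 response: which CVEs still lack NIST analysis?

Added example, not NIST's or XM Cyber's code. The response below is a
constructed sample (placeholder CVE ids, not real NVD records) in the shape of
the NVD API 2.0 /rest/json/cves/2.0 response as I understand its schema.
"""
import json
from urllib.parse import urlencode

NVD_CVES_ENDPOINT = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# vulnStatus values in which NVD has not yet published its own CVSS/CPE data.
BACKLOG_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

# CVSS metric keys in order of preference (newest version first).
CVSS_KEYS = (("cvssMetricV40", "4.0"), ("cvssMetricV31", "3.1"), ("cvssMetricV30", "3.0"))


def build_query_url(last_mod_start: str, last_mod_end: str, results_per_page: int = 2000) -> str:
    """Build the GET URL for CVEs modified in a time window; no network call is
    made here. Dates use the API's ISO-8601 form, e.g. 2024-11-01T00:00:00.000."""
    params = {
        "lastModStartDate": last_mod_start,
        "lastModEndDate": last_mod_end,
        "resultsPerPage": results_per_page,
    }
    return f"{NVD_CVES_ENDPOINT}?{urlencode(params)}"


def best_cvss(cve: dict):
    """Return (version, baseScore, baseSeverity, source) for the newest CVSS
    metric present on the record, or None if it carries no CVSS at all."""
    metrics = cve.get("metrics", {})
    for key, version in CVSS_KEYS:
        for entry in metrics.get(key, []):
            data = entry["cvssData"]
            return version, data["baseScore"], data.get("baseSeverity"), entry.get("source")
    return None


def triage(response: dict) -> dict:
    """Split a response into records NVD has processed, backlog records that at
    least carry a third-party (CNA/ADP) score, and backlog records with nothing."""
    result = {"processed": [], "backlog_scored_elsewhere": [], "backlog_unscored": []}
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        status = cve.get("vulnStatus", "")
        cvss = best_cvss(cve)
        has_cpe = bool(cve.get("configurations"))   # CPE applicability data present?
        record = {"id": cve["id"], "status": status, "cvss": cvss, "has_cpe": has_cpe}
        if status in BACKLOG_STATUSES:
            bucket = "backlog_scored_elsewhere" if cvss else "backlog_unscored"
        else:
            bucket = "processed"
        result[bucket].append(record)
    return result


# Constructed sample response: placeholder ids (year 2099), not real NVD data.
SAMPLE_RESPONSE_JSON = """
{
  "resultsPerPage": 3, "startIndex": 0, "totalResults": 3,
  "vulnerabilities": [
    {"cve": {"id": "CVE-2099-00001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": true, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2099-00002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV40": [{"source": "cna@example.invalid", "type": "Secondary",
                 "cvssData": {"version": "4.0", "baseScore": 7.1, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-2099-00003", "vulnStatus": "Awaiting Analysis", "metrics": {}}}
  ]
}
"""


def triage_sample() -> dict:
    """Parse the embedded sample and triage it (offline)."""
    return triage(json.loads(SAMPLE_RESPONSE_JSON))


if __name__ == "__main__":
    print(build_query_url("2024-11-01T00:00:00.000", "2024-11-13T00:00:00.000"))
    for bucket, records in triage_sample().items():
        print(bucket, [(r["id"], r["cvss"], r["has_cpe"]) for r in records])
```

On the sample, the first record is processed, the second sits in the backlog with only a CNA-supplied CVSS 4.0 score and no CPE data, and the third has nothing to act on yet; a scanner that keys only on NVD-assigned scores would see the last two as unscored. Replace the embedded JSON with the body of a real API 2.0 call to run it against live data.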
November 2024: Substantial Progress and Ongoing Efforts
According to the latest update from NIST NVD, as of November 13, 2024, significant strides have been made in reducing the backlog of Common Vulnerabilities and Exposures (CVEs). NIST NVD says in their update that they now have a full team of analysts on board, they are efficiently processing all incoming CVEs, and have successfully cleared the backlog of Known Exploited Vulnerabilities (KEVs).
But despite initial optimistic estimates, NIST NVD has shared that it is still grappling with data formats from Authorized Data Providers (ADPs), which require the development of new systems for more efficient processing and for ensuring the integrity of incoming ADP data.
“Context is King” (Why CVSS Alone Falls Short)
The NVD team is clearly working hard to fill CVE scoring gaps. And while CVSS is the unquestioned consensus among security teams and provides a valuable framework for assessing vulnerability severity, it has inherent limitations: CVSS scores are calculated from generalized metrics and don’t account for organization-specific factors, such as an enterprise’s architecture or the importance of particular assets.
CVSS does not show how a vulnerability might be exploited in the context of a broader attack path, which limits its utility for comprehensive risk assessment. Questions that are often raised but can never be answered from CVSS alone include: “Can this CVE be exploited by an attacker trying to move laterally towards the organization’s most sensitive database?” and “Can an attacker escalate privileges using that CVE to reach one of our critical assets?”
These gaps play a key role in why many organizations adopt Gartner’s Continuous Threat Exposure Management (CTEM) framework. CTEM emphasizes prioritizing risks based on their potential impact, factoring in an organization’s unique environment context.
For example, when two assets carry two different CVEs both ranked “High”, a security team is ultimately required to “judge” which asset to patch first. Knowing that one vulnerable asset can potentially let an attacker progress toward a business-critical operational asset (while the other can’t) is like a superpower in the hands of the security team. To get there, mature organizations add another “layer” on top of the CVSS score and are then able to focus on what matters most, which cuts workloads and reduces the MTTR (Mean Time to Remediate) KPI.
The Bad News – It’s Just the Tip of the Iceberg
While security teams rely on vulnerability patching, keep in mind that CVEs aren’t the only thing to look for in your security program. A recent XM Cyber study found that 80% of security exposures stem from misconfigurations rather than CVEs. This emphasizes the importance of addressing all exposure types, not just vulnerabilities listed in the NVD. Surprisingly, according to this research, only 1% of exposures are CVEs exploited for Remote Code Execution (RCE).
Don’t Boil the Ocean, Just Heat the (Critical) Swamp
What defenders need is to prioritize vulnerabilities within the broader context of attack scenarios; they need to know how attackers might navigate through vulnerabilities and misconfigurations to compromise critical assets. These insights will enable them to focus their efforts on exposures that pose the most significant risk.
They also need to be able to prioritize threats based on their proximity to “crown jewels,” ensuring resources are directed toward safeguarding the most critical systems. Moreover, they shouldn’t just assess CVEs — they should include misconfigurations, lateral movement risks, and identity vulnerabilities to provide a full picture of an organization’s attack surface.
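The “another layer over the CVSS score” idea from the Context is King section and the crown-jewel proximity and non-CVE exposure types called for here can be shown in one small model. The script below is an added example, not XM Cyber’s product logic: it builds a directed asset graph (an edge means an attacker who controls the source can plausibly reach the destination), computes each asset’s hop distance to the nearest crown jewel with a reverse breadth-first search, and ranks exposures by severity scaled by that proximity. The graph, the two “High” CVEs (placeholder ids), the misconfiguration, its assumed 0–10 severity and the weighting formula are all constructed for illustration.

```python
"""Rank exposures by attack-path context, not CVSS alone.

Added example, not XM Cyber's product logic. The asset graph, the exposures,
the placeholder CVE ids and the weighting are all constructed/assumed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    id: str
    asset: str
    kind: str          # "cve" or "misconfiguration"
    severity: float    # CVSS base score for CVEs; an assumed 0-10 rating for misconfigurations


# Directed edges: src -> {dst} means an attacker controlling src can plausibly
# reach dst (network access plus a usable credential, trust or vulnerability).
ASSET_GRAPH = {
    "internet": {"web01"},
    "web01": {"app01"},
    "app01": {"db-prod"},
    "hr-laptop": set(),   # isolated: no onward path to anything critical
}
CROWN_JEWELS = {"db-prod"}

# Constructed findings. Both CVEs are "High" by CVSS; only one sits on a path.
EXPOSURES = [
    Exposure("CVE-2099-00010", "hr-laptop", "cve", 7.8),   # placeholder id
    Exposure("CVE-2099-00011", "web01", "cve", 7.5),       # placeholder id
    Exposure("MISCONFIG-app01-overprivileged-svc", "app01", "misconfiguration", 7.0),
]


def hops_to_crown_jewels(graph, crown_jewels):
    """Shortest hop count from each asset to the nearest crown jewel, via a
    reverse BFS from the crown jewels; assets with no path are absent."""
    reverse = {}
    for src, dsts in graph.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    dist = {cj: 0 for cj in crown_jewels}
    queue = deque(crown_jewels)
    while queue:
        node = queue.popleft()
        for pred in reverse.get(node, ()):
            if pred not in dist:
                dist[pred] = dist[node] + 1
                queue.append(pred)
    return dist


def contextual_score(exposure, dist):
    """Assumed weighting: severity divided by (1 + hops to a crown jewel);
    exposures with no path at all keep only 10% of their severity."""
    hops = dist.get(exposure.asset)
    if hops is None:
        return round(exposure.severity * 0.1, 2)
    return round(exposure.severity / (1 + hops), 2)


def cvss_only_order(exposures):
    """The queue a CVSS-only process produces: CVEs by base score, and the
    misconfiguration never appears because it has no NVD entry."""
    cves = [e for e in exposures if e.kind == "cve"]
    return [e.id for e in sorted(cves, key=lambda e: e.severity, reverse=True)]


def prioritize(exposures, graph, crown_jewels):
    """Return (exposure, contextual score) pairs, highest priority first."""
    dist = hops_to_crown_jewels(graph, crown_jewels)
    scored = [(e, contextual_score(e, dist)) for e in exposures]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(EXPOSURES))
    for exposure, score in prioritize(EXPOSURES, ASSET_GRAPH, CROWN_JEWELS):
        print(f"{score:5.2f}  {exposure.asset:10s} {exposure.kind:17s} {exposure.id}")
```

With CVSS alone, the 7.8 on the isolated laptop goes first and the misconfiguration is invisible; with the context layer, the over-privileged service one hop from the database tops the list, the 7.5 on the web tier follows because it starts a path to the crown jewel, and the isolated 7.8 drops to the bottom. The weighting here is deliberately simple; a real exposure-management system would also fold in exploitability, the KEV catalog and identity or lateral-movement findings as edges in the graph.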
Conclusion: NIST’s Efforts and the Path Forward
NIST’s commitment to resolving the CVE backlog is commendable, and its actions are essential for improving global cybersecurity. However, CVEs alone do not paint the full risk picture. For defenders, focusing solely on CVSS scores without considering context — such as attack paths and critical assets — can lead to inefficient and incomplete security measures.
XM Cyber’s combined Continuous Exposure Management and Vulnerability Risk Management solutions address these challenges, empowering organizations to protect critical assets effectively. By integrating vulnerability management with exposure analysis, defenders can take proactive measures to safeguard their environments, aligning with both NIST’s progress and the evolving threat landscape.