The National Institute of Standards and Technology (NIST) has introduced a new policy regarding the prioritization of vulnerabilities listed in the National Vulnerability Database (NVD). Under this change, vulnerabilities cataloged before January 1, 2018, will be classified as “deferred,” signaling that NIST no longer plans to prioritize updates for these vulnerabilities. This shift in approach is a response to the growing number of vulnerabilities that need attention and the increasing pressure on NIST’s resources to manage them. Here’s a breakdown of what this change means for security professionals and organizations.
NIST’s New ‘Deferred’ Status: Key Takeaways
NIST has officially announced that all Common Vulnerabilities and Exposures (CVEs) published before January 1, 2018, will be marked with a “deferred” status in the National Vulnerability Database (NVD). This change aims to streamline the NVD and better allocate resources to current, active threats.
The NVD serves as a comprehensive database that tracks vulnerabilities in software and hardware products. CVEs are a critical part of the database, offering detailed information about security flaws. Until now, older vulnerabilities have continued to receive updates, even though many are less relevant today.
The new deferred status will be prominently displayed on CVE detail pages. According to NIST, this move will “indicate that we do not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE’s age.” In simpler terms, it signals that older vulnerabilities will no longer be updated regularly unless new, critical information surfaces.
Despite this change, NIST assured that the deferred status does not diminish the importance of these vulnerabilities. They emphasized that organizations should continue to address and remediate any outdated vulnerabilities within their network.
The decision to implement this system comes amid a significant increase in the number of vulnerabilities over recent years. Last year, NIST outlined plans to address a growing backlog of CVEs that have yet to be analyzed thoroughly. However, these efforts have been complicated by job cuts and a lack of resources, making it harder to keep up with the influx of vulnerabilities.
To maintain transparency, NIST will still accept requests for updates to CVE metadata, especially if compelling new information warrants an update. However, only the most severe or pertinent cases will be prioritized, based on the resources available.
Security experts, like Thomas Richards from Black Duck, stress that this administrative change should not lead organizations to ignore outdated vulnerabilities. While they may no longer be actively updated in the NVD, they still represent potential security risks that must be addressed.
What Undercode Says:
As the number of vulnerabilities continues to rise at an exponential rate, organizations and governmental bodies like NIST must adapt their approach to managing them. By shifting older CVEs to a deferred status, NIST is making a strategic decision to focus its resources on active vulnerabilities that could pose a more immediate threat. This move seems to be a necessary step given the increased workload NIST has faced with a massive backlog of unresolved issues.
It’s important to note that while the deferred status implies that older vulnerabilities will not be actively updated or enriched, it does not mean they are any less dangerous. Many legacy CVEs may still represent significant security threats, especially for organizations that have not yet mitigated them.
The deferred status also points to a larger issue in the cybersecurity landscape: resource constraints. NIST’s ability to keep up with vulnerabilities is hindered by budget cuts and a limited workforce. These systemic challenges reflect the broader difficulties faced by cybersecurity organizations in keeping pace with emerging threats.
This change will likely have a mixed reception. On the one hand, it could help NIST prioritize more relevant, current vulnerabilities. On the other hand, some organizations might feel that they’re being left to deal with old vulnerabilities without the necessary updates and support.
Ultimately, the responsibility falls on security teams within organizations to remain vigilant. As Thomas Richards from Black Duck highlighted, even though older vulnerabilities may not be actively tracked in the NVD, they should not be ignored. Vulnerabilities that are marked as deferred may still require patches and remediations. In this environment, proactive risk management will be key to staying ahead of potential threats.
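The practical consequence of the advice above is that a vulnerability-management pipeline must not treat the NVD “deferred” flag as a reason to down-rank a finding. The following is an added example, not code from the article, NIST or Black Duck: a small triage helper that labels findings published before the January 1, 2018 cutoff as NVD-deferred (the only fact taken from the article), keeps them in the remediation queue, and derives priority solely from severity and exposure. The finding format (`cve`, `published`, `cvss`, `reachable`), the priority bands, and the sample records with placeholder CVE identifiers are all constructed assumptions for illustration.

```python
"""Added example (not from the article or NIST): keep NVD-deferred CVEs in the
remediation queue instead of silently deprioritising them.

Assumptions (constructed, not from the page): scanner findings arrive as dicts
with 'cve', 'published' (ISO date), 'cvss' (base score) and 'reachable'
(whether the affected component is actually deployed). The cutoff date is the
one stated in the NIST announcement the article reports on.
"""
from dataclasses import dataclass
from datetime import date

# From the NIST announcement: CVEs published before this date are "deferred".
NVD_DEFERRED_CUTOFF = date(2018, 1, 1)


@dataclass(frozen=True)
class Finding:
    cve: str
    published: date
    cvss: float
    reachable: bool  # constructed attribute: affected component is deployed


@dataclass(frozen=True)
class TriageItem:
    cve: str
    priority: str       # "P1", "P2" or "P3" (constructed bands)
    nvd_deferred: bool  # True when NVD will not prioritise enrichment updates
    note: str


def is_nvd_deferred(published: date) -> bool:
    """CVEs published before the cutoff carry the NVD 'deferred' status."""
    return published < NVD_DEFERRED_CUTOFF


def priority_for(finding: Finding) -> str:
    """Priority is a function of severity and exposure only. Publication date
    is deliberately not an input, so an old (deferred) CVE is never
    down-ranked merely for its age."""
    if finding.reachable and finding.cvss >= 9.0:
        return "P1"
    if finding.reachable and finding.cvss >= 7.0:
        return "P2"
    return "P3"


def parse_finding(record: dict) -> Finding:
    """Convert one raw scanner record (constructed schema) into a Finding."""
    return Finding(
        cve=record["cve"],
        published=date.fromisoformat(record["published"]),
        cvss=float(record["cvss"]),
        reachable=bool(record["reachable"]),
    )


def triage(findings: list[Finding]) -> list[TriageItem]:
    """Return the full queue, highest priority first. Deferred findings are
    annotated so an analyst re-checks possibly stale NVD enrichment against
    the vendor advisory, but they are never dropped from the queue."""
    items = []
    for f in findings:
        deferred = is_nvd_deferred(f.published)
        note = (
            "NVD status deferred: enrichment may be stale, verify CVSS/CPE "
            "against the vendor advisory"
            if deferred
            else "NVD enrichment current"
        )
        items.append(TriageItem(f.cve, priority_for(f), deferred, note))
    order = {"P1": 0, "P2": 1, "P3": 2}
    return sorted(items, key=lambda i: (order[i.priority], i.cve))


# Constructed sample input; the CVE identifiers are obvious placeholders.
SAMPLE_RECORDS = [
    {"cve": "CVE-2016-EXAMPLE-A", "published": "2016-05-10", "cvss": 9.8, "reachable": True},
    {"cve": "CVE-2024-EXAMPLE-B", "published": "2024-03-02", "cvss": 7.5, "reachable": True},
    {"cve": "CVE-2017-EXAMPLE-C", "published": "2017-12-31", "cvss": 5.3, "reachable": False},
    {"cve": "CVE-2018-EXAMPLE-D", "published": "2018-01-01", "cvss": 8.1, "reachable": False},
]
SAMPLE_FINDINGS = [parse_finding(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for item in triage(SAMPLE_FINDINGS):
        flag = "DEFERRED" if item.nvd_deferred else "current "
        print(f"{item.priority} {flag} {item.cve}: {item.note}")
```

The design point is in `priority_for`: the deferred flag is recorded as metadata and surfaced in the note, but the ranking function never reads the publication date, so a pre-2018 CVE with a critical score on a reachable component still lands at the top of the queue.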
With the shift towards deferred status for older CVEs, it’s clear that NIST is attempting to refine its approach to vulnerability management, but it also highlights the increasing complexity of tracking and addressing cybersecurity risks. As organizations continue to navigate this evolving landscape, they will need to remain diligent in their efforts to protect their infrastructure from both new and old vulnerabilities.
Fact Checker Results:
- NIST’s decision to mark older CVEs as “deferred” aligns with the growing volume of vulnerabilities in the NVD and limited resources available for analysis.
- The deferred status does not affect the severity of older vulnerabilities, but it shifts the burden of responsibility for addressing them to organizations.
- Security experts agree that organizations should not ignore deferred vulnerabilities but continue to remediate them as needed.
References:
Reported By: www.darkreading.com