NIST Deprioritizes Pre-2018 CVEs as Backlog Struggles Continue
NIST, hobbled by budget cuts, spent much of last year trying to manage a growing backlog in its database of known security flaws that threat intelligence researchers and cybersecurity vendors depend on when analyzing and addressing cyberthreats.
In November, the National Institute of Standards and Technology said it finally had caught up with the known vulnerabilities and was working on new ones. In March, the government agency said it was processing incoming CVEs at about the rate it had before the backlog problems began mounting in the spring of 2024.
However, in the update last month, NIST officials said that the number of CVE submissions in 2024 had grown by 32% and the “prior processing rate is no longer sufficient to keep up with incoming submissions. As a result, the backlog is still growing.”
“We anticipate that the rate of submissions will continue to increase in 2025,” they wrote. “The fact that vulnerabilities are increasing means that the NVD [National Vulnerability Database] is more important than ever in protecting our nation’s infrastructure. However, it also points to increasing challenges ahead.”
The plan is to improve the agency’s internal processes, including possibly using machine learning to automate some tasks, the officials added.
Older Vulnerabilities ‘Deferred’
This month, NIST took another step to address its growing challenges, saying that critical vulnerabilities submitted before 2018 are being marked as “deferred,” essentially put on the back burner to free up officials to spend more of their time with newer CVEs.
“We are assigning this status to older CVEs to indicate that we do not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE’s age,” the agency wrote. “CVEs marked as Deferred will display a banner on their CVE Detail Pages indicating this status. … We are doing this to provide additional clarity regarding which CVE records are prioritized.”
NIST will still accept and review requests to update the metadata sent in for the older CVE records and will prioritize them “as time and resources allow,” officials added.
After NIST announced the change, some 20,000 CVE entries were marked as deferred.
Shift in Managing Risk
The agency’s decision to deprioritize older vulnerabilities puts more responsibility on organizations to manage their own risks. Jonathan Luckett, a cybersecurity expert with the U.S. Secret Service and a University of Maryland professor, wrote on LinkedIn that the move “will definitely impact how orgs structure their vulnerability management programs especially those still operating legacy systems. While it makes sense to shift focus to newer threats, ‘deprioritized’ doesn’t mean ‘not dangerous.’ Risk-based prioritization just got even more important.”
Ken Dunham, cyberthreat director at Qualys’ threat research unit, said that given the rapid rise in the number of CVEs being reported, NIST’s decision shouldn’t come as a surprise.
“Organizations should take this action by NIST as an indicator of the challenge to manage and prioritize their own risk, especially for high-value assets and any assets with increased exposure to attack surface,” Dunham said. “Exploitation often occurs amongst more moderate and older vulnerabilities still in production, requiring more complex patching priorities for organizations to manage vulnerability risk ranging from zero-days and emergent risk to long-term likely exploitation from persistent actors.”
Aggressive Patch Management Needed
While it may be worrying that NIST is reducing the prioritization of some older CVEs, organizations should recognize that many of them remain on the list because updates to older vulnerabilities are infrequent, said Tim Mackey, head of software supply chain risk strategy at cybersecurity firm Black Duck.
“For practical purposes, I would view any organization who hasn’t patched or mitigated something that is now labeled as ‘Deferred’ as having an underperforming patch management or DevOps cybersecurity program,” Mackey said. “Let’s make this event a call to action for PSIRT [product security incident response] teams to both inventory all software and then triage all vulnerabilities with a ‘Deferred’ status.”
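A simple way to act on that call to action is to join the NVD record status against a software inventory and rank findings so that "Deferred" records are surfaced rather than silently dropped. The following is an added example, not code from the article, from NIST or from any vendor quoted here. It assumes a simplified NVD-API-2.0-like record shape (the field name `vulnStatus` and the value `Deferred` are assumptions to verify against the live API), uses placeholder CVE IDs and a constructed inventory, and applies an illustrative exposure weighting of its own; the scoring rules are a starting point, not a standard.

```python
from dataclasses import dataclass, field

# Constructed sample records in a simplified NVD-API-2.0-like shape.
# "vulnStatus" / "Deferred" are assumptions about the live record shape,
# and the CVE IDs are placeholders, not real CVEs.
SAMPLE_CVES = [
    {"id": "CVE-2016-SAMPLE1", "vulnStatus": "Deferred", "baseScore": 9.8,
     "products": ["example:legacy-appserver"]},
    {"id": "CVE-2017-SAMPLE2", "vulnStatus": "Deferred", "baseScore": None,  # never enriched
     "products": ["example:legacy-appserver"]},
    {"id": "CVE-2024-SAMPLE3", "vulnStatus": "Analyzed", "baseScore": 7.5,
     "products": ["example:webproxy"]},
    {"id": "CVE-2025-SAMPLE4", "vulnStatus": "Awaiting Analysis", "baseScore": None,
     "products": ["example:webproxy"]},
    {"id": "CVE-2015-SAMPLE5", "vulnStatus": "Deferred", "baseScore": 5.3,
     "products": ["example:unused-tool"]},  # not in our inventory
]

# Constructed software inventory: product identifier -> asset attributes.
INVENTORY = {
    "example:legacy-appserver": {"internet_facing": True},
    "example:webproxy": {"internet_facing": True},
    "example:internal-db": {"internet_facing": False},
}

# Conservative placeholder score for records with no CVSS base score at all
# (common for Deferred entries that were never enriched). Assumption, tune locally.
UNSCORED_DEFAULT = 7.0
EXPOSURE_WEIGHT = 1.5  # illustrative multiplier for internet-facing assets


@dataclass
class Finding:
    cve_id: str
    product: str
    status: str
    priority: float
    notes: list = field(default_factory=list)


def triage(cves, inventory, unscored_default=UNSCORED_DEFAULT):
    """Match CVE records to inventoried products and rank them for remediation.

    Deferred records are kept and annotated: the article's point is that
    "deprioritized" by NVD does not mean "not dangerous" for the organization.
    """
    findings = []
    for rec in cves:
        for product in rec["products"]:
            asset = inventory.get(product)
            if asset is None:
                continue  # product not in our estate; nothing to remediate
            notes = []
            score = rec.get("baseScore")
            if score is None:
                score = unscored_default
                notes.append("no CVSS base score; manual review required")
            priority = score
            if asset["internet_facing"]:
                priority *= EXPOSURE_WEIGHT
                notes.append("internet-facing asset")
            if rec["vulnStatus"] == "Deferred":
                notes.append("NVD Deferred: enrichment will not be updated; do not treat as closed")
            findings.append(Finding(rec["id"], product, rec["vulnStatus"],
                                    round(priority, 1), notes))
    # Highest priority first; Python's sort is stable, so ties keep input order.
    findings.sort(key=lambda f: f.priority, reverse=True)
    return findings


def deferred_count(findings):
    """Number of findings whose NVD status is Deferred (useful as a PSIRT metric)."""
    return sum(1 for f in findings if f.status == "Deferred")


if __name__ == "__main__":
    results = triage(SAMPLE_CVES, INVENTORY)
    for f in results:
        print(f"{f.priority:>5}  {f.cve_id:<20} {f.status:<18} {f.product}  | {'; '.join(f.notes)}")
    print(f"Deferred findings still open: {deferred_count(results)}")
```

The key design choice is that a missing CVSS score on a Deferred record raises a finding with a conservative default and a manual-review note instead of being ignored; when fed real NVD output, replace the constructed lists with records fetched from the API and the inventory with the organization's actual asset data.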