The federal agency that for much of the year has struggled to keep a detailed database of vulnerabilities up to date has caught up on its backlog of unanalyzed known exploited security flaws and is now processing all new bugs as they are submitted.
However, the National Institute of Standards and Technology (NIST) is still working to address the entire backlog of vulnerabilities.
In an update on the situation released this week, NIST – which had been hobbled by budget cuts early in the year – wrote that it now has a full team of analysts to handle the large volume of Common Vulnerabilities and Exposures (CVEs) streaming into its systems and is addressing all Known Exploited Vulnerabilities (KEVs) that were backlogged.
The news should come as a relief to the threat intelligence researchers and cybersecurity vendors that depend on the information in NIST’s National Vulnerability Database (NVD) when analyzing threats and programming their commercial vulnerability scanners and other tools.
However, the work to address the entire backlog of vulnerabilities is still ongoing. NIST noted that it wouldn’t be able to meet its goal of clearing all exploited and unexploited vulnerabilities by the end of the year, writing that its “initial estimate of when we would clear the backlog was optimistic.”
The agency’s problems began when Congress early this year cut its budget by almost 12%, with NIST officials saying days later that the decision likely would lead to delays in analyzing the vulnerabilities coming into the database. In April, they said they were prioritizing the most significant security flaws for analysis.
The reaction was swift, with dozens of cybersecurity professionals in April sending a letter to Congress and Commerce Secretary Gina Raimondo urging them to restore NIST’s funding, create a plan to improve its operations, and ensure its independence.
“NVD plays a vital role in the information supply chain for security vulnerability management worldwide,” they wrote. “Our community uses CVE information distributed by NVD to find, prioritize, and fix vulnerabilities in critical systems before attackers try to exploit them. Many organizations rely solely on NVD provided severity scores to prioritize vulnerabilities and align remediation timelines accordingly.”
As late as last month, the backlog was still a problem. Vulnerability intelligence firm VulnCheck noted that the backlog had at one point reached more than 18,000 vulnerabilities and wrote in May that 93.4% of new bugs had not been analyzed by NIST between February and May. As of September 21, the share of unanalyzed vulnerabilities stood at 72.4%.
To help address the backlog, NIST executives reached outside the agency for help and proposed a public-private consortium to analyze vulnerabilities as they are submitted. The Authorized Data Publishers (ADP) program was created to bring in qualified outsiders to help enrich the CVE data. CISA stepped in as an ADP to help NIST with the work.
VulnCheck wrote in September that “NVD’s embrace of CISA’s Vulnrichment as a data provider for CVSS enrichment has been a notable success.”
However, NIST executives said in the agency's update this week that the reason for the delay in clearing the entire backlog was a conflict between NIST's systems and those of the ADPs.
“The data on backlogged CVEs that we are receiving from Authorized Data Providers (ADPs) are in a format that we are not currently able to efficiently import and enhance,” they wrote. “To address this issue, we are developing new systems that will allow us to process incoming ADP data more efficiently.”
NIST in May also brought on cybersecurity firm Analygence as a contractor to help reduce the backlog.