NIST Explains Why It Failed to Clear CVE Backlog

NIST says all known exploited CVEs in the backlog have been addressed, but admitted that clearing the entire backlog by October was optimistic.

NIST on Wednesday shared an update on its progress in clearing the CVE backlog in the National Vulnerability Database (NVD) and explained why it was not able to meet a self-imposed deadline.

NIST revealed in February that delays should be expected in the analysis of CVE identifiers in the NVD as it was working on improving the program.

There was a backlog of over 18,000 vulnerabilities over the next few months, but NIST announced in late May that it had awarded a contract to Analygence for additional processing support for the NVD. It also said that it expected to clear the entire backlog by the end of the fiscal year (September 30).

However, vulnerability management firm VulnCheck reported in late September that 72% of the over ...