
NIST Declares Pre-2018 CVEs Will Be Labeled as ‘Deferred’

The National Institute of Standards and Technology (NIST) has announced that all Common Vulnerabilities and Exposures (CVEs) with a publication date before January 1, 2018, will now be marked with a “Deferred” status within the National Vulnerability Database (NVD).

This policy shift, designed to focus NVD enrichment efforts on newer vulnerabilities, reflects the growing challenge of managing an increasing number of cybersecurity vulnerabilities.

Deferred Status

The deferred status will apply to CVEs published before 2018, indicating that NIST does not plan to prioritize updates to NVD enrichment or initial enrichment data for these records due to their age.

These records will now display a banner on their CVE detail pages, clearly communicating their deferred classification.

This decision was driven by the need to focus resources on the most relevant and critical vulnerabilities, particularly as the volume of new CVEs has surged.

NIST has clarified that while these older CVEs will not be actively updated, requests for updates to metadata on these records will still be accepted and reviewed.

Should new information surface that necessitates updates to a deferred CVE’s enrichment data, the NVD team will prioritize such requests as time and resources allow.

Notably, vulnerabilities designated as Known Exploited Vulnerabilities (KEVs) will be prioritized regardless of their deferred status.

Rising Challenges in Vulnerability Management

The announcement follows years of increasing pressure on NIST’s NVD operations.

According to updates provided by NIST, in 2024 alone, CVE submissions jumped by 32%, exacerbating an already growing backlog.

Despite processing incoming CVEs at pre-slowdown rates in early 2024, the sheer volume of new submissions has outpaced the system’s ability to keep up.

This underscores the need for process improvements and automation through machine learning to manage vulnerabilities efficiently.

NIST officials also highlighted the importance of the NVD in safeguarding the nation’s infrastructure. Given the rising threat landscape, prioritizing newer vulnerabilities is critical to ensuring the most impactful issues are addressed swiftly.

The transition to marking pre-2018 CVEs as “Deferred” will be implemented gradually over several nights to minimize disruptions.

NIST has also emphasized its ongoing efforts to modernize the NVD. These efforts include deploying machine learning technologies to automate processing tasks and updating system APIs to version 2.2.2 for enhanced functionality and stability.

Additionally, NIST is actively enhancing its collaborations with Authorized Data Publishers (ADPs) to provide richer metadata for CVE records and improve visibility into vulnerability details.

Plans are underway to retire and replace legacy data feeds with APIs reflecting updated data formats, further integrating modern standards like CVSS v4.0.

This decision signals a shift in cybersecurity data management strategies amidst the evolving threat landscape. NIST’s policy highlights the importance of resource prioritization while ensuring critical vulnerabilities continue to receive timely attention.

As NIST moves forward with efficiency improvements and modernization efforts, this transition aims to strike a balance between managing growing data volumes and preserving the integrity of the national cybersecurity database.

For organizations relying on the NVD, adapting to these changes will be essential to leveraging the database effectively. The deferred status offers transparency while allowing entities to focus their efforts on addressing newer, more relevant vulnerabilities.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
