NIST Declares Pre-2018 CVEs Will Be Labeled as ‘Deferred’

The National Institute of Standards and Technology (NIST) has announced that all Common Vulnerabilities and Exposures (CVEs) with a publication date before January 1, 2018, will now be marked with a “Deferred” status within the National Vulnerability Database (NVD).

This policy shift, designed to optimize NVD enrichment efforts for newer vulnerabilities, reflects the growing challenges of managing increasing cybersecurity vulnerabilities.

Deferred Status

The deferred status will apply to CVEs published before 2018, indicating that NIST does not plan to prioritize updates to NVD enrichment or initial enrichment data for these records due to their age.

These records will now display a banner on their CVE detail pages, clearly communicating their deferred classification.

This decision was driven by the need to focus resources on the most relevant and critical vulnerabilities, particularly as the volume of new CVEs has surged.

NIST has clarified that while these older CVEs will not be actively updated, requests for updates to metadata on these records will still be accepted and reviewed.

Should new information surface that necessitates updates to a deferred CVE’s enrichment data, the NVD team will prioritize such requests as time and resources allow.

Notably, vulnerabilities designated as Known Exploited Vulnerabilities (KEVs) will be prioritized regardless of their deferred status.

Rising Challenges in Vulnerability Management

The announcement follows years of increasing pressure on NIST’s NVD operations.

According to updates provided by NIST, in 2024 alone, CVE submissions jumped by 32%, exacerbating an already growing backlog.

Despite processing incoming CVEs at pre-slowdown rates in early 2024, the sheer volume of new submissions has outpaced the system’s ability to keep up.

This underscores the need for process improvements and automation through machine learning to manage vulnerabilities efficiently.

NIST officials also highlighted the importance of the NVD in safeguarding the nation’s infrastructure. Given the rising threat landscape, prioritizing newer vulnerabilities is critical to ensuring the most impactful issues are addressed swiftly.

The transition to marking pre-2018 CVEs as “Deferred” will be implemented gradually over several nights to minimize disruptions.

NIST has also emphasized its ongoing efforts to modernize the NVD. These efforts include deploying machine learning technologies to automate processing tasks and updating system APIs to version 2.2.2 for enhanced functionality and stability.

Additionally, NIST is actively enhancing its collaborations with Authorized Data Publishers (ADPs) to provide richer metadata for CVE records and improve visibility into vulnerability details.

Plans are underway to retire and replace legacy data feeds with APIs reflecting updated data formats, further integrating modern standards like CVSS v4.0.

This decision signals a shift in cybersecurity data management strategies amidst the evolving threat landscape. NIST’s policy highlights the importance of resource prioritization while ensuring critical vulnerabilities continue to receive timely attention.

As NIST moves forward with efficiency improvements and modernization efforts, this transition aims to strike a balance between managing growing data volumes and preserving the integrity of the national cybersecurity database.

For organizations relying on the NVD, adapting to these changes will be essential to leveraging the database effectively. The deferred status offers transparency while allowing entities to focus their efforts on addressing newer, more relevant vulnerabilities.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!