{"id":180977,"date":"2026-01-23T11:16:00","date_gmt":"2026-01-23T16:16:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/23\/nist-is-rethinking-its-role-in-analyzing-software-vulnerabilities\/"},"modified":"2026-01-23T12:15:10","modified_gmt":"2026-01-23T17:15:10","slug":"nist-is-rethinking-its-role-in-analyzing-software-vulnerabilities","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/23\/nist-is-rethinking-its-role-in-analyzing-software-vulnerabilities\/","title":{"rendered":"NIST is rethinking its role in analyzing software vulnerabilities"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/nist-cve-vulnerability-analysis-nvd-review\/810300\/\">NIST is rethinking its role in analyzing software vulnerabilities<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/nist-cve-vulnerability-analysis-nvd-review\/810300\/\">https:\/\/www.cybersecuritydive.com\/news\/nist-cve-vulnerability-analysis-nvd-review\/810300\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-23 11:16:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>The National Institute of Standards and Technology is reevaluating its role in analyzing software vulnerabilities as it tries to meet skyrocketing demand for vulnerability analysis and reassure partners about the government\u2019s continuing commitment to the program that catalogs those flaws.<br \/>\n\u201cWe\u2019ve been doing more and more thinking about the [National Vulnerability Database] and, strategically, how we\u2019re planning on moving forward,\u201d Jon Boyens, the acting chief of NIST\u2019s Computer Security Division, told members of the agency\u2019s Information Security and Privacy Advisory Board during a quarterly meeting on Thursday.<\/p>\n<p>NIST\u2019s strategic review of the NVD \u2014 which adds detailed information to flaws listed in the federally funded Common Vulnerabilities and Exposures catalog \u2014 comes as cybersecurity experts increasingly question the government\u2019s role in managing the CVE ecosystem. NIST for years has been unable to keep up with the flood of vulnerabilities requiring analysis, and a 2025 controversy over a near-lapse in government funding for the CVE catalog intensified concerns about the fate of a critical cybersecurity resource.<br \/>\n\u201cWe\u2019ve been kind of caught on our heels for the last year and a half,\u201d Boyens, whose division manages the NVD, told board members on the second day of their quarterly meeting.<br \/>\nFor years, Boyens said, vulnerabilities have been arriving in the database much more quickly than NIST can analyze them and provide detailed information about them, a process the agency calls \u201cenrichment.\u201d That work is \u201cvery labor-intensive\u201d and \u201cnot scalable to the amount of CVEs that we&#8217;re getting in there,\u201d Boyens explained. \u201cWe\u2019re fighting a losing battle. 
We recognize that.\u201d<br \/>\nTriaging flaws<br \/>\nTo solve this problem, NIST will begin prioritizing which vulnerabilities it enriches based on several factors, including whether a vulnerability appears in the Cybersecurity and Infrastructure Security Agency\u2019s Known Exploited Vulnerabilities catalog, whether it exists in software that federal agencies use and whether it exists in software that NIST defines as critical.<br \/>\n\u201cAll CVEs aren\u2019t equal,\u201d Boyens said. \u201cWe\u2019re in the process of defining that prioritization. We\u2019ve had an informal prioritization for a while. We want to formalize it now.\u201d<\/p>\n<p>NIST is also trying to shift expectations around enrichment by discouraging the use of the word \u201cbacklog\u201d for unenriched vulnerabilities. \u201cWe\u2019ll have to find another term,\u201d Boyens said. \u201cI don\u2019t think it serves our mission or our stakeholders to try to go back and enrich every CVE that is out there or that has ever been submitted.\u201d<br \/>\nShifting responsibility<br \/>\nAt the same time, NIST is reconsidering its role in the vulnerability analysis ecosystem. 
The agency intends to publish a strategy and implementation plan to guide this review, and once it gets hiring authority from the Trump administration, it will hire a program manager to lead the process.<br \/>\nAs part of the review, NIST will engage with its partners \u2014 other agencies, private companies, and independent researchers \u2014 to understand how they use the NVD and what kinds of information they want it to provide.<br \/>\n\u201cA lot of the things that we enrich the CVEs with, we\u2019ve been doing, but we actually don&#8217;t have an understanding if those are really useful,\u201d Boyens said.<br \/>\nThe review, he said, will involve \u201cboth finding out what the broader community needs and then where NIST fits in that ecosystem.\u201d<br \/>\nNIST\u2019s goal is to transfer the vulnerability-enrichment work to the CVE Numbering Authorities (CNAs), which validate CVEs and assign them unique identifiers. But before that can happen, Boyens said, NIST needs to write guidance for the CNAs on how to do enrichment.<br \/>\nWhen NIST finally transfers that work to the CNAs, Boyens said, it will represent \u201ca large reset\u201d for the agency, which has analyzed vulnerability data for more than 20 years. The NVD program has always been an outlier within NIST\u2019s cybersecurity portfolio, which consists mostly of research and standards-setting activities rather than operational projects.<br \/>\n\u201cOur foundation is research, development, and moving [the] application [of technology] out to the broader marketplace,\u201d Boyens said. 
\u201cThe operational side, we\u2019ve found very costly and outside of our bailiwick.\u201d<br \/>\n\u201cWe want to get back to what NIST\u2019s core functions are,\u201d he added.<br \/>\nCollaboration or competition?<br \/>\nDuring Thursday\u2019s meeting, advisory board members asked Boyens about other vulnerability-analysis projects that have sprung up in the wake of the near-collapse of the CVE program.<br \/>\nCISA, which funds the CVE database, has tried to demonstrate its commitment to the issue by launching its own \u201cVulnrichment\u201d project. But Boyens sounded skeptical of that effort, telling board members, \u201cI don&#8217;t think it\u2019s a solution to the [NVD] backlog. I think we\u2019ve found that there\u2019s some duplicative efforts there.\u201d NIST and CISA staff are planning to meet in the coming days to \u201cdo a better job of coordination,\u201d he added.<br \/>\nBoyens also expressed concern about a new European vulnerability database, the Global CVE Allocation System (GCVE), which launched in response to concerns about the U.S.-funded system. NIST plans to meet with GCVE\u2019s operators \u201cto make sure that we\u2019re not balkanizing the entire process throughout the community,\u201d Boyens said.<br \/>\nMeanwhile, the Commerce Department\u2019s inspector general is still auditing the NVD in response to concerns about the backlog. 
Boyens expressed hope that the audit, which he said had taken up \u201ca lot of our time,\u201d would \u201cbe concluding shortly.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>NIST is rethinking its role in analyzing software vulnerabilities https:\/\/www.cybersecuritydive.com\/news\/nist-cve-vulnerability-analysis-nvd-review\/810300\/ Publish Date: 2026-01-23 11:16:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":180978,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/QNuO-fBp-E46tGD-XdI8kD2lg-5dyimByXNTt8i6Bo8\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9OSVNUX2NhbXB1c19zaWduLmpwZw==.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[33,24,27],"class_list":["post-180977","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-computer-security","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/180977"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=180977"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/180977\/revisions"}],"predecessor-version":[{"id":180979,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/180977\/revisions\/180979"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/180978"}],"wp:atta
chment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=180977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=180977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=180977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}