NIST on Wednesday shared an update on its progress in clearing the CVE backlog in the National Vulnerability Database (NVD) and explained why it was not able to meet a self-imposed deadline.
NIST revealed in February that delays should be expected in the analysis of CVE identifiers in the NVD as it was working on improving the program.
Over the next few months, the backlog reached over 18,000 vulnerabilities, but NIST announced in late May that it had awarded a contract to Analygence for additional processing support for the NVD. It also said that it expected to clear the entire backlog by the end of the fiscal year (September 30).
However, vulnerability management firm VulnCheck reported in late September that 72% of the over 18,000 CVEs had yet to be analyzed, compared to 93% on May 19. Nearly half of the known exploited vulnerabilities (KEV) had also yet to be analyzed.
In an update shared on Wednesday, NIST said it now has a full team of analysts on board and they are able to analyze all CVEs as they come in. The agency said the entire KEV backlog has been addressed.
However, NIST admitted that its initial estimate of September 30 for clearing the entire backlog was optimistic.
“This is due to the fact that the data on backlogged CVEs that we are receiving from Authorized Data Providers (ADPs) are in a format that we are not currently able to efficiently import and enhance,” the agency explained. “To address this issue, we are developing new systems that will allow us to process incoming ADP data more efficiently.”
NIST has not shared any estimate on when it expects the entire backlog to be cleared, but the agency promised to continue sharing updates on its progress.