NIST Overhauls Software Vulnerability Management to Prioritized Approach
The U.S. National Institute of Standards and Technology (NIST) is comprehensively overhauling its software vulnerability management system into a 'prioritized management' framework. Instead of analyzing every vulnerability individually as before, it plans to focus on managing those with a high likelihood of being exploited in actual hacking attacks or those capable of causing significant damage. The measure is intended as an effective response to the recent surge in software vulnerability reports. NIST is modifying how it operates the National Vulnerability Database (NVD), transitioning to a 'prioritized management' system based on actual exploitability and impact. NIST is adjusting the NVD's vulnerability data enrichment strategy: rather than providing the same level of analysis for every CVE (Common Vulnerabilities and Exposures) as before, it will concentrate its analytical capacity on the most critical vulnerabilities. This reflects the difficulty a single central agency faces in coping with the deluge of reports driven by the spread of AI-based tools, and the reality that the vulnerabilities actually used in attacks are a very small subset of a rapidly growing total.
Going forward, NIST will prioritize vulnerabilities for focused management, including those listed in CISA's KEV (Known Exploited Vulnerabilities) catalog, vulnerabilities in products used by U.S. federal government and public sector agencies, and vulnerabilities in core software.
There are growing calls to shift the vulnerability management paradigm from 'count-centric' to 'risk- and context-centric.' The AI-induced surge in vulnerabilities calls the effectiveness of existing management methods into question. A transition to 'exploit-based and context-based management' is required: vulnerabilities are prioritized by whether attackers actually use them, how they relate to an organization's asset structure, and the potential damage from realistic attack scenarios. AI is at once a tool that accelerates attacks and one that discovers more vulnerabilities. It can also be used to combine vast vulnerability lists, asset information, and attack logs to determine which vulnerabilities are most dangerous for a given organization and in what order patches should be applied. Industry experts point out that as AI accelerates vulnerability 'discovery,' defense teams will struggle to keep pace unless they automate 'prioritization' and 'sorting' with AI as well.
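As an illustration of the exploit- and context-based ranking described above, the following added example (not code from NIST, the NVD, or this article) scores a constructed list of vulnerabilities by KEV membership, estimated exploitation likelihood, technical severity, and the exposure and criticality of the affected assets; the CVE identifiers, asset inventory, and weights are all assumed for the demonstration.

```python
from dataclasses import dataclass

# Constructed data: a hypothetical KEV-catalog excerpt and an organization's
# asset inventory. The CVE identifiers below are placeholders, not real entries.
KEV_CATALOG = {"CVE-0000-1111", "CVE-0000-3333"}

# asset name -> (reachable from the internet?, business criticality 1-5)
ASSETS = {
    "web-gateway": (True, 5),
    "hr-portal": (False, 3),
    "dev-laptop": (False, 1),
}

@dataclass
class Vuln:
    cve: str
    cvss: float             # technical severity, 0-10
    epss: float             # estimated probability of exploitation, 0-1
    affected_assets: list   # names from ASSETS that run the affected product

def priority_score(v: Vuln) -> float:
    """Rank by exploitation evidence and organizational context, not by count."""
    if not v.affected_assets:
        return 0.0          # not present in this environment: no patch action needed
    score = 0.0
    if v.cve in KEV_CATALOG:
        score += 100.0      # confirmed in-the-wild exploitation dominates everything else
    score += 50.0 * v.epss  # predicted exploitation likelihood
    score += 2.0 * v.cvss   # technical impact
    for name in v.affected_assets:
        exposed, crit = ASSETS.get(name, (False, 1))
        score += crit * (3 if exposed else 1)  # exposure multiplies asset criticality
    return score

def triage(vulns: list) -> list:
    """Return the patch queue, highest priority first."""
    return sorted(vulns, key=priority_score, reverse=True)

# Constructed sample: a high-CVSS finding on a laptop ranks below a lower-CVSS
# KEV entry on an internal system and a moderately exploitable internet-facing one.
SAMPLE_VULNS = [
    Vuln("CVE-0000-1111", 7.5, 0.2, ["hr-portal"]),
    Vuln("CVE-0000-2222", 9.8, 0.05, ["dev-laptop"]),
    Vuln("CVE-0000-3333", 5.0, 0.1, []),
    Vuln("CVE-0000-4444", 6.0, 0.6, ["web-gateway"]),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_VULNS):
        print(f"{v.cve}: {priority_score(v):.1f}")
```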
NIST's latest decision fundamentally questions the role the U.S. has played in public vulnerability infrastructure. While CVE and NVD remain the basic framework for vulnerability management, their position as the 'ultimate standard defining the meaning of global vulnerabilities in one place' is becoming unsustainable.