In our latest Distilling Cyber Policy podcast episode, Alex Botting and Jen Ellis from the Center for Cybersecurity Policy & Law are joined by John Banghart, Senior Director at Venable LLP, and Kent Landfield, a founding member of the Common Vulnerabilities and Exposures (CVE) program and bona fide cybersecurity industry veteran. Their discussion delves into the latest developments and ongoing debate around the National Vulnerability Database (NVD).
The NVD is a U.S. government repository of vulnerability data tasked with enriching the Common Vulnerabilities and Exposures (CVE) list, which is used to identify software vulnerabilities in the wild. The NVD augments the CVE list with additional information on each vulnerability, including a Common Vulnerability Scoring System (CVSS) severity score, vulnerability types (known as Common Weakness Enumeration, or CWE) and applicability statements (known as Common Platform Enumeration, or CPE). Originally created in 1999, it gained its current name in 2005 and is maintained by the National Institute of Standards and Technology (NIST). The NVD is used by many vulnerability assessment and management tools to automate the discovery and remediation of security vulnerabilities affecting public and private organizations alike.
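To make the three enrichment layers concrete, the following added example (not from the podcast, the Center, or NIST) walks a small set of NVD-style CVE records and reports which of them carry a CVSS score, CWE classification and CPE applicability statement, and which are still unanalyzed. The record layout follows the NVD CVE API 2.0 JSON shape as the editor understands it (`cve.id`, `cve.vulnStatus`, `cve.metrics`, `cve.weaknesses`, `cve.configurations`); those field names are an assumption to check against the live schema, and the sample records and CVE identifiers are constructed placeholders.

```python
"""Classify NVD-style CVE records by how completely they have been enriched.

Added example. Field names follow the NVD CVE API 2.0 JSON layout as the
editor understands it (assumption, verify against the live schema). The
sample response below is constructed; the CVE identifiers are placeholders.
"""
import json

# Constructed sample: one fully enriched record and one still in the backlog.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-00001",            # placeholder identifier
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{"cvssData": {
                "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
            "configurations": [{"nodes": [{"cpeMatch": [{
                "vulnerable": True,
                "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-00002",            # placeholder identifier
            "vulnStatus": "Awaiting Analysis",  # no CVSS, CWE or CPE yet
        }},
    ]
})

# CVSS versions in the order we prefer to read them (assumed key names).
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def parse_nvd_response(raw: str) -> list[dict]:
    """Return the list of `cve` objects from an NVD API 2.0-style response."""
    return [entry["cve"] for entry in json.loads(raw).get("vulnerabilities", [])]


def enrichment_summary(cve: dict) -> dict:
    """Report which of the three NVD enrichment layers a record carries."""
    metrics = cve.get("metrics", {})
    cvss = None
    for key in CVSS_KEYS:
        if metrics.get(key):
            cvss = metrics[key][0]["cvssData"]["baseScore"]
            break

    # Weakness values include CWE ids and NVD's own "NVD-CWE-noinfo"/"Other".
    cwes = sorted({d["value"]
                   for w in cve.get("weaknesses", [])
                   for d in w.get("description", [])})

    # Applicability statements: every CPE match string across all nodes.
    cpes = [m["criteria"]
            for conf in cve.get("configurations", [])
            for node in conf.get("nodes", [])
            for m in node.get("cpeMatch", [])]

    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus"),
        "cvss": cvss,
        "cwes": cwes,
        "cpes": cpes,
        # Fully enriched means all three layers are present.
        "enriched": cvss is not None and bool(cwes) and bool(cpes),
    }


def unenriched_ids(records: list[dict]) -> list[str]:
    """IDs of records that lack at least one enrichment layer (the backlog)."""
    return [s["id"] for s in map(enrichment_summary, records) if not s["enriched"]]


if __name__ == "__main__":
    records = parse_nvd_response(SAMPLE_NVD_RESPONSE)
    for summary in map(enrichment_summary, records):
        print(summary)
    print("backlog:", unenriched_ids(records))
```

Run against a real API response, the same `unenriched_ids` check is a quick way to measure how much of a dependency list a scanner cannot yet score or match because the NVD has not enriched those CVEs.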
John and Kent tell the story of the NVD from its origins as a research-centric program through its growth into a global operation, and some of the more recent challenges it faces around efficiency and resourcing constraints. Jen and Alex dig into how to strategically address the NVD moving forward, especially given the backlog of vulnerabilities that has built up since February, totaling over 9,000 CVEs that remain unanalyzed. Please note that, since we recorded this episode, the Cybersecurity and Infrastructure Security Agency (CISA) announced the creation of ‘Vulnrichment’, a new project that aims to fill the CVE enrichment gap created by the NVD’s recent slowdown.
This week’s news segment features a brief recap of RSA (the world’s biggest cybersecurity conference), where the U.S. State Department released its first International Cyberspace and Digital Policy Strategy and CISA released its Secure by Design pledge. These international efforts build upon the discussion in our episode with GCHQ’s Shehzad Charania.
Jen also flags that the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act came into effect in April, and that the UK has open consultations on a code of practice for software vendors, and a code of practice for cybersecurity of AI. In lieu of our trivia segment, we are joined by the wonderful Steve Kelly of the Institute for Security and Technology to learn more about their Inaugural Cyber Policy Awards.
You can find the latest Distilling Cyber Policy episode on Spotify and Apple. As always, if you would like to submit cyber policy trivia, or have topic ideas for upcoming episodes, please email iaj01@venable.com.