The National Institute of Standards and Technology (NIST) has announced a significant change in its approach to cybersecurity vulnerabilities. All Common Vulnerabilities and Exposures (CVEs) published before January 1, 2018, will now be marked as ‘Deferred’ in the National Vulnerability Database (NVD). This decision aims to streamline resource allocation by indicating that older vulnerabilities will not be prioritized for updates, as they are considered to be well-documented and mitigated by routine patch management.
NIST stated, “All CVEs with a published date prior to 01/01/2018 will be marked as Deferred within the NVD dataset. We are assigning this status to older CVEs to indicate that we do not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE’s age.” A notification banner will be displayed on the CVE Details Pages of the affected vulnerabilities.
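As an added example (not from the article or from NIST), the following Python applies the stated cutoff to a vulnerability feed so a defender can see which tracked CVEs now fall under the Deferred status and which of them lack CVSS or CPE enrichment that the organization must now source elsewhere. It assumes the NVD API 2.0 record layout (`cve.id`, `cve.published`, `cve.vulnStatus`, `cve.metrics`, `cve.configurations`); the sample records are constructed.

```python
"""Triage CVE records against NVD's pre-2018 'Deferred' cutoff.

Added example; assumes the NVD API 2.0 record shape. Sample data is constructed.
"""
from datetime import datetime

# CVEs with a published date before this are marked Deferred in the NVD dataset.
DEFERRAL_CUTOFF = datetime(2018, 1, 1)

# Constructed sample records in NVD API 2.0 shape; not real NVD data.
SAMPLE_RECORDS = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2016-0001", "published": "2016-03-10T15:29:00.000",
                 "vulnStatus": "Deferred", "metrics": {}, "configurations": []}},
        {"cve": {"id": "CVE-2017-0002", "published": "2017-12-31T23:59:00.000",
                 "vulnStatus": "Deferred",
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 7.5}}]},
                 "configurations": [{"nodes": []}]}},
        {"cve": {"id": "CVE-2018-0003", "published": "2018-01-01T00:00:00.000",
                 "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
                 "configurations": [{"nodes": []}]}},
    ]
}


def is_deferred_by_age(published):
    """True when the NVD published timestamp predates 2018-01-01."""
    # NVD timestamps look like 2016-03-10T15:29:00.000; drop the fraction.
    return datetime.strptime(published[:19], "%Y-%m-%dT%H:%M:%S") < DEFERRAL_CUTOFF


def triage(feed, tracked):
    """Report, for each tracked CVE in the feed, whether it is deferred and
    which enrichment data (CVSS metrics, CPE configurations) is missing."""
    report = {}
    for item in feed.get("vulnerabilities", []):
        cve = item["cve"]
        if cve["id"] not in tracked:
            continue
        deferred = (is_deferred_by_age(cve["published"])
                    or cve.get("vulnStatus") == "Deferred")
        metrics = cve.get("metrics") or {}
        has_cvss = any(metrics.get(k)
                       for k in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"))
        has_cpe = bool(cve.get("configurations"))
        missing = [name for name, ok in (("cvss", has_cvss), ("cpe", has_cpe)) if not ok]
        report[cve["id"]] = {"deferred": deferred, "missing": missing}
    return report
```

Deferred entries with an empty `missing` list keep whatever enrichment they already had; entries flagged `missing` need scoring and affected-product data from a source other than NVD.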
This strategic pivot, expected to take place over several nights, will allow NIST to direct its resources towards emerging threats. Jason Soroko, Senior Fellow at Sectigo, commented that this decision minimizes noise and sharpens the focus on new exploits, while also placing the responsibility for legacy systems squarely on the organizations themselves.
Ken Dunham, Cyber Threat Director at Qualys, welcomed this reallocation of resources, emphasizing that managing vulnerabilities has become increasingly complex as organizations must deal with a wider array of applications and associated patches. The marking of older vulnerabilities as deferred signals the growing challenge organizations face in managing and prioritizing their own risks, especially for high-value assets exposed to attack.