Key Takeaways
- The Department of Commerce inspector general found that NIST’s management of the National Vulnerability Database (NVD) suffers from poor planning, operational inefficiencies, duplicated effort with CISA, and inadequate communication.
- A backlog of unprocessed security flaws grew from ~13,000 in June 2024 to over 27,000 by the end of 2025 after the enrichment contract lapsed in February 2024.
- NIST’s severity‑score calculations match independent assessments only ~12 % of the time, and most scores are already supplied by vendors, making much of the work redundant.
- Manual creation of standardized product identifiers consumes ~80 % of analysts’ time, slowing backlog reduction.
- CISA’s Vulnrichment program, launched May 2024, duplicated at least 21,000 NVD entries, wasting roughly $200 k.
- Over 50 cybersecurity professionals protested NIST’s lack of transparency in an open letter that went unanswered.
- NIST has narrowed the NVD’s focus to vulnerabilities in CISA’s KEV catalog, federal‑government software, and critical software under Executive Order 14028.
- The inspector general issued six recommendations—long‑term planning, backlog‑clearance goals, reducing unnecessary scoring, streamlining product‑identification, coordinating with CISA, and improving user communication—all accepted by NIST, which must submit an implementation plan by late July.
Overview of Report Findings
The Department of Commerce inspector general’s report, released Thursday, details systemic shortcomings in how the National Institute of Standards and Technology (NIST) manages the National Vulnerability Database (NVD). Auditors cite a lack of strategic planning, inefficient operational practices, duplicate work with another federal program, and a failure to keep users informed. These problems have allowed a growing backlog of unprocessed security flaws to persist, undermining the database’s value to government and private‑sector cybersecurity professionals who rely on it to prioritize patching efforts.
Role and Importance of the NVD
Since 2005, NIST has maintained the NVD as a central repository for information about computer security vulnerabilities. Each entry includes a description, severity rating (often using the CVSS scale), and a list of affected products. Cybersecurity analysts use this enriched data to triage threats, decide which patches to apply first, and allocate limited resources effectively. The database’s credibility hinges on timely, accurate enrichment; delays or inaccuracies can leave critical flaws unaddressed longer than necessary.
Backlog Growth and Missed Targets
The enrichment contract that funds the NVD’s value‑added work lapsed in February 2024, triggering a backlog that has only worsened. Auditors noted the backlog rose from roughly 13,000 unprocessed flaws in June 2024 to more than 27,000 by the close of 2025. NIST had publicly pledged in May 2024 to eliminate the backlog by September 2024, aiming to process 6,200 flaws per month—a target never met historically, as the agency’s highest monthly output had been about 5,000. The gap between promise and performance highlights a fundamental planning deficit.
Inefficiencies in the Enrichment Process
A core inefficiency lies in how NIST analysts enrich vulnerability records. Investigators found that analysts devote about 80 % of their time to two tasks: calculating severity scores and determining which products are affected. This heavy focus on manual enrichment creates a bottleneck that slows overall throughput. The inspector general’s office tested NIST’s severity scores against independent evaluators and found agreement only 12 % of the time, raising concerns about the reliability and consistency of the agency’s scoring methodology.
Severity Score Calculation Problems
Compounding the inefficiency, the report reveals that nearly 80 % of vulnerability submissions already include severity scores supplied by the software vendors responsible for the flawed code. Consequently, NIST’s duplicate scoring effort often adds little new information while consuming analyst time and introducing variability. The inspector general recommended scaling back NIST’s severity‑score work over the next two years, estimating a saving of roughly $800,000 that could be redirected to higher‑impact activities such as backlog reduction or tool development.
Manual Product Identification Bottleneck
Identifying affected products requires analysts to map vulnerability data to standardized product identifiers—a process that remains largely manual and time‑consuming. This step is a major contributor to the analysts’ 80 % workload on enrichment tasks. Although NIST is developing automated tools to accelerate product‑identification, the current manual approach continues to impede progress on clearing the backlog and limits the agency’s ability to scale operations efficiently.
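The two enrichment tasks above (severity scoring and product identification) are visible in each NVD record, so a defender can check whether a record has actually been enriched and whether NIST's score disagrees with the vendor's. The following is an added example, not code from the report, NIST or the NVD project; it assumes records shaped like NVD API 2.0 JSON (NIST's own CVSS metric typed "Primary", CNA/vendor metrics typed "Secondary", affected products as CPE strings under `configurations`), and the sample records and CVE IDs are constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple

def cvss_scores(cve: dict) -> Tuple[Optional[float], Optional[float]]:
    """Return (nist_score, vendor_score) from the CVSS v3.1 metrics.
    Assumption: NIST's analysis is the "Primary" metric; a CNA/vendor
    score is "Secondary" (first one wins if several are present)."""
    nist = vendor = None
    for m in cve.get("metrics", {}).get("cvssMetricV31", []):
        score = float(m["cvssData"]["baseScore"])
        if m.get("type") == "Primary":
            nist = score
        elif m.get("type") == "Secondary" and vendor is None:
            vendor = score
    return nist, vendor

def cpe_criteria(cve: dict) -> List[str]:
    """Collect the CPE match strings that identify affected products."""
    found = []
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            found.extend(cm["criteria"] for cm in node.get("cpeMatch", []))
    return found

def assess(cve: dict) -> Dict[str, object]:
    """Summarise enrichment state: is there a NIST score and a product
    list, which score to fall back on, and do the two scores disagree?"""
    nist, vendor = cvss_scores(cve)
    cpes = cpe_criteria(cve)
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus"),
        "enriched": nist is not None and bool(cpes),
        "usable_score": nist if nist is not None else vendor,
        "score_disagrees": nist is not None and vendor is not None and nist != vendor,
        "cpe_count": len(cpes),
    }

# Constructed sample records with placeholder IDs (not real CVEs).
SAMPLE = [
    {"id": "CVE-1900-0001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [
         {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"baseScore": 9.8}},
         {"type": "Secondary", "source": "cna@example.test", "cvssData": {"baseScore": 7.5}}]},
     "configurations": [{"nodes": [{"cpeMatch": [
         {"criteria": "cpe:2.3:a:example_vendor:example_app:1.0:*:*:*:*:*:*:*"}]}]}]},
    {"id": "CVE-1900-0002", "vulnStatus": "Awaiting Analysis",
     "metrics": {"cvssMetricV31": [
         {"type": "Secondary", "source": "cna@example.test", "cvssData": {"baseScore": 7.5}}]}},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(assess(rec))
```

A record like the second one is what the backlog looks like from a user's side: a vendor score exists, but no NIST score and no product list, so only the vendor score can drive triage.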
Duplication with CISA’s Vulnrichment Program
The inspector general uncovered significant overlap between NIST’s NVD enrichment and the Cybersecurity and Infrastructure Security Agency’s (CISA) Vulnrichment initiative, launched in May 2024. Because the two programs operated without coordination, NIST analysts repeatedly performed work that CISA analysts had already completed, and both agencies even contracted the same vendor for portions of the effort. Auditors identified at least 21,000 duplicated entries between May 2024 and December 2025, representing an estimated waste of $200,000 in federal funds.
Communication Failures and Stakeholder Frustration
Transparency problems have exacerbated the NVD’s woes. In April 2024, more than 50 cybersecurity professionals sent an open letter to Congress protesting NIST’s opacity about the database’s challenges and requesting clearer updates. Neither NIST nor the Department of Commerce responded to the letter, leaving the community feeling ignored. This lack of outreach has hindered collaboration, prevented external groups from offering assistance, and eroded trust in the federal vulnerability‑management ecosystem.
Shift in NVD Priorities and Broader Context
Amid the turmoil, NIST announced a narrowed focus for the NVD: prioritizing vulnerabilities appearing in CISA’s Known Exploited Vulnerabilities (KEV) catalog, software used by the federal government, and critical systems highlighted under Executive Order 14028. This strategic narrowing aims to concentrate limited resources on the most pressing threats. Meanwhile, the broader vulnerability‑listing landscape remains unsettled; the Common Vulnerabilities and Exposures (CVE) program—run by CISA—recently avoided shutdown through an 11‑month contract extension, prompting the emergence of alternative databases from European nonprofits and private firms seeking better coordination.
Recommendations and NIST Response
The inspector general issued six concrete recommendations: (1) develop a long‑term plan for the NVD; (2) establish a backlog‑clearance roadmap with measurable milestones; (3) reduce unnecessary severity‑score work; (4) streamline or automate the product‑identification process; (5) institute immediate coordination with CISA to eliminate duplicated effort; and (6) improve communication with users through regular updates and outreach. NIST concurred with all recommendations and affirmed that it is actively working on each. The agency must deliver a detailed implementation plan to the inspector general by late July, outlining how it will address the identified shortcomings.
Outlook and Next Steps
If NIST follows through on the accepted recommendations, the NVD could see measurable improvements in processing speed, data quality, and stakeholder confidence within the next fiscal year. Key milestones will include the rollout of automated product‑identification tools, a revised scoring workflow that leverages vendor‑provided scores, joint operational protocols with CISA, and a transparent communication cadence—such as monthly status reports and quarterly user forums. Success will hinge on sustained leadership commitment, adequate funding for tooling and staff training, and vigilant oversight to prevent the recurrence of planning gaps and duplicated effort. The coming months will be critical in determining whether the federal vulnerability‑management system can regain its role as a reliable, timely resource for defending the nation’s digital infrastructure.