Key Takeaways
- The National Vulnerability Database (NVD) fell into a severe backlog after its enrichment support contract lapsed in February 2024, leaving the program understaffed for months.
- By the end of 2025 the backlog exceeded 27,000 unprocessed vulnerabilities, with projections of >60,000 new reports annually by 2026.
- The Department of Commerce Office of Inspector General (OIG) identified four core failures: lack of a strategic plan, inefficient enrichment processes (especially redundant severity scoring), overlapping work with CISA’s Vulnrichment program, and poor stakeholder communication.
- OIG recommendations include creating a strategic and backlog‑management plan, eliminating duplicate severity scoring, coordinating with CISA, improving external contribution pathways, and establishing a clear communication strategy.
- NIST must submit a formal action plan by July 25, 2026 and has already announced a shift to prioritize enrichment only for the most critical vulnerabilities and to rely on externally supplied severity scores.
- Without implementing these changes, the NVD’s ability to support automated defenses, vulnerability prioritization, and federal compliance will continue to deteriorate, eroding public trust.
Background and Purpose of the NVD
The National Vulnerability Database (NVD), launched in 2005 by the National Institute of Standards and Technology (NIST), serves as the U.S. government’s central repository for cybersecurity vulnerability information. When a researcher or vendor reports a flaw, a CVE Numbering Authority (CNA) assigns it an identifier and publishes a record through the Common Vulnerabilities and Exposures (CVE) program. NIST then “enriches” each raw CVE record by adding a Common Vulnerability Scoring System (CVSS) severity score, Common Platform Enumeration (CPE) identifiers for the affected product versions, a weakness classification, and other contextual details. This enriched data is what lets security teams drive automated defenses from machine-readable fields, prioritize remediation, and meet federal compliance requirements such as those mandated by the Federal Information Security Modernization Act (FISMA).
How the Crisis Unfolded
The current NVD crisis began in February 2024 when NIST’s enrichment support contract expired. The analysts who perform the enrichment work are contractors, and despite having two years’ notice that a new contractor would be needed, NIST failed to secure a replacement in time. Consequently, the NVD program operated with inadequate staffing until late November 2024. The situation was exacerbated when the Cybersecurity and Infrastructure Security Agency (CISA) did not renew its financial support for the NVD in 2024, and the NVD‑overseeing division within NIST delayed requesting replacement funds from internal budgets. By the time a new contract was finalized and a public pledge was made to clear the backlog by September 2024, roughly 13,000 vulnerabilities remained unprocessed. By the end of 2025 the backlog had swollen to more than 27,000 entries. The OIG projects that annual vulnerability reports will surpass 60,000 in 2026—a nearly tenfold increase over the past decade—further straining NIST’s capacity to keep pace.
OIG’s Findings: Lack of Strategic Planning
The Office of Inspector General identified four primary shortcomings in NIST’s management of the NVD. First, NIST operated without a formal strategic plan for the database, a fact the agency confirmed to investigators. A strategic plan would have outlined long‑term goals, resource requirements, and risk mitigation strategies, especially given the known growth in vulnerability disclosures. Without such a roadmap, NIST reacted ad hoc to staffing gaps and funding shortfalls, leading to the prolonged enrichment contract lapse and the ensuing backlog.
OIG’s Findings: Inefficient Enrichment Processes
Second, the OIG found that NIST’s enrichment workflow was inefficient. Two tasks constituted the bulk of the workload: calculating severity scores and mapping affected product versions. However, nearly 80 percent of incoming CVE submissions already included a severity score from the submitting party, and CISA had been independently providing scores as well. Consequently, NIST’s routine severity‑score calculation added little value while consuming significant analyst time. The redundancy not only slowed processing but also increased the likelihood of inconsistencies between NIST‑derived scores and those supplied by external authorities.
OIG’s Findings: Overlap with CISA’s Vulnrichment Program
Third, NIST and CISA were running two overlapping vulnerability enrichment initiatives with minimal coordination. In May 2024, CISA launched its own “Vulnrichment” program, which used the same government contractor that NIST relied upon for enrichment. In many instances, both agencies performed identical enrichment steps on the same CVEs, duplicating effort and wasting resources. The lack of a clear division of labor or data‑sharing protocol meant that stakeholders received conflicting or redundant information, undermining the NVD’s role as a single source of truth.
OIG’s Findings: Poor Stakeholder Communication
Fourth, the OIG criticized NIST’s communication with NVD stakeholders as inadequate and lagging. Official updates about staffing levels, backlog status, and process changes were infrequent or unclear, leaving federal agencies, private‑sector security teams, and international partners uncertain about the reliability of the NVD data. Poor communication eroded trust and hampered the ability of downstream users to plan remediation actions effectively, especially during periods of heightened vulnerability disclosure.
OIG’s Recommendations for Remediation
To address these issues, the OIG issued a set of actionable recommendations. NIST should:
- Develop a strategic plan for the NVD that defines mission objectives, performance metrics, and a roadmap for scaling enrichment capabilities.
- Create a backlog‑management plan with concrete milestones, resource allocations, and regular progress reporting to ensure the existing backlog is reduced and future inflow is handled promptly.
- Eliminate duplicate severity scoring by relying on scores provided by CVE Numbering Authorities (CNAs) and CISA, reserving NIST’s effort for cases where no external score exists.
- Coordinate with CISA to delineate responsibilities, avoid overlapping enrichment work, and share data streams efficiently—potentially through a joint vulnerability enrichment framework.
- Improve external contribution pathways to allow researchers and vendors to submit enriched data directly, reducing the burden on NIST analysts.
- Establish a robust stakeholder communication strategy that includes regular status reports, transparent incident notifications, and accessible channels for feedback and inquiries.
NIST has been given until July 25, 2026 to submit a formal action plan detailing how it will implement these recommendations and begin remediation efforts.
NIST’s Interim Response and Future Direction
A month before the OIG report’s public release, NIST announced an interim shift in its NVD enrichment approach. Moving forward, the agency will continue to ingest all new CVE identifiers into the database but will prioritize enrichment for only the most critical vulnerabilities: those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, flaws affecting software used by the U.S. federal government, and issues impacting critical infrastructure components. For all other CVEs, NIST will limit enrichment to basic metadata and will cease routine severity‑score calculation, instead adopting scores supplied by CNAs and CISA. This targeted strategy aims to concentrate limited analyst resources on vulnerabilities that pose the greatest immediate risk while reducing unnecessary duplication of work.
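For NVD consumers, the practical consequence of both the OIG finding on redundant scoring and the interim policy is that a CVE record which NIST has not yet enriched may still carry a usable severity score from the CNA or from CISA's Vulnrichment data. The following Python is an example added here, not code from NIST, CISA or the OIG report. It assumes the CVE JSON 5.x record layout (the CNA's data under `containers.cna`, Authorized Data Publisher entries under `containers.adp` with a `providerMetadata.shortName` of "CISA-ADP", and "other" metrics of type "ssvc" and "kev"); the sample record is constructed with a placeholder CVE ID. It picks a severity in the CNA-then-CISA order the interim policy describes, flags the minority of records that still need a NIST-computed score, and applies the KEV-first enrichment rule. The federal-use and critical-infrastructure criteria are modelled as a caller-supplied product list, since that fact is not derivable from the record itself.

```python
import copy

# Constructed sample in the CVE JSON 5.x record layout; the CVE ID is a placeholder.
# The CNA supplied its own CVSS v3.1 score. CISA's ADP container carries SSVC
# decision points, a KEV marker and (to exercise the fallback path) a CVSS score too.
SAMPLE_RECORD = {
    "cveMetadata": {"cveId": "CVE-2024-99999", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "providerMetadata": {"shortName": "example-cna"},
            "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                          "versions": [{"version": "0", "status": "affected",
                                        "lessThan": "2.4.1", "versionType": "semver"}]}],
            "metrics": [{"cvssV3_1": {
                "version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
        },
        "adp": [{
            "providerMetadata": {"shortName": "CISA-ADP"},
            "metrics": [
                {"other": {"type": "ssvc", "content": {"options": [
                    {"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}]}}},
                {"other": {"type": "kev", "content": {"dateAdded": "2024-06-01",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"}}},
                {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
            ],
        }],
    },
}

CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")  # prefer the newest CVSS version present


def cvss_from_metrics(metrics):
    """First CVSS entry in a container's metrics list, newest version first; None if absent."""
    for key in CVSS_KEYS:
        for entry in metrics or []:
            cvss = entry.get(key)
            if cvss and "baseScore" in cvss:
                return {"cvss_version": key, "base_score": float(cvss["baseScore"]),
                        "base_severity": cvss.get("baseSeverity"), "vector": cvss.get("vectorString")}
    return None


def adp_containers(record, short_name=None):
    """Yield ADP containers, optionally only those published under `short_name`."""
    for adp in record["containers"].get("adp", []):
        if short_name is None or adp.get("providerMetadata", {}).get("shortName") == short_name:
            yield adp


def select_severity(record):
    """CNA score first, then any ADP score (the order the interim policy adopts).
    needs_nist_scoring is True only when no external party supplied a CVSS at all."""
    cna = record["containers"]["cna"]
    found = cvss_from_metrics(cna.get("metrics"))
    if found:
        return {"source": cna["providerMetadata"]["shortName"], "needs_nist_scoring": False, **found}
    for adp in adp_containers(record):
        found = cvss_from_metrics(adp.get("metrics"))
        if found:
            return {"source": adp["providerMetadata"]["shortName"], "needs_nist_scoring": False, **found}
    return {"source": None, "needs_nist_scoring": True}


def other_metric(record, metric_type, short_name="CISA-ADP"):
    """Content of an ADP 'other' metric such as 'kev' or 'ssvc', or None if not present."""
    for adp in adp_containers(record, short_name):
        for entry in adp.get("metrics", []):
            other = entry.get("other")
            if other and other.get("type") == metric_type:
                return other.get("content", {})
    return None


def is_kev_listed(record):
    """True when CISA's ADP has marked the CVE as being in the KEV catalog."""
    return other_metric(record, "kev") is not None


def ssvc_exploitation(record):
    """SSVC Exploitation decision point ('none', 'poc' or 'active') from CISA's ADP, or None."""
    content = other_metric(record, "ssvc") or {}
    for option in content.get("options", []):
        if "Exploitation" in option:
            return option["Exploitation"]
    return None


def enrichment_tier(record, federal_or_ci_products=frozenset()):
    """Interim NIST rule as described above: full enrichment for KEV-listed CVEs and for
    (vendor, product) pairs on a caller-supplied federal-use / critical-infrastructure
    list (an assumed input; the record does not carry that fact); otherwise basic only."""
    if is_kev_listed(record):
        return "full"
    for aff in record["containers"]["cna"].get("affected", []):
        if (aff.get("vendor"), aff.get("product")) in federal_or_ci_products:
            return "full"
    return "basic"


def strip_external_scores(record, keep_adp=False):
    """Constructed variant of a record: drop the CNA's CVSS and, unless keep_adp, all ADP
    data, modelling the minority of submissions that arrive without any external score."""
    bare = copy.deepcopy(record)
    bare["containers"]["cna"].pop("metrics", None)
    if not keep_adp:
        bare["containers"].pop("adp", None)
    return bare


if __name__ == "__main__":
    for label, rec in (("scored", SAMPLE_RECORD), ("unscored", strip_external_scores(SAMPLE_RECORD))):
        sev = select_severity(rec)
        print(f"{label}: severity={sev.get('base_severity')} score={sev.get('base_score')} "
              f"source={sev['source']} kev={is_kev_listed(rec)} "
              f"exploitation={ssvc_exploitation(rec)} tier={enrichment_tier(rec)}")
```

The ordering matters for the consistency problem the OIG raised: once a consumer has committed to CNA-first, a later NIST-computed score that differs should be treated as a second opinion to reconcile, not silently overwrite the one already acted on. The `needs_nist_scoring` flag is the case where analyst time is genuinely not redundant, and a pipeline should queue those records separately rather than treating a missing NVD score as "no severity".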
Conclusion: The Path Forward for the NVD
The NVD’s current predicament underscores the challenges of maintaining a vital national cybersecurity asset amid exponential growth in vulnerability disclosures. The OIG’s analysis makes clear that the problems are not merely staffing gaps but systemic deficiencies in planning, process efficiency, inter‑agency coordination, and communication. By heeding the OIG’s recommendations, particularly the adoption of a strategic plan, the elimination of redundant scoring, and stronger collaboration with CISA, NIST can restore the NVD’s reliability as a foundational tool for automated defense, risk prioritization, and regulatory compliance. Timely execution of the required action plan by the July 2026 deadline will be essential to prevent further erosion of public trust and to ensure that the nation’s cybersecurity defenders have timely, accurate vulnerability information at their disposal.