How NIST fumbled management of the National Vulnerability Database
A US federal watchdog has outlined how the National Institute of Standards and Technology (NIST) failed to effectively manage the growing backlog of unprocessed cybersecurity vulnerabilities in the National Vulnerability Database (NVD).

How the NVD crisis unfolded
The NVD was established in 2005 and serves as a central repository for cybersecurity vulnerability data.
When security researchers or software vendors discover a flaw in a piece of software or hardware, they submit a report through the Common Vulnerabilities and Exposures program. NIST then takes that raw submission and “enriches” it with additional analysis, including severity scores and information about which specific product versions are affected.
The enriched data is what makes the NVD useful, because cybersecurity teams rely on it to automate their defenses, prioritize which vulnerabilities to fix first, and comply with federal requirements.
The current NVD crisis traces back to February 2024, when NIST’s enrichment support contract lapsed. (The NVD analysts who perform enrichment are contractors.)
According to the findings by the US Department of Commerce Office of Inspector General (OIG), NIST had two years’ notice that it needed a new contractor but still failed to have a replacement ready in time, leaving the NVD program without adequate staffing until late November 2024.
The situation was made worse by the Cybersecurity and Infrastructure Security Agency (CISA) not renewing financial support for the program in 2024, and by the division overseeing the NVD being slow to request replacement funds from within NIST, the report says.
By the time a new contract was in place and a public commitment had been made to clear the backlog by September 2024, the number of unprocessed vulnerabilities stood at around 13,000. By the end of 2025, the backlog had grown to more than 27,000 vulnerabilities.
“We project that in 2026 the yearly total of reported vulnerabilities will surpass 60,000. This represents a nearly tenfold increase from a decade ago, further challenging NIST’s ability to resolve the backlog,” the OIG noted.
The OIG’s verdict and recommendations
The OIG identified four main problems in how NIST has handled the situation:
- NIST did not have a strategic plan for the NVD (and has confirmed that to the investigators)
- NIST’s enrichment process was found to be inefficient: two tasks made up most of the enrichment workload, and one of them (calculating severity scores) was largely unnecessary, since nearly 80 percent of vulnerability submissions already included a score from the submitting party, and CISA had also been providing scores independently.
- NIST and CISA are operating two overlapping vulnerability enrichment programs with little coordination between them. CISA launched Vulnrichment in May 2024, but both agencies used the same government contractor and, in many cases, completed the same enrichment tasks on the same vulnerabilities.
- NIST’s communication with NVD stakeholders is poor, and its official communications are lagging.
The OIG concluded that without significant changes to how the program is run, the NVD will not be able to fulfill its mission and public trust in the database will continue to erode.
To turn the ship around, the OIG advised NIST to create a strategic plan, establish a backlog management plan with clear milestones, reduce duplicative severity scoring, coordinate with CISA to eliminate overlapping work, improve the process for external parties to contribute to the database, and develop a proper stakeholder communication strategy.
NIST now has until July 25, 2026, to submit a formal action plan and start implementing the recommendations.
A month before the report was released, NIST announced that it would institute a new approach for populating and enriching the NVD: it would continue to add CVEs to it, but prioritize “enrichment” of only the most critical CVE-numbered security vulnerabilities (i.e., those added to CISA’s Known Exploited Vulnerabilities catalog, those affecting software used within the US federal government, and those affecting critical software).
It also said it would stop routinely calculating its own severity scores and instead rely on those provided by CVE Numbering Authorities.
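For defenders, the practical consequence of the backlog and of the new NIST policy is that a triage pipeline can no longer assume NVD will supply a CVSS score and affected-version data for every CVE. The CVE record itself usually carries that data already: the CNA's own metrics live under `containers.cna.metrics`, and CISA's Vulnrichment adds its data as an ADP container under `containers.adp`. The script below is an added example, not code from NIST, CISA or the article; it reads CVE JSON 5.x records, picks a score with a precedence order that is this example's own assumption (CNA first, then ADP, then flag as unscored), pulls affected versions from the CNA container, and buckets a batch of records so you can see how many would still be waiting on NVD. The three records, their CVE IDs and the CNA name `ExampleCNA` are constructed placeholders.

```python
"""Triage CVE JSON 5.x records without waiting for NVD enrichment.

Score precedence (an assumption of this example, not NIST or CISA policy):
  1. the CNA's own metric          -> containers.cna.metrics
  2. an ADP metric, e.g. CISA-ADP  -> containers.adp[].metrics
  3. nothing found                 -> record is flagged as unscored
"""

# Metric keys in order of preference; CVSS v2 is deliberately ignored.
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")


def _first_cvss(metrics):
    """Return the first usable CVSS base score from a metrics list, or None."""
    for metric in metrics or []:
        for key in CVSS_KEYS:
            block = metric.get(key)
            if block and "baseScore" in block:
                return {"version": key,
                        "baseScore": float(block["baseScore"]),
                        "vectorString": block.get("vectorString")}
    return None


def select_score(record):
    """Pick a score for one record following the precedence above."""
    containers = record.get("containers", {})
    cna = containers.get("cna", {})
    found = _first_cvss(cna.get("metrics"))
    if found:
        name = cna.get("providerMetadata", {}).get("shortName", "unknown")
        return {"source": f"cna:{name}", **found}
    for adp in containers.get("adp", []):
        found = _first_cvss(adp.get("metrics"))
        if found:
            name = adp.get("providerMetadata", {}).get("shortName", "unknown")
            return {"source": f"adp:{name}", **found}
    return None


def affected_products(record):
    """List (vendor, product, [affected versions]) from the CNA container."""
    result = []
    for item in record.get("containers", {}).get("cna", {}).get("affected", []):
        versions = [v.get("version") for v in item.get("versions", [])
                    if v.get("status") == "affected"]
        result.append((item.get("vendor"), item.get("product"), versions))
    return result


def triage(records):
    """Bucket records by where their score came from; unscored ones need NVD."""
    buckets = {"cna": [], "adp": [], "unscored": []}
    for record in records:
        cve_id = record["cveMetadata"]["cveId"]
        score = select_score(record)
        if score is None:
            buckets["unscored"].append(cve_id)
        else:
            buckets[score["source"].split(":")[0]].append((cve_id, score["baseScore"]))
    return buckets


def _record(cve_id, cna_metrics=None, adp=None):
    """Build a constructed, minimal CVE 5.x record (placeholder IDs, not real CVEs)."""
    return {
        "dataType": "CVE_RECORD", "dataVersion": "5.1",
        "cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"},
        "containers": {
            "cna": {
                "providerMetadata": {"shortName": "ExampleCNA"},
                "affected": [{"vendor": "example", "product": "widget",
                              "versions": [{"version": "1.0", "status": "affected"},
                                           {"version": "1.2", "status": "unaffected"}]}],
                "metrics": cna_metrics or [],
            },
            "adp": adp or [],
        },
    }


# Constructed sample batch: CNA-scored, ADP-only scored, and unscored.
SAMPLE_RECORDS = [
    _record("CVE-0000-00001", cna_metrics=[{"cvssV3_1": {
        "version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]),
    _record("CVE-0000-00002", adp=[{
        "providerMetadata": {"shortName": "CISA-ADP"},
        "metrics": [{"other": {"type": "ssvc", "content": {}}},
                    {"cvssV3_1": {"version": "3.1", "baseScore": 6.3,
                                  "baseSeverity": "MEDIUM",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}]}]),
    _record("CVE-0000-00003"),
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_RECORDS).items():
        print(bucket, entries)
    print(affected_products(SAMPLE_RECORDS[0]))
```

Running it on a real feed means swapping `SAMPLE_RECORDS` for records loaded from the cvelistV5 JSON files; the unscored bucket is the set that genuinely depends on NVD (or Vulnrichment) catching up, which is usually a much smaller list than the full backlog figure suggests.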

