Advertisement
Subscribe to our daily newsletter.
Subscribe

Federal audit reveals NIST’s NVD is plagued by poor planning and duplication

A report from the Commerce Inspector General details how mismanagement allowed a backlog of 27,000 unprocessed security flaws to grow unchecked, while the agency duplicated work with a similar CISA program.

By

Listen to this article
0:00
Learn more. This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.
(NIST building / CC2.0)

A Department of Commerce inspector general report released Thursday found that the National Institute of Standards and Technology has mismanaged a critical cybersecurity vulnerability database through poor planning, inefficient operations, duplicate federal programs, and failure to communicate with users.

The National Vulnerability Database, maintained by NIST since 2005, collects information about computer security flaws and adds details like severity ratings and affected products. This information helps cybersecurity professionals across government and the private sector decide which security problems to fix first. In February 2024, the database’s enrichment contract lapsed, creating a backlog of unprocessed security flaws that has only grown worse.

The report identified the lack of strategic planning as a core problem. NIST leaders admitted they had no long-term plan for clearing the backlog, even as it grew from about 13,000 unprocessed security flaws in June 2024 to over 27,000 by the end of 2025.

NIST publicly promised in May 2024 that it would clear the backlog by September 2024, setting a goal of processing 6,200 security flaws per month, but the agency had never processed more than 5,000 per month in the past.

Advertisement

The report found major inefficiencies in how NIST enriches the information that is attached to the vulnerabilities. 

Analysts spend about 80% of their time on two tasks: calculating severity scores and identifying which products are affected. The inspector general’s office tested NIST’s severity scores and found they matched independent evaluators only 12% of the time. Also, nearly 80% of vulnerability submissions already include these scores from the companies that are responsible for the software. This means NIST is doing work that is often unnecessary and inconsistent. The inspector general proposed cutting back on severity score calculation work over the next two years, estimating that NIST would save $800,000 that it could redirect to other program areas.

Another efficiency problem highlighted is the program’s manual process for identifying affected products. Creating these standardized product identifiers takes a lot of time and keeps analysts from clearing the backlog. NIST is developing tools to make this faster, but it remains a major slowdown.

The report also found major duplication between two federal security programs. When the Cybersecurity and Infrastructure Security Agency launched its own Vulnrichment program in May 2024, there was no coordination between the agencies, leading to NIST analysts sometimes repeating work that CISA analysts had already completed. Additionally, the two agencies even hired the same contractor for portions of the same work. The inspector general found at least 21,000 cases of duplicated work between May 2024 and December 2025, wasting approximately $200,000 in the process.  

Communication failures have made the problems worse. In April 2024, over 50 cybersecurity professionals sent an open letter to Congress complaining that NIST was not being transparent about the database’s problems. Neither NIST nor the Department of Commerce answered the letter.

Advertisement

Vulnerability database programs managed by the federal government have been a point of contention for the cybersecurity community over the past two years. Earlier this year, NIST announced that it has narrowed its priorities for the NVD, focusing only on vulnerabilities in CISA’s KEV catalog, software used by the federal government, and critical software identified under Executive Order 14028.

A similar program that serves as a catalog of known security flaws, the Common Vulnerabilities and Exposures (CVE) list, has had similar issues over the past few years. That program, run by CISA, narrowly escaped a sudden demise when a last-minute, 11-month contract extension averted a shutdown in April 2025. Since then, several competing databases from European nonprofits and other private entities have been stood up in order to better coordinate how vulnerabilities are tracked, disclosed, and ultimately patched.

The inspector general recommended that NIST create a long-term plan for the database, set up a plan to clear the backlog with specific goals, cut back on unnecessary severity score work, make it easier for outside companies to help identify affected products, immediately start working with CISA to stop duplicating work, and develop a plan to communicate better with users.

NIST agreed with all six recommendations and said it is working on them. The agency must submit a plan showing how it will address these problems by late July.

You can read the full report here

Advertisement

Advertisement
Advertisement

More Like This

Advertisement

Top Stories

Advertisement

More Scoops

Director of the Federal Bureau of Investigation of the United States Kash Patel is seen in the Capitol near a meeting on the administration’s use of FISA authority on March 18, 2026. (Photo by Alex Kent/The Washington Post via Getty Images)

The surveillance law Congress can’t quit — and can’t explain

Congress overhauled Section 702 in 2024 with 56 changes. Now, as the law nears expiration, supporters and critics can’t even agree on what the numbers show.
By Tim Starks

Latest Podcasts

When iPhone exploits turn into commodities

From two weeks to three days: The KEV deadline debate

Can specialized security survive Daybreak and Mythos?

Why access brokers have stubbornly remained successful

Government

Technology

Threats

Policy