
NIST's NVD Mismanagement Exposed

May 30, 2026
A Department of Commerce inspector general report released in 2026 found that the National Institute of Standards and Technology (NIST) has mismanaged the National Vulnerability Database (NVD) through poor planning, inefficient operations, duplicate federal programs, and failure to communicate with users.

The NVD, maintained by NIST since 2005, collects information about computer security flaws and "enriches" each record with details such as a severity rating (a CVSS score) and a list of affected products (CPE identifiers). Cybersecurity professionals across government and the private sector rely on this information to decide which security problems to fix first.

Backlog of Unprocessed Security Flaws

In February 2024, the database's enrichment contract lapsed, creating a backlog of unprocessed security flaws that has only grown since. The report identified the lack of strategic planning as a core problem. NIST leaders admitted they had no long-term plan for clearing the backlog, even as it grew from about 13,000 unprocessed security flaws in June 2024 to over 27,000 by the end of 2025.

NIST publicly promised in May 2024 that it would clear the backlog by September 2024, setting a goal of processing 6,200 security flaws per month, even though the agency had never processed more than 5,000 per month.

Inefficiencies in NVD Enrichment

The report found major inefficiencies in how NIST enriches the information attached to each vulnerability. Analysts spend about 80% of their time on two tasks: calculating severity scores and identifying which products are affected. The inspector general's office tested NIST's severity scores and found they matched independent evaluators only 12% of the time.

Nearly 80% of vulnerability submissions already include a severity score from the organization responsible for the software (the CVE Numbering Authority, typically the vendor). This means NIST is often redoing work that has already been done, and doing it inconsistently. The inspector general proposed cutting back on severity score calculation over the next two years, estimating that NIST would save $800,000 it could redirect to other program areas.
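The enrichment states the report is describing (a NIST-computed score, a CNA-supplied score only, no score at all, CPE data present or absent) can be read directly off an NVD record, which is what a practitioner deciding whether to wait for NIST or act on the CNA's score needs to know. The following is an added example, not code from NIST or from the inspector general's report. It assumes the NVD CVE API 2.0 JSON layout (`cve.vulnStatus`, `cve.metrics.cvssMetricV3x` entries carrying `source` and `type`, and `cve.configurations`) and runs over three constructed sample records rather than live data; the CVE IDs and CNA address in the sample are placeholders.

```python
"""Classify NVD CVE records by enrichment state.

Added example, not code from NIST or the inspector general's report.
Assumes the NVD CVE API 2.0 JSON layout and uses constructed sample
records (placeholder IDs), not live NVD data.
"""
from dataclasses import dataclass
from typing import Optional

# Source string NIST puts on its own ("Primary") CVSS entries in NVD records.
NIST_SOURCE = "nvd@nist.gov"

# Constructed sample shaped like the NVD API 2.0 "vulnerabilities" array.
# The IDs and CNA address are placeholders, not real records.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {   # fully enriched: NIST score, CNA score and CPE configurations
            "cve": {
                "id": "CVE-0000-0001",
                "vulnStatus": "Analyzed",
                "metrics": {"cvssMetricV31": [
                    {"source": NIST_SOURCE, "type": "Primary",
                     "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
                    {"source": "security@example-cna.test", "type": "Secondary",
                     "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}},
                ]},
                "configurations": [{"nodes": [{"cpeMatch": [
                    {"vulnerable": True,
                     "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
            }
        },
        {   # backlog, but the CNA already supplied a score: usable today
            "cve": {
                "id": "CVE-0000-0002",
                "vulnStatus": "Awaiting Analysis",
                "metrics": {"cvssMetricV31": [
                    {"source": "security@example-cna.test", "type": "Secondary",
                     "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
                ]},
            }
        },
        {   # backlog with no score from anyone: nothing to prioritise on
            "cve": {"id": "CVE-0000-0003",
                    "vulnStatus": "Awaiting Analysis", "metrics": {}}
        },
    ]
}


@dataclass
class EnrichmentState:
    cve_id: str
    status: str
    nist_score: Optional[float]
    cna_score: Optional[float]
    has_cpe: bool

    @property
    def usable_score(self) -> Optional[float]:
        """Score to prioritise on now: NIST's if present, else the CNA's."""
        return self.nist_score if self.nist_score is not None else self.cna_score

    @property
    def needs_nist_work(self) -> bool:
        """True only when no one has scored the flaw at all."""
        return self.usable_score is None


def _scores(cve: dict) -> tuple:
    """Return (nist_score, cna_score), preferring the newest CVSS version."""
    nist, cna = None, None
    for version in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for m in cve.get("metrics", {}).get(version, []):
            score = m.get("cvssData", {}).get("baseScore")
            if m.get("source") == NIST_SOURCE or m.get("type") == "Primary":
                nist = score if nist is None else nist
            else:
                cna = score if cna is None else cna
    return nist, cna


def classify(response: dict) -> list:
    """Turn an NVD API 2.0 response into one EnrichmentState per CVE."""
    out = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        nist, cna = _scores(cve)
        out.append(EnrichmentState(
            cve_id=cve["id"],
            status=cve.get("vulnStatus", ""),
            nist_score=nist,
            cna_score=cna,
            has_cpe=bool(cve.get("configurations")),
        ))
    return out


def backlog_summary(states: list) -> dict:
    """How much of the un-enriched backlog already carries a CNA score."""
    backlog = [s for s in states if s.nist_score is None]
    return {
        "total": len(states),
        "backlog": len(backlog),
        "backlog_with_cna_score": sum(1 for s in backlog if s.cna_score is not None),
        "backlog_without_any_score": sum(1 for s in backlog if s.cna_score is None),
        "missing_cpe": sum(1 for s in states if not s.has_cpe),
    }


if __name__ == "__main__":
    states = classify(SAMPLE_RESPONSE)
    for s in states:
        print(f"{s.cve_id}: {s.status:<18} score={s.usable_score} "
              f"(nist={s.nist_score}, cna={s.cna_score}) cpe={s.has_cpe}")
    print(backlog_summary(states))
```

Running the same classification over a real API page (the `vulnerabilities` array from `https://services.nvd.nist.gov/rest/json/cves/2.0`) gives the two numbers that matter operationally: how many records are unscored by NIST, and how many of those nonetheless already carry a CNA score a team can prioritise on instead of waiting for the backlog to clear.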

Duplication of Efforts

The report also found major duplication between two federal security programs. When the Cybersecurity and Infrastructure Security Agency (CISA) launched its own Vulnrichment program in May 2024, there was no coordination between the agencies, so NIST analysts sometimes repeated work that CISA analysts had already completed. The two agencies even hired the same contractor for portions of the same work.

The inspector general found at least 21,000 cases of duplicated work between May 2024 and December 2025, wasting approximately $200,000 in the process.

Communication Failures

Communication failures have made the problems worse. In April 2024, over 50 cybersecurity professionals sent an open letter to Congress complaining that NIST was not being transparent about the database's problems. Neither NIST nor the Department of Commerce answered the letter.

Recommendations and Next Steps

The inspector general recommended that NIST create a long-term plan for the database, set up a plan to clear the backlog with specific goals, cut back on unnecessary severity score work, make it easier for outside companies to help identify affected products, immediately start working with CISA to stop duplicating work, and develop a plan to communicate better with users. NIST agreed with all six recommendations and said it is working on them.

The agency must submit a plan showing how it will address these problems by late July. The full report can be read here.

Conclusion

The mismanagement of the NVD has significant implications for the cybersecurity community, which relies on the database to decide which security problems to fix first. The report's findings and recommendations provide a roadmap for NIST to improve the database's operations and better serve that community.

  1. NIST must create a long-term plan for the database to ensure its sustainability and effectiveness.
  2. The agency must set up a plan to clear the backlog with specific goals and deadlines to ensure that the database remains up-to-date and relevant.
  3. NIST should cut back on unnecessary severity score work and focus on more critical tasks, such as identifying affected products.
  4. The agency must develop a plan to communicate better with users and stakeholders to ensure transparency and accountability.

By addressing these issues, NIST can improve the NVD and better support the cybersecurity community in its efforts to protect against security threats.


Source: CyberScoop
