NIST Vulnerability Database Ineffective

June 2, 2026 04:01 · 12 min read
NIST's National Vulnerability Database Faces Significant Challenges

A recent report by the inspector general of the Department of Commerce has found that the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) is facing significant challenges, including a backlog of over 27,000 unprocessed security vulnerabilities.

The NVD is a critical tool used by industry and government cybersecurity workers to prioritize which cybersecurity vulnerabilities need to be addressed in what order. However, the worsening backlog has undermined the NVD's utility and public trust, according to the report.

Causes of the Backlog

The report found that poor planning by NIST has led to the increasingly dire state of affairs. In February 2024, NIST stopped paying the contractors who process the security flaws, resulting in a significant backlog. Despite pledging to fix the problem by September 2024, NIST did not come close to meeting its goal of processing about 6,200 vulnerabilities a month.

The agency had historically never processed more than 5,000 vulnerabilities a month and acknowledged that it had no plan for how to reach its goal, the report said. NIST does not have sustainable processes to manage NVD submissions and will be unable to clear the backlog of unprocessed vulnerabilities or prevent future processing delays without significant changes, according to the report.

Duplicating Efforts

In addition to weak strategic planning, NIST failed to communicate with the Cybersecurity and Infrastructure Security Agency (CISA). The agencies duplicated work in at least 21,000 instances from May 2024 through December 2025, the report said. CISA launched its own Vulnrichment program in May 2024, but NIST failed to coordinate with the agency once its NVD program rehired the contractors it relies on to maintain its database.

At one point, the two agencies hired the same contractor to perform identical work. NIST's failure to engage with CISA first became evident when NIST declined to respond to a CISA invitation to collaborate, according to the report. The decision to process vulnerabilities already addressed by CISA has wasted about $200,000 since May 2024, the report said, citing insufficient communication that "has frustrated stakeholders and decreased confidence in the NVD."

Fixing the Issue

The inspector general recommends that NIST become more efficient when assigning severity scores and labeling which products are impacted. NIST will save about $800,000 over the next two years if it spends less time on the scoring, according to the inspector general. NIST can safely decrease its work on scoring because it is of negligible value, according to the report, which found that 80% of vulnerability submissions include severity scores when they are first presented.

Additionally, NIST's severity scores only match those produced by independent assessors 12% of the time, the report said. The agency also has failed to communicate effectively with stakeholders, the report said, citing an open letter that 50 cybersecurity professionals sent to Congress and the Secretary of Commerce in April 2024.

NIST must forge a plan for how to fix the NVD and eliminate the backlog, begin communicating with stakeholders more efficiently, no longer do as much severity scoring, and collaborate with CISA to avoid overlapping efforts, the report said. The agency concurred with the recommendations and will begin work to improve its operations immediately, according to an April letter from NIST Acting Director Craig Burkhardt that was included in the report.

NIST should cede responsibility for the NVD to CISA, according to Michael Daniel, the president and CEO of the Cyber Threat Alliance. Running a long-term, ongoing operational program like the NVD falls more properly in CISA's mission, Daniel said via text. NIST has significant resource shortfalls.

Source: The Record
