Bottom line: NIST will rate fewer vulnerabilities with CVSS scores itself and will increasingly rely on third-party sources to reduce a growing analysis backlog.
The U.S. National Institute of Standards and Technology (NIST) has announced that it will rate fewer vulnerabilities with its own CVSS scores in its National Vulnerability Database (NVD) in the future. The reason is a significant backlog in analysis as well as criticism from the U.S. Government Accountability Office.
The NVD is the central public vulnerability database of the United States and is maintained by NIST. Until now, NIST has created its own CVSS scores (Common Vulnerability Scoring System) for registered vulnerabilities to enable consistent comparability of risk. This process led to a significant backlog: many reported vulnerabilities have been waiting for official analysis and assessment by NIST experts for some time.
The U.S. Government Accountability Office (GAO) recently criticized this situation harshly. NIST will now change its approach: the database will increasingly accept and publish third-party ratings from vendors instead of analyzing all entries itself. This is intended to reduce the backlog and make the database more timely.
For CISOs, this change presents a new challenge in assessing vulnerabilities: they can no longer rely on a uniform assessment created by NIST, but must in future take into account ratings from various sources and evaluate their quality themselves. This requires greater differentiation in vulnerability assessment and possibly additional validation processes.
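One way a security team could operationalise that validation step, as an added example that is not part of the article: a small Python check that reads an NVD-API-2.0-style record (the JSON layout with per-entry `source` and `type` fields, the sample CVE id, the vendor source address and the trust policy are assumptions), lists every CVSS v3.1 rating with its source, and flags the entry for manual review when no trusted source has rated it or when the sources disagree.

```python
import json

# Constructed sample NVD-API-2.0-style record (assumed layout): a NIST
# "Primary" rating and a vendor "Secondary" rating that disagree.
SAMPLE_RECORD = json.dumps({"cve": {"id": "CVE-0000-00001", "metrics": {
    "cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
        {"source": "vendor@example.com", "type": "Secondary",
         "cvssData": {"baseScore": 6.5, "baseSeverity": "MEDIUM"}},
    ]}}})

# Assumed local policy: which sources are accepted without review, and
# how far base scores may diverge before a human must look.
TRUSTED_SOURCES = {"nvd@nist.gov"}
DISAGREEMENT_THRESHOLD = 2.0


def collect_scores(record_json):
    """Return (source, type, baseScore) for every CVSS v3.1 entry."""
    cve = json.loads(record_json)["cve"]
    entries = cve.get("metrics", {}).get("cvssMetricV31", [])
    return [(e["source"], e["type"], e["cvssData"]["baseScore"]) for e in entries]


def assess(record_json):
    """Choose a working score and flag the CVE for validation when needed.

    The highest available score is the conservative default; review is
    required when no trusted source rated the CVE or when the ratings
    differ by DISAGREEMENT_THRESHOLD or more.
    """
    scores = collect_scores(record_json)
    if not scores:
        return {"score": None, "needs_review": True, "reason": "no CVSS data"}
    values = [s for _, _, s in scores]
    has_trusted = any(src in TRUSTED_SOURCES for src, _, _ in scores)
    gap = max(values) - min(values)
    if not has_trusted:
        reason = "untrusted sources only"
    elif gap >= DISAGREEMENT_THRESHOLD:
        reason = f"sources disagree by {gap:.1f}"
    else:
        reason = "ok"
    return {"score": max(values), "needs_review": reason != "ok", "reason": reason}


if __name__ == "__main__":
    print(assess(SAMPLE_RECORD))
```

The trusted-source set and the threshold are the knobs a team would tune to its own risk appetite; the point is that the record now has to be read as a list of ratings rather than a single score.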
Source: www.heise.de · Published June 2, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.