
US Report Criticizes NIST for NVD Backlog in Vulnerability Processing

Bottom line: The NIST backlog results from strategic deficits and duplicate structures with CISA, with both agencies operating parallel vulnerability enrichment programs since May 2024 and wasting approximately $200,000 in funds.

The US Department of Commerce criticizes NIST for growing backlogs in adding security vulnerabilities to the National Vulnerability Database (NVD). An inspector’s report identifies management deficiencies, coordination gaps between NIST and CISA, and questionable severity calculations as primary issues.

The report by the Inspector General of the US Department of Commerce faults the National Institute of Standards and Technology (NIST) for significant failures in managing the National Vulnerability Database (NVD). The report identifies inadequate strategic planning and sluggish action as the main causes of the continuously growing backlog of unprocessed vulnerabilities. Particularly criticized is NIST’s insufficient communication, which has undermined stakeholder confidence.

A central coordination problem is that NIST and the Cybersecurity and Infrastructure Security Agency (CISA) have operated two parallel vulnerability enrichment programs since May 2024. This results in significant duplication: the report quantifies the funds spent on duplicated work at approximately $200,000 since May 2024. CISA produces nearly identical enrichment data to NIST, and NIST could have used this data earlier to reduce the backlog. However, this was technically not possible until March 2025 because the NVD infrastructure did not support attributing data to specific sources. NIST staff wanted to avoid the appearance that an NVD analyst had produced enrichment data that actually came from CISA. Overall, the report estimates the savings potential from improved efficiency at approximately $800,000 over two years.

Another critical problem area lies in the reliability of severity scores. NIST uses the industry-standard Common Vulnerability Scoring System (CVSS) to assess vulnerabilities. However, internal tests showed that independent assessors arrived at identical severity scores in only 12 percent of cases. The report concludes that assessments depend heavily on the information available and on the professional judgment of the individual analyst. This raises questions about consistency and reproducibility and suggests that NIST’s manual severity calculation may need to be fundamentally reviewed.

Industry experts acknowledge that the backlog is real and has built up over years. However, they point out that the federal government contributes little in support. Defenders of NIST cite budget cuts that have significantly hindered the institution. Additionally, there is a fundamental shift in the nature of vulnerability discovery: generative AI developments over the past two years have dramatically increased the number of discovered vulnerabilities and accelerated the speed of discoveries. This raises fundamental questions about whether NVD processes need to be completely redesigned.


Source: www.csoonline.com · Published June 5, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.
