NIST's National Vulnerability Database Mismanagement Leads to Backlog Crisis
Severity: Low (Score: 36.9)
Sources: Feeds2.Feedburner, Cyberscoop
Keywords: nist, national, vulnerability, database, federal, institute, standards
Severity indicators: vulnerability
Summary
A recent audit by the Department of Commerce inspector general revealed that the National Institute of Standards and Technology (NIST) has mismanaged the National Vulnerability Database (NVD), leading to a backlog of over 27,000 unprocessed security flaws. The backlog grew from 13,000 in June 2024, exacerbated by the lapse of the database's enrichment contract in February 2024. NIST's strategic planning was found lacking, with no long-term plan to address the backlog. The report highlighted inefficiencies in calculating severity scores and identifying affected products, with NIST's scores matching independent evaluators only 12% of the time. Additionally, duplication of efforts between NIST and the Cybersecurity and Infrastructure Security Agency (CISA) resulted in wasted resources, with at least 21,000 instances of duplicated work costing approximately $200,000. Communication failures among cybersecurity professionals further complicated the situation, prompting an open letter to Congress in April 2024.

Key Points:
- NIST's National Vulnerability Database has over 27,000 unprocessed vulnerabilities.
- Inefficiencies in severity score calculations and product identification hinder progress.
- Duplication of efforts between NIST and CISA wasted approximately $200,000.
Detailed Analysis
**Impact**

The backlog of unprocessed vulnerabilities in the NVD grew from 13,000 in June 2024 to over 27,000 by the end of 2025, affecting cybersecurity professionals across government and private sectors in the US. This delay impairs timely vulnerability prioritization and remediation, increasing exposure risk for federal agencies and critical infrastructure reliant on accurate vulnerability data. Duplication of effort between NIST and CISA wasted approximately $200,000, reducing resources available for vulnerability management. The lack of transparency and coordination has eroded trust among the over 50 cybersecurity stakeholders who raised concerns to Congress.

**Technical Details**

No specific attack vectors, TTPs, malware, exploited CVEs, or infrastructure details are provided in the articles. The crisis stems from operational inefficiencies, including manual severity scoring and product identification processes, and duplicated work between NIST and CISA programs. The backlog affects the vulnerability management lifecycle at the information enrichment and prioritization stages, delaying the dissemination of critical vulnerability data.

**Recommended Response**

Defenders should monitor alternative vulnerability databases and cross-reference multiple sources to compensate for potential delays in NVD updates. Organizations should prioritize patching vulnerabilities listed in CISA’s KEV catalog and those affecting federal government software, as NIST has narrowed its focus to these areas. Increased coordination between federal agencies and improved automation in vulnerability processing should be supported to reduce backlog impact. No specific IOCs or patches are provided for immediate action.
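The cross-referencing step in the recommended response above, as an added example that is not part of the original report: a small Python triage routine that checks each CVE of interest against its NVD enrichment status (vulnStatus, CVSS metrics, CPE product data) and against the CISA KEV catalog, and flags entries whose NVD data is still missing so they are scored from vendor advisories rather than left waiting on the backlog. The NVD and KEV records are constructed samples with placeholder CVE ids, shaped after the public NVD API 2.0 and KEV JSON layouts; the field names and the priority rules are assumptions of this example, not anything the report specifies.

```python
"""Cross-reference a CVE list against NVD enrichment status and the CISA KEV catalog.

Added example with constructed sample data patterned after the public NVD API 2.0
and CISA KEV JSON layouts. The CVE ids are placeholders, not real records, and the
field names used here are assumptions taken from those public formats.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed NVD-style records: one fully enriched, two still "Awaiting Analysis".
NVD_SAMPLE = {
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}, "configurations": []}},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}, "configurations": []}},
    ]
}

# Constructed KEV-style catalog: one of the unenriched CVEs is listed as exploited.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0002", "dueDate": "2026-01-01"},
]}


@dataclass
class Triage:
    cve_id: str
    nvd_status: str            # NVD vulnStatus, or "not in NVD feed"
    base_score: Optional[float]
    has_cpe: bool              # NVD has identified affected products (CPE match data)
    in_kev: bool
    kev_due: Optional[str]
    priority: str


def _nvd_index(nvd: dict) -> dict:
    return {v["cve"]["id"]: v["cve"] for v in nvd.get("vulnerabilities", [])}


def _kev_index(kev: dict) -> dict:
    return {v["cveID"]: v for v in kev.get("vulnerabilities", [])}


def _base_score(cve: dict) -> Optional[float]:
    # Prefer the newest CVSS version present; absent metrics mean no NVD score yet.
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        entries = metrics.get(key)
        if entries:
            return float(entries[0]["cvssData"]["baseScore"])
    return None


def _has_cpe(cve: dict) -> bool:
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            if node.get("cpeMatch"):
                return True
    return False


def triage(cve_ids, nvd: dict = NVD_SAMPLE, kev: dict = KEV_SAMPLE) -> list:
    """Assign a remediation priority to each CVE id using both sources."""
    nvd_idx, kev_idx = _nvd_index(nvd), _kev_index(kev)
    results = []
    for cve_id in cve_ids:
        cve = nvd_idx.get(cve_id, {})
        status = cve.get("vulnStatus", "not in NVD feed")
        score = _base_score(cve)
        has_cpe = _has_cpe(cve)
        kev_entry = kev_idx.get(cve_id)
        if kev_entry:
            # A KEV listing is exploitation evidence; act on it whether or not
            # NVD has finished enriching the record.
            priority = "patch-now (KEV)"
        elif score is None or not has_cpe:
            # Enrichment missing: no usable NVD score or product data, so score
            # from vendor advisories or CNA-supplied CVSS instead of waiting.
            priority = "score-independently (NVD enrichment missing)"
        elif score >= 7.0:
            priority = "high"
        else:
            priority = "scheduled"
        results.append(Triage(cve_id, status, score, has_cpe, kev_entry is not None,
                              kev_entry.get("dueDate") if kev_entry else None, priority))
    return results


if __name__ == "__main__":
    for t in triage(["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]):
        print(f"{t.cve_id}: {t.priority} [nvd={t.nvd_status}, score={t.base_score}, kev={t.in_kev}]")
```

In use, the two sample dictionaries would be replaced by the JSON fetched from the public NVD and KEV endpoints; the decision rules do not change. The point of the ordering is that a KEV hit is acted on before any NVD score is consulted, and that an "Awaiting Analysis" record is surfaced as a gap to fill from another source rather than silently treated as low risk.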
Source articles (2)
- Federal audit reveals NIST’s NVD is plagued by poor planning and duplication — Cyberscoop · 2026-05-29
  A Department of Commerce inspector general report released Thursday found that the National Institute of Standards and Technology has mismanaged a critical cybersecurity vulnerability database through…
- How NIST fumbled management of the National Vulnerability Database — Feeds2.Feedburner · 2026-06-01
  A US federal watchdog has outlined how the National Institute of Standards and Technology (NIST) failed to effectively manage the growing backlog of unprocessed cybersecurity vulnerabilities in the Na…
Timeline
- 2005-01-01 — NVD established: The National Vulnerability Database was created to centralize cybersecurity vulnerability data.
- 2024-02-01 — Enrichment contract lapse: NIST's contract for enriching the NVD data expired, leading to a backlog of vulnerabilities.
- 2024-04-01 — Open letter to Congress: Over 50 cybersecurity professionals sent an open letter to Congress regarding NIST's management issues.
- 2024-06-01 — Backlog reaches 13,000: The number of unprocessed vulnerabilities in the NVD reached 13,000.
- 2025-12-31 — Backlog exceeds 27,000: The backlog of unprocessed vulnerabilities in the NVD grew to over 27,000 by the end of 2025.