NIST's NVD Faces Backlog Crisis Amid Management Failures
Severity: Low (Score: 36.9)
Sources: Therecord.Media, Feeds2.Feedburner, Cyberscoop, Heise.De
Keywords: nist, national, vulnerability, database, federal, institute, standards
Severity indicators: vulnerability
Summary
The National Institute of Standards and Technology (NIST) will largely cease evaluating IT security vulnerabilities with Common Vulnerability Scoring System (CVSS) severity scores, one of several measures it is taking in response to a growing backlog in the National Vulnerability Database (NVD). The backlog grew from 13,000 unprocessed vulnerabilities in February 2024 to more than 27,000 by the end of 2025. A Department of Commerce inspector general report released on 29 May 2026 cited poor planning, inefficient operations and duplication of effort between NIST and the Cybersecurity and Infrastructure Security Agency (CISA). NIST's failure to clear the backlog has undermined the NVD's utility and public trust in it, which matters because security teams and automated tooling depend on the database. The report also faulted NIST for a lack of strategic planning and for communication failures that worsened the situation. As of April 2026 the NVD averages more than 300,000 unique users per day. The inspector general's office has proposed cutting unnecessary tasks so that resources can be redirected to clearing the backlog.
Key Points:
• NIST will largely stop assigning CVSS scores to vulnerabilities as part of its response to the backlog.
• The NVD backlog grew from 13,000 unprocessed vulnerabilities in February 2024 to more than 27,000 by the end of 2025.
• The inspector general report cites poor planning and duplication of effort with CISA as the core problems.
Detailed Analysis
**Impact**
The backlog of unprocessed vulnerabilities in the National Vulnerability Database (NVD) grew from 13,000 in February 2024 to more than 27,000 by the end of 2025, affecting cybersecurity professionals across the US government and the private sector. The delay undermines the timely vulnerability assessment that patch prioritization depends on, increasing exposure to unmitigated risk in federal and critical-infrastructure software and in software widely used across the US. The backlog and the inefficiencies behind it reduce the NVD's reliability for its more than 300,000 daily users and for the automated systems that consume NVD data.

**Technical Details**
No attack vectors, TTPs, malware, CVEs or IOCs are described in the source reports. The backlog stems from operational failures: manual processes for calculating CVSS scores and identifying affected products, duplication of effort with CISA's Vulnrichment program, and contract-management problems. The problem lies in the vulnerability data processing and enrichment stages, not in active exploitation or malware campaigns.

**Recommended Response**
Organizations should monitor alternative vulnerability intelligence sources and prioritize patching based on vendor-provided CVSS scores and advisories, since NIST will largely cease producing CVSS scores of its own. Security teams should track CISA's Known Exploited Vulnerabilities (KEV) catalog and the Executive Order 14028 critical software lists, which NIST continues to prioritize. Defenders should also watch for announcements on NVD backlog reduction progress and keep open lines of communication with vendors for timely vulnerability disclosures.
Source articles (4)
- Federal audit reveals NIST’s NVD is plagued by poor planning and duplication — Cyberscoop · 2026-05-29
  A Department of Commerce inspector general report released Thursday found that the National Institute of Standards and Technology has mismanaged a critical cybersecurity vulnerability database through…
- How NIST fumbled management of the National Vulnerability Database — Feeds2.Feedburner · 2026-06-01
  A US federal watchdog has outlined how the National Institute of Standards and Technology (NIST) failed to effectively manage the growing backlog of unprocessed cybersecurity vulnerabilities in the Na…
- Inspector general finds NIST mistakes have made vulnerability database ineffective — Therecord.Media · 2026-06-01
  NIST’s National Vulnerability Database (NVD) backlog mushroomed from 13,000 unprocessed security vulnerabilities in February 2024 to more than 27,000 by the end of 2025, “undermining the NVD’s utility…
- CVSS: NIST restricts evaluation of IT security vulnerabilities — Heise.De · 2026-06-02
  The US National Institute of Standards and Technology (NIST) will largely cease evaluating IT security vulnerabilities with the known CVSS severity levels. This is one of the measures with which NIST…
Timeline
- 2024-02-01 — Backlog stands at 13,000: The backlog of unprocessed vulnerabilities began to grow after the enrichment contract lapsed; the inspector general report puts it at 13,000 unprocessed vulnerabilities in February 2024.
- 2025-12-31 — Backlog exceeds 27,000: By the end of 2025, the backlog of unprocessed vulnerabilities exceeded 27,000, raising concerns about NVD's effectiveness.
- 2026-04-01 — NVD sees 300,000 daily users: The NVD reported an average of over 300,000 unique users per day, highlighting its critical role in cybersecurity.
- 2026-05-29 — Inspector General report released: A report from the Department of Commerce's Inspector General outlined NIST's mismanagement of the NVD.
Related entities
- german.it (Domain)