Executive Gov
  • Home
  • Acquisition & Procurement
  • Agencies
    • DoD
    • Intelligence
    • DHS
    • Civilian
    • Space
  • Cybersecurity
  • Technology
  • Awards
  • News
  • About
  • Wash100
  • Contact Us
    • Advertising
    • Submit your news
No Result
View All Result
Executive Gov
  • Home
  • Acquisition & Procurement
  • Agencies
    • DoD
    • Intelligence
    • DHS
    • Civilian
    • Space
  • Cybersecurity
  • Technology
  • Awards
  • News
  • About
  • Wash100
  • Contact Us
    • Advertising
    • Submit your news
No Result
View All Result
Executive Gov
No Result
View All Result
Home Federal Civilian

Commerce OIG Calls for Changes to NIST Vulnerability Database Management

by Kristen Smith
June 2, 2026
in Federal Civilian, News
Commerce Department seal. Commerce's OIG said NIST lacks sustainable processes for managing NVD.

Commerce's OIG said NIST lacks sustainable processes for managing the National Vulnerability Database.

  • Commerce’s OIG said NIST is struggling to manage a growing vulnerability database backlog
  • The audit has identified planning, processing and coordination gaps affecting National Vulnerability Database operations
  • NIST is implementing reforms aimed at improving efficiency and stakeholder confidence

The Department of Commerce Office of Inspector General has found that the National Institute of Standards and Technology has not effectively managed the National Vulnerability Database, concluding that current processes are insufficient to eliminate a growing backlog of cybersecurity vulnerabilities and keep pace with rising submission volumes.

Table of Contents

    • You might also like
    • NGA Seeks Industry Input on Future GEOINT Analytic Technologies
    • Mike Lynch: GSA Eyes OneGov Expansion Beyond Software
    • NNSA, HPE, NVIDIA to Build 2 Supercomputers at Los Alamos National Laboratory
  • Why Did the OIG Criticize NVD Management?
  • What Efficiency Issues Did Auditors Identify?
  • How Is NIST Responding?

You might also like

NGA Seeks Industry Input on Future GEOINT Analytic Technologies

Mike Lynch: GSA Eyes OneGov Expansion Beyond Software

NNSA, HPE, NVIDIA to Build 2 Supercomputers at Los Alamos National Laboratory

According to the OIG’s report published May 26, NIST lacks sustainable processes for handling vulnerability submissions and will be unable to clear its backlog or prevent future delays without significant operational changes. The watchdog identified shortcomings in strategic planning, vulnerability processing, coordination with federal partners and stakeholder communications.Commerce OIG Calls for Changes to NIST Vulnerability Database Management

The challenges highlighted in the NVD report underscore the importance of cybersecurity modernization in federal civilian agencies. Learn how agencies are addressing evolving cyber risks and technology priorities at the Potomac Officers Club’s 2026 FedCiv Summit on Oct. 29. Register now!

Why Did the OIG Criticize NVD Management?

The NVD serves as a central source of vulnerability information used by government agencies, contractors and private sector cybersecurity teams. NIST enriches Common Vulnerabilities and Exposures records with additional information, such as severity ratings and affected product data, to help organizations prioritize remediation efforts.

The OIG found that a contract lapse in February 2024 contributed to a growing backlog of unprocessed vulnerabilities. Although NIST publicly stated that it expected to eliminate the backlog by September 2024, auditors said the agency lacked a realistic plan to achieve that goal. The backlog expanded from about 13,000 vulnerabilities in June 2024 to more than 27,000 by the end of 2025.

According to the report, annual vulnerability submissions could surpass 60,000 in 2026, further increasing pressure on the program.

What Efficiency Issues Did Auditors Identify?

Auditors said NIST could improve the sustainability of the NVD by reducing duplicated work and streamlining enrichment activities. The report estimated that the agency could allocate approximately $800,000 more effectively over the next two years. This would be by limiting independent severity scoring when vulnerability records already contain scores from other sources.

The OIG also found overlap between NIST’s enrichment efforts and the Cybersecurity and Infrastructure Security Agency’s Vulnrichment program. According to the report, the agencies duplicated enrichment activities on at least 21,000 vulnerabilities between May 2024 and December 2025, resulting in an estimated $200,000 in unnecessary costs.

In addition, auditors said stakeholders expressed frustration with NIST’s communications regarding the backlog and vulnerability processing status, contributing to reduced confidence in the database.

How Is NIST Responding?

NIST concurred with all recommendations included in the report and said it is taking steps to address the findings. The agency said it is developing a strategic plan for the NVD, creating a backlog management plan, coordinating more closely with CISA and establishing a communications strategy for stakeholders. NIST also said it will no longer routinely calculate severity scores when those ratings have already been provided.

NIST announced operational updates in April that align with several of the recommendations. Those changes include a revised prioritization approach that focuses enrichment efforts on vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog, software used by federal agencies and vulnerabilities designated as critical under Executive Order 14028. Vulnerabilities outside those categories may remain published in the database but could be designated as “Not Scheduled” for enrichment.

Stay connected via Google News
Follow us for the latest travel updates and guides.
Add as preferred source on Google
Share5Tweet19

Recommended For You

NGA Seeks Industry Input on Future GEOINT Analytic Technologies

by Nora Camden
July 17, 2026
NGA logo. The agency has released an RFI seeking industry input on future GEOINT analytic technologies.

NGA is conducting market research for Future GEOINT Analytic TechnologiesThe sources-sought notice is posted exclusively on the classified ARC website and requires a TS/SCI clearanceIndustry responses are due...

Read moreDetails

Mike Lynch: GSA Eyes OneGov Expansion Beyond Software

by Jane Edwards
July 17, 2026
Mike Lynch. The GSA deputy administrator said the agency is looking to broaden the scope of the OneGov initiative.

GSA is exploring ways to broaden OneGov savings beyond tech offeringsOneGov has drawn agreements from Adobe, Microsoft, Google and other major tech firmsThe 2026 FedCiv Summit will discuss...

Read moreDetails

NNSA, HPE, NVIDIA to Build 2 Supercomputers at Los Alamos National Laboratory

by Jamie Bennet
July 17, 2026
Brandon Williams. The NNSA administrator commented on new supercomputer projects for the Los Alamos National Laboratory.

The National Nuclear Security Administration has released details of the development of two supercomputers at Los Alamos National LaboratoryThe Mission and Vision supercomputers will use NVIDIA's Vera Rubin...

Read moreDetails

SDA’s Third Tranche 1 Launch Puts 21 More Data Transport Satellites in Orbit

by Kristen Smith
July 17, 2026
York Space Systems logo. SDA's third Tranche 1 launch delivered 21 York Space satellites to orbit for PWSA.

A SpaceX Falcon 9 carried 21 York-built data transport satellites to low Earth orbitThe satellites will support missile threat tracking through secure, low-latency links reaching beyond line of...

Read moreDetails

Navy’s First In-House Cold Spray Repair Center Opens at NSWC Crane

by Miles Jamison
July 17, 2026
NSWC Crane logo. Naval Surface Warfare Center, Crane Division has opened its Metal Additive Manufacturing Repair Center.

NSWC Crane’s MADMAN Repair Center is designed for advanced metal repairsThe facility uses cold spray additive manufacturing to restore damaged metal parts without heat-related structural damageThe center enables...

Read moreDetails
Sign Up For Our Newsletter
Subscribe to our mailing list to receives daily updates direct to your inbox!
Invalid email address
Your privacy is guranteed.
Thanks for subscribing!

Sponsors

About ExecutiveGov

ExecutiveGov, published by Executive Mosaic, is a site dedicated to the news and headlines in the federal government. ExecutiveGov serves as a news source for the hot topics and issues facing federal government departments and agencies such as Gov 2.0, cybersecurity policy, health IT, green IT and national security. We also aim to spotlight various federal government employees and interview key government executives whose impact resonates beyond their agency.

CATEGORIES

  • Acquisition & Procurement
  • Announcements
  • Articles
  • Artificial Intelligence
  • Awards
  • Big Data & Analytics News
  • C4ISR
  • Civilian
  • Cloud
  • Contract Awards
  • Cybersecurity
  • Defense And Intelligence
  • Defense Security Cooperation
  • DHS
  • Digital Assets
  • Digital Modernization
  • DoD
  • Events
  • Executive Moves
  • Executive Spotlights
  • Federal Civilian
  • Financial Reports
  • Foreign Military Sales
  • General News
  • GovCon Expert
  • Government Cloud
  • Government Technology
  • GSA
  • Healthcare IT
  • Industry News
  • Intelligence
  • Legislation
  • M&A Activity
  • National Security
  • News
  • Policy Updates
  • Press Releases
  • Profiles
  • Space
  • Videos
  • Wash100
Sign Up For Our Newsletter
Subscribe to our mailing list to receives daily updates direct to your inbox!
Invalid email address
Your privacy is guranteed.
Thanks for subscribing!

Copyright 2026 Executive Mosaic. All Rights Reserved. Site Archive

No Result
View All Result
  • Home
  • Acquisition & Procurement
  • Agencies
    • DoD
    • Intelligence
    • DHS
    • Civilian
    • Space
  • Cybersecurity
  • Technology
  • Awards
  • News
  • About
  • Wash100
  • Contact Us
    • Advertising
    • Submit your news

Copyright 2026 Executive Mosaic. All Rights Reserved. Site Archive

Get your free GovCon news!

Get your latest GovCon news and insights. Become a VIP and subscribe to the GovConWire Daily News.

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
Thanks for subscribing!