- Commerce’s OIG said NIST is struggling to manage a growing vulnerability database backlog
- The audit identified planning, processing and coordination gaps affecting National Vulnerability Database operations
- NIST is implementing reforms aimed at improving efficiency and stakeholder confidence
The Department of Commerce Office of Inspector General has found that the National Institute of Standards and Technology has not effectively managed the National Vulnerability Database, concluding that current processes are insufficient to eliminate a growing backlog of cybersecurity vulnerabilities and keep pace with rising submission volumes.
According to the OIG’s report published May 26, NIST lacks sustainable processes for handling vulnerability submissions and will be unable to clear its backlog or prevent future delays without significant operational changes. The watchdog identified shortcomings in strategic planning, vulnerability processing, coordination with federal partners and stakeholder communications.
Why Did the OIG Criticize NVD Management?
The NVD serves as a central source of vulnerability information used by government agencies, contractors and private sector cybersecurity teams. NIST enriches Common Vulnerabilities and Exposures records with additional information, such as CVSS severity scores and affected product data expressed as CPE identifiers, to help organizations prioritize remediation efforts. Until a record is enriched, consumers that match vulnerabilities to their software inventories have little more than the CVE description to work from.
The OIG found that a contract lapse in February 2024 contributed to a growing backlog of unprocessed vulnerabilities. Although NIST publicly stated that it expected to eliminate the backlog by September 2024, auditors said the agency lacked a realistic plan to achieve that goal. The backlog expanded from about 13,000 vulnerabilities in June 2024 to more than 27,000 by the end of 2025.
According to the report, annual vulnerability submissions could surpass 60,000 in 2026, further increasing pressure on the program.
What Efficiency Issues Did Auditors Identify?
Auditors said NIST could improve the sustainability of the NVD by reducing duplicated work and streamlining enrichment activities. The report estimated that the agency could put approximately $800,000 to better use over the next two years by not independently calculating severity scores for records that already carry scores from other sources, such as the CVE Numbering Authority that assigned the CVE.
The OIG also found overlap between NIST’s enrichment efforts and the Cybersecurity and Infrastructure Security Agency’s Vulnrichment program, which adds severity, weakness and affected-product data to CVE records. According to the report, the agencies duplicated enrichment activities on at least 21,000 vulnerabilities between May 2024 and December 2025, resulting in an estimated $200,000 in unnecessary costs.
In addition, auditors said stakeholders expressed frustration with NIST’s communications regarding the backlog and vulnerability processing status, contributing to reduced confidence in the database.
How Is NIST Responding?
NIST concurred with all recommendations included in the report and said it is taking steps to address the findings. The agency said it is developing a strategic plan for the NVD, creating a backlog management plan, coordinating more closely with CISA and establishing a communications strategy for stakeholders. NIST also said it will no longer routinely calculate severity scores when those ratings have already been provided.
NIST announced operational updates in April that align with several of the recommendations. Those changes include a revised prioritization approach that focuses enrichment efforts on vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog, software used by federal agencies and vulnerabilities designated as critical under Executive Order 14028. Vulnerabilities outside those categories remain published in the database but may be designated as “Not Scheduled” for enrichment, meaning consumers should expect some records to carry only the data supplied by the CNA or other sources.
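The prioritization and scoring changes above, translated into what an NVD consumer can do on its own side: reuse a severity score that a CNA or ADP has already supplied rather than waiting for NIST, flag only records with no score at all for local scoring, and order work by KEV membership and local inventory. This is an added example, not NIST's or CISA's code. The records and KEV entries are constructed; the field names follow the NVD API 2.0 and KEV catalog JSON layouts as assumed here; `nvd@nist.gov` as the label for NVD's own CVSS entries is an assumption; and `priority_cpe_prefixes` stands in for an organization's inventory of federal-use or EO 14028 critical software.

```python
import json
from typing import Optional

# Assumed: the source string NVD attaches to its own CVSS entries.
NIST_SOURCE = "nvd@nist.gov"
TIER_RANK = {"KEV": 0, "priority-inventory": 1, "not-scheduled": 2}

# Constructed sample shaped like an NVD API 2.0 response (not real NVD data).
SAMPLE_NVD = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2099-0001", "vulnStatus": "Awaiting Analysis",
             # CNA-supplied score, no NIST score, no CPE configurations yet
             "metrics": {"cvssMetricV31": [{"source": "cna@example.test", "type": "Secondary",
                                            "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2099-0002", "vulnStatus": "Analyzed",
             # Both a NIST (Primary) and a CNA (Secondary) score; fully enriched with CPEs
             "metrics": {"cvssMetricV31": [
                 {"source": NIST_SOURCE, "type": "Primary",
                  "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
                 {"source": "cna@example.test", "type": "Secondary",
                  "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2099-0003", "vulnStatus": "Awaiting Analysis",
             "metrics": {}}},                      # nothing from anyone: must be scored locally
    {"cve": {"id": "CVE-2099-0004", "vulnStatus": "Awaiting Analysis",
             # ADP-supplied score (e.g. a Vulnrichment-style entry) on a non-priority product
             "metrics": {"cvssMetricV31": [{"source": "adp@example.test", "type": "Secondary",
                                            "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:othervendor:tool:2.1:*:*:*:*:*:*:*"}]}]}]}},
]})

# Constructed sample shaped like the CISA KEV catalog JSON (not the real catalog).
SAMPLE_KEV = json.dumps({"vulnerabilities": [{"cveID": "CVE-2099-0001"}]})


def cvss_entries(cve: dict) -> list:
    """All CVSS metric entries on a record, newest schema first."""
    metrics = cve.get("metrics", {})
    out = []
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        out.extend(metrics.get(key, []))
    return out


def best_external_score(cve: dict) -> Optional[float]:
    """Highest base score supplied by a non-NIST source (CNA or ADP), or None."""
    scores = [m["cvssData"]["baseScore"] for m in cvss_entries(cve)
              if m.get("source") != NIST_SOURCE]
    return max(scores) if scores else None


def matches_priority_inventory(cve: dict, prefixes) -> bool:
    """True if any CPE match criteria starts with one of the inventory prefixes.
    Records that have not been enriched carry no configurations, so this
    can only be False for them; KEV membership is the only signal left."""
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if any(m.get("criteria", "").startswith(p) for p in prefixes):
                    return True
    return False


def triage(nvd_json: str, kev_json: str, priority_cpe_prefixes) -> list:
    """Classify each NVD record by enrichment tier and by where its score comes from."""
    kev_ids = {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}
    results = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        external = best_external_score(cve)
        nist_scored = any(m.get("source") == NIST_SOURCE for m in cvss_entries(cve))
        if cve["id"] in kev_ids:
            tier = "KEV"
        elif matches_priority_inventory(cve, priority_cpe_prefixes):
            tier = "priority-inventory"
        else:
            tier = "not-scheduled"
        if external is not None:
            scoring = "reuse-external"      # no need to wait for, or redo, NIST scoring
        elif nist_scored:
            scoring = "nist-scored"
        else:
            scoring = "needs-local-scoring"  # no score from any source
        results.append({"cve_id": cve["id"], "status": cve.get("vulnStatus"),
                        "tier": tier, "scoring": scoring, "score": external})
    # Work order: KEV first, then inventory hits, then the rest; highest score first within a tier.
    results.sort(key=lambda r: (TIER_RANK[r["tier"]], -(r["score"] if r["score"] is not None else -1)))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_NVD, SAMPLE_KEV, {"cpe:2.3:a:examplecorp:widget"}):
        print(row)
```

The point of keeping `score` separate from `scoring` is that a consumer can act on a CNA or ADP score immediately while still recording that NIST has not yet weighed in; a record in "Awaiting Analysis" with no CPE data will never match an inventory prefix, which is exactly why the KEV check runs first.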