NIST Vulnerability Database Crippled by Backlog, Inspector General Finds
A critical cybersecurity vulnerability database run by NIST has become ineffective due to significant processing backlogs and mismanagement, an internal watchdog report revealed.

A key cybersecurity vulnerability database managed by the National Institute of Standards and Technology (NIST) has been significantly hampered by mismanagement and strategic failures, resulting in an extreme backlog of unprocessed security flaws. According to a report from the Department of Commerce's inspector general, NIST's National Vulnerability Database (NVD) saw its backlog swell from approximately 13,000 vulnerabilities in February 2024 to over 27,000 by the close of 2025. This substantial delay is undermining the NVD's core function as a critical tool for cybersecurity professionals in both government and industry to prioritize and address security risks.
The crisis reportedly began in February 2024 when NIST ceased payments to the contractors responsible for processing vulnerability submissions. The inspector general's report attributes the worsening situation to poor planning by NIST, which failed to meet its own goal of processing around 6,200 vulnerabilities monthly. This target was ambitious, given that NIST had historically processed no more than 5,000 per month, and the agency lacked a clear strategy for achieving the new objective. The report explicitly states, "NIST does not have sustainable processes to manage NVD submissions and will be unable to clear the backlog of unprocessed vulnerabilities or prevent future processing delays without significant changes."
Compounding the processing backlog, NIST also failed to coordinate effectively with the Cybersecurity and Infrastructure Security Agency (CISA). This lack of communication led to duplicated effort in at least 21,000 instances between May 2024 and December 2025. CISA had launched its own Vulnrichment program in May 2024, but when NIST later rehired its contractors it did not coordinate that work with CISA. In one instance, both agencies even contracted the same third-party vendor for identical work, highlighting the breakdown in inter-agency communication.
The report notes that NIST declined an early invitation from CISA to collaborate. The redundant processing of vulnerabilities already addressed by CISA has resulted in an estimated waste of $200,000 since May 2024. The inspector general noted that this "insufficient communication has frustrated stakeholders and decreased confidence in the NVD," which is at odds with NIST's stated view of the NVD as a vital piece of U.S. cybersecurity infrastructure.
To address these systemic issues, the inspector general has recommended several key changes. NIST should improve efficiency in assigning severity scores and identifying impacted products, as the report found that NIST's severity scores align with independent assessments only 12% of the time. The agency can reduce its focus on scoring, saving approximately $800,000 over two years, since 80% of submissions already include scores. Furthermore, NIST must develop a comprehensive plan to eliminate the backlog, enhance stakeholder communication, and, crucially, collaborate with CISA to prevent overlapping efforts.
NIST has concurred with the inspector general's recommendations and indicated a commitment to implementing improvements immediately, as stated in a letter from NIST Acting Director Craig Burkhardt included in the report. However, some industry experts, like Michael Daniel, president and CEO of the Cyber Threat Alliance, suggest that operational programs like the NVD might be better suited for CISA's mission, citing NIST's resource limitations.
The findings underscore a significant challenge in maintaining the integrity and timeliness of vulnerability information, which is essential for effective cybersecurity defense. The prolonged backlog not only erodes public trust but also leaves organizations potentially unaware of critical risks, delaying necessary patching and mitigation efforts.