{"id":8388,"date":"2026-06-05T01:47:38","date_gmt":"2026-06-05T01:47:38","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8388"},"modified":"2026-06-05T01:47:38","modified_gmt":"2026-06-05T01:47:38","slug":"us-government-report-slams-nist-for-nvd-backlog","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8388","title":{"rendered":"US government report slams NIST for NVD backlog"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A report from the US Commerce Department\u2019s inspector general blames the National Institute of Standards and Technology (NIST) for the ever-growing backlog of vulnerabilities awaiting inclusion in the National Vulnerability Database (NVD). But cybersecurity practitioners say that the backlog, although very real, has <a href=\"https:\/\/www.csoonline.com\/article\/4008708\/beyond-cve-the-hunt-for-other-sources-of-vulnerability-intel.html\">been building for years<\/a>, and that the government is doing little to help.<\/p>\n<p>NIST defenders point to budget cuts that have made its mission far more difficult. And a potentially bigger issue is that the nature of vulnerability identification and patching has changed sharply over the last two years, via genAI developments that have <a href=\"https:\/\/www.csoonline.com\/article\/4180265\/anthropic-grants-project-glasswing-access-to-150-more-companies-with-a-focus-on-critical-infrastructure.html\">dramatically increased the number of vulnerabilities discovered<\/a> and accelerated the pace of those discoveries. 
That raises questions about whether NVD processes need to be completely re-envisioned.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Inter-agency squabbles<\/h2>\n<p><a href=\"https:\/\/www.oig.doc.gov\/wp-content\/OIGPublications\/OIG-26-020-I-SECURED.pdf\">The Inspector General\u2019s report<\/a> blamed NIST for a variety of management and strategy shortcomings.\u00a0<\/p>\n<p>\u201cNIST\u2019s lack of strategic planning and decisive action have allowed the backlog of unprocessed vulnerabilities to continue growing,\u201d the report said, pointing out that NIST and the Cybersecurity and Infrastructure Security Agency (CISA) are operating two vulnerability enrichment programs with significant overlap, leading to duplicated efforts and waste of approximately $200,000 since May 2024. Additionally, it said, NIST\u2019s insufficient communication has frustrated stakeholders and decreased confidence in the NVD.<\/p>\n<p>The report also said, \u201cNIST must improve the efficiency of enrichment processes to ensure sustainability. We estimate that NIST could put approximately $800,000 to better use over the next two years.\u201d<\/p>\n<p>It also attributed some of the issues with the vulnerability identification programs to bureaucratic infighting over the years, pointing out that for two years, CISA has been independently providing nearly all of the same enrichment data\u00a0as NIST.<\/p>\n<p>\u201cTherefore,\u201d it said, \u201can opportunity existed for NIST to leverage CISA\u2019s data to expedite backlog reduction. 
However, NIST officials stated that the NVD system required technical updates to incorporate CISA\u2019s enrichment data because the system lacked the capability to attribute data to specific sources.\u201d<\/p>\n<p>Because of this, before system updates and subsequent process changes were completed in March 2025, NIST refused to use CISA\u2019s data because it would have appeared that an NVD analyst had performed the enrichment.<\/p>\n<p>\u201cWhile it is understandable that NIST wanted to be clear about the source of data in the NVD,\u201d the report said, \u201cit ultimately delayed vulnerability processing to distinguish whether enrichment was completed by NIST or CISA, both federal agencies with access to the same public information.\u201d<\/p>\n<p>Another example of inefficiency also involved enrichment: \u201cIn May 2024 \u2026 CISA launched its own vulnerability enrichment program, called Vulnrichment. At the time, CISA invited NIST to collaborate and issue a joint statement about the new program. However, NIST did not take part in a joint statement or issue any announcement about CISA\u2019s program. Ultimately, the two programs have operated without coordination and have duplicated enrichment activities.\u201d<\/p>\n<h2 class=\"wp-block-heading\">NIST severity score calculations \u2018may no longer be necessary\u2019<\/h2>\n<p>Another concern cited was the reliability of NIST\u2019s calculation of severity scores.<\/p>\n<p>\u201cTo generate a severity score for vulnerabilities, NIST uses the industry standard Common Vulnerability Scoring System (CVSS). \u2026 Our review found that implementation is highly dependent on available information and professional judgment,\u201d the report said, noting that in internal testing, severity scores among independent OIG evaluators matched just 12% of the time. 
\u201cWe concluded that severity scores vary depending on who performs the work and the information available to them.\u201d<\/p>\n<p>It added: \u201cTraditionally, NIST calculated its own independent severity score for each vulnerability. NIST stated that it did so as part of its mandate to determine the nature and extent of information security vulnerabilities and independently assign severity metrics to identified vulnerabilities. However, NIST is not required to calculate a severity score for every vulnerability. Today, this approach may no longer be necessary and, considering the increasing volume of vulnerability submissions, is no longer sustainable.\u201d<\/p>\n<p>The IG report also included an official NIST response; CSO Online asked NIST for clarifications, but it did not respond before publication.\u00a0<\/p>\n<p>In that response, NIST said that it agreed with all of the report\u2019s technical recommendations, mostly involving creating a better strategic plan for the NVD and a better backlog management plan, but that it disagreed with the tone and phrasing used.<\/p>\n<p>\u201cRather than assess the impact of NIST\u2019s actions in a fair, factual, and objective manner, this statement unnecessarily casts doubt on NIST\u2019s intentions and priorities,\u201d the NIST response, attributed to Acting Director Craig Burkhardt, said. \u201cThe Draft Report is replete with language that goes beyond objective, factual evaluation.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Industry response<\/h2>\n<p>However, some observers said that while the IG report was accurate, it missed the bigger picture.<\/p>\n<p>\u201cThe backlog is getting all the attention, but underneath it, this is a money story. CISA was covering close to half the NVD\u2019s funding and then walked away from it, and NIST\u2019s lab budget got cut on top of that. 
You can\u2019t pull that kind of money out of something this important and then act surprised when it breaks,\u201d said <a href=\"http:\/\/linkedin.com\/in\/planetlevel\">Jeff Williams<\/a>, CTO at Contrast Security.<\/p>\n<p>He noted that the revelation that OIG analysts\u2019 vulnerability severity calculations matched NIST\u2019s only 12% of the time suggests that the measure, which IT uses to prioritize fixes, \u201cis barely better than guessing.\u201d That should worry people more than the backlog does, he said.<\/p>\n<p>Williams also argued that the manual parts of threat analysis no longer make much sense, pointing out that the \u201ceasy parts\u201d of security such as scanning and ticketing are already automated.<\/p>\n<p>\u201cWe got very good at producing findings and never got good at dealing with them. The real prevention work \u2014 threat modeling and looking hard at architecture \u2014 is still done by hand by a small number of senior people,\u201d he pointed out. \u201cWe automated the wrong half. Where AI can be truly groundbreaking is helping with the expert work we could never hire enough people for, to prevent vulnerabilities in the first place.\u201d<\/p>\n<p><a href=\"https:\/\/kennyhertzperry.com\/attorneys\/braden-perry\">Braden Perry<\/a>, a litigation, regulatory, and government investigations attorney at Kennyhertz Perry, also took issue with NIST\u2019s defense that legal obligations forced it to make some of those decisions.\u00a0<\/p>\n<p>\u201cIt\u2019s a lawyer\u2019s argument and a partial one,\u201d he said. \u201cThe law sets the mission. It doesn\u2019t dictate the choices that created the backlog. Here\u2019s the distinction: NIST cites [a federal rule] which directs the agency to assign severity metrics to open source software vulnerabilities. That\u2019s a mandate. But it only covers open source software, not all vulnerabilities. 
It says \u2018severity metrics,\u2019 not CVSS.\u201d<\/p>\n<p>And, he said, the rule doesn\u2019t tell NIST to recalculate a score that a vendor or CISA already produced; that was NIST\u2019s decision. \u201cSo the mandate is narrow and the practice is broad,\u201d he said, pointing out that the inspector general\u2019s report made that clear.<\/p>\n<p>\u201cThe statutes NIST cites don\u2019t say how to run the database or what to produce,\u201d he noted. \u201cThey leave the operational calls to NIST.\u00a0On the central question, whether NIST was legally compelled into this backlog, the answer is no. The duty to keep the database running is real. The mess was a choice.\u201d<\/p>\n<p>NIST\u2019s complaints, he said, \u201care management failures, not statutory commands. [NIST] spends most of its energy arguing that the report was unfair and lacked context. That is a process complaint. It is not a defense of the record.\u201d<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\">Erik Avakian<\/a>, technical counselor at Info-Tech Research Group, said the NVD issues identified in the report are less of a concern than the fact that too many enterprises have grown addicted to NVD as their sole source of vulnerability truth.<\/p>\n<p>\u201cI would ask the question: why are we waiting for NIST to tell us something that\u2019s important?\u201d Avakian said. \u201cOrganizations that are relying so much on the NVD have deeper maturity problems because NVD should be treated as a support function to a vulnerability management program, not the entirety of it.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/ishraqkhann\/\">Ishraq Khan<\/a>, CEO of coding productivity tool vendor Kodezi, added that the changing scale of vulnerability discovery is the bigger issue.\u00a0<\/p>\n<p>\u201cCybersecurity infrastructure must scale at the same pace as vulnerability discovery. 
If discovery becomes exponentially faster through automation and AI, while enrichment and analysis remain heavily manual, the gap will continue widening,\u201d Khan said. <\/p>\n<p>\u201cI suspect many CISOs will read this report less as an audit finding and more as a warning sign. The question is no longer whether vulnerabilities can be found. The question is whether the institutions responsible for organizing and prioritizing them can keep pace.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A report from the US Commerce department\u2019s inspector general blames the National Institute of Standards and Technology (NIST) for the ever-growing backlog of vulnerabilities for inclusion in the National Vulnerability Database (NVD). But cybersecurity practitioners say that the backlog, although very real, has been building for years, and that the government is doing little to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8389,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8388","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8388"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8388"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8388\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8389"}],"wp:attachment":[{"href"
:"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}