30 May 2026 · 6 min read · By Erik Vanderwall

Federal Audit Reveals NIST's NVD Plagued by Poor Planning and Duplication

NIST's NVD backlog hit 27,000 flaws, with manual scoring matching independent results 12% of the time and $200,000 in duplication with CISA.


The agency has no plan to fix it. NIST's NVD, the federal government's central repository for software vulnerability data, suffers from poor planning, duplicated effort, and a ballooning backlog, and the agency does not have a long-term strategy to address any of it. A Department of Commerce inspector general report released Thursday laid out a damning portrait of mismanagement inside the National Vulnerability Database, which has served as a cornerstone of cybersecurity defense since 2005.

A Backlog With No End in Sight

The trouble started in February 2024 when the database's enrichment contract lapsed. Suddenly, new security flaws stopped getting the metadata that analysts and security teams rely on. Severity scores. Affected product lists. The context that turns a raw CVE number into something actionable. All of it stalled.

27,000.

That is how many unprocessed security flaws had piled up by the end of 2025, according to the report. Back in June 2024, the number sat at around 13,000. The backlog did not shrink. It got worse. And all the while, NIST's NVD kept accepting new submissions faster than it could enrich them.

The press release skipped this part. NIST publicly promised in May 2024 it would clear the entire backlog by September of that same year. The plan required processing 6,200 vulnerabilities per month. But the agency had never handled more than 5,000 in a single month, so the math simply didn't work, and NIST leaders admitted to investigators that they had no long-term plan for digging out.

The 12 Percent Match Rate

Now for the awkward part. The inspector general's office took a hard look at the severity scores produced by NIST analysts and compared them against scores from independent evaluators. They matched just 12 percent of the time.


It gets stranger still. According to the report, nearly 80 percent of vulnerability submissions already arrive with severity scores attached, and those scores are provided by the very companies responsible for the flawed software in the first place. NIST analysts are spending enormous time recalculating numbers that, in most cases, already exist. The report estimates that scaling back that redundant work over the next two years would save roughly $800,000, money that could be put to better use elsewhere.

Manual Processes, Major Delays

There is one detail worth pausing on. Analysts inside NIST's NVD spend about 80 percent of their time on exactly two tasks: calculating those severity scores and identifying affected products. The product identification work is painfully manual. Creating standardized product identifiers takes far longer than it should, and it keeps analysts chained to work that automation could accelerate. NIST is developing tools to speed things up, but for now, the process remains a major bottleneck.

Two Agencies, Duplicated Work

Then there is the duplication. In May 2024, the Cybersecurity and Infrastructure Security Agency launched its own Vulnrichment program without any coordination with NIST. The two agencies simply operated in parallel, sometimes duplicating the exact same enrichment tasks, and they even hired the same contractor for portions of the work.


Between May 2024 and December 2025, the inspector general identified at least 21,000 cases of duplicated effort, and the price tag for that redundancy came to approximately $200,000. That is taxpayer money spent twice for work that only needed doing once.

A Community Left in the Dark

The numbers tell a different story than the official statements. In April 2024, more than 50 cybersecurity professionals sent an open letter to Congress, warning that NIST was not being transparent about the database's struggles. Neither NIST nor the Department of Commerce responded. The cybersecurity community, which depends on NIST's NVD to prioritize patching across government networks and private sector infrastructure, was left guessing.

The Fallout

The consequences have rippled outward. NIST recently narrowed its priorities for the NVD, focusing only on:

  • Vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog
  • Software used by the federal government
  • Critical software identified under Executive Order 14028

Everything else gets lower priority. Meanwhile, the broader vulnerability tracking ecosystem is fragmenting. The CVE program, run by CISA, nearly shut down before an eleventh-hour, 11-month contract extension saved it in April 2025. European nonprofits and private entities have stood up competing databases, aiming to coordinate how vulnerabilities are tracked, disclosed, and patched without relying on a single struggling federal program.

Six Fixes, One Deadline

The inspector general laid out six recommendations. NIST agreed with all of them. The agency must now:

  • Create a long-term strategic plan for the database
  • Establish a backlog clearance plan with specific, measurable goals
  • Reduce unnecessary severity score calculations
  • Make it easier for outside organizations to help identify affected products
  • Immediately coordinate with CISA to stop duplicating work
  • Develop a communication strategy to keep users informed

The deadline is late July. That is when NIST must submit a plan showing how it will address every item on the list. The cybersecurity community will be watching. They have been watching for a while now. And they have not received many answers.

Frequently Asked Questions

What is the current size of the backlog of unprocessed security flaws in NIST's NVD according to the report?

According to the report, by the end of 2025 the backlog had reached 27,000 unprocessed security flaws. This number grew from around 13,000 in June 2024, showing that the backlog worsened over time.

Why did the inspector general's office find that NIST's severity score calculations are largely redundant?

The report found that nearly 80 percent of vulnerability submissions already arrive with severity scores provided by the companies responsible for the flawed software. NIST analysts are spending enormous time recalculating numbers that, in most cases, already exist, making the work largely unnecessary.

How did the lack of coordination between NIST and CISA lead to wasted taxpayer money?

In May 2024, CISA launched its own Vulnrichment program without coordinating with NIST, leading the two agencies to operate in parallel and sometimes duplicate the exact same enrichment tasks. The inspector general identified at least 21,000 cases of duplicated effort between May 2024 and December 2025, costing approximately $200,000 in redundant work.

When is NIST required to submit a plan addressing the inspector general's six recommendations?

The deadline is late July, by which NIST must submit a plan showing how it will address every item on the list of six recommendations. The cybersecurity community will be watching to see if NIST follows through on its agreement to all the recommendations.

Who sent an open letter to Congress in April 2024 expressing concerns about NIST's transparency regarding the NVD's struggles?

In April 2024, more than 50 cybersecurity professionals sent an open letter to Congress warning that NIST was not being transparent about the database's struggles. Neither NIST nor the Department of Commerce responded to the letter.

Erik Vanderwall
Written by
Security and Privacy Correspondent

Erik Vanderwall reports on information security, data breaches and the defenders working to keep systems safe. He follows the constant contest between attackers and the people trying to stop them.
