A report from the US Commerce department’s inspector general blames the National Institute of Standards and Technology (NIST) for the ever-growing backlog of vulnerabilities for inclusion in the National Vulnerability Database (NVD). But cybersecurity practitioners say that the backlog, although very real, has been building for years, and that the government is doing little to help.

NIST defenders point to budget cuts that have made its mission far more difficult. A potentially bigger issue is that the nature of vulnerability identification and patching has changed sharply over the last two years: genAI developments have dramatically increased the number of vulnerabilities discovered and accelerated the pace of those discoveries. That raises questions about whether NVD processes need to be completely re-envisioned.

Inter-agency squabbles

The Inspector General’s report blamed NIST for a variety of management and strategy shortcomings. 

“NIST’s lack of strategic planning and decisive action have allowed the backlog of unprocessed vulnerabilities to continue growing,” the report said, pointing out that NIST and the Cybersecurity and Infrastructure Security Agency (CISA) are operating two vulnerability enrichment programs with significant overlap, leading to duplicated efforts and waste of approximately $200,000 since May 2024. Additionally, it said, NIST’s insufficient communication has frustrated stakeholders and decreased confidence in the NVD.

The report also said, “NIST must improve the efficiency of enrichment processes to ensure sustainability. We estimate that NIST could put approximately $800,000 to better use over the next two years.”

It also attributed some of the issues with the vulnerability identification programs to bureaucratic infighting over the years, pointing out that for two years, CISA has been independently providing nearly all of the same enrichment data as NIST.

“Therefore,” it said, “an opportunity existed for NIST to leverage CISA’s data to expedite backlog reduction. However, NIST officials stated that the NVD system required technical updates to incorporate CISA’s enrichment data because the system lacked the capability to attribute data to specific sources.”

Because of this, before system updates and subsequent process changes were completed in March 2025, NIST refused to use CISA’s data because it would have appeared that an NVD analyst had performed the enrichment.

“While it is understandable that NIST wanted to be clear about the source of data in the NVD,” the report said, “it ultimately delayed vulnerability processing to distinguish whether enrichment was completed by NIST or CISA, both federal agencies with access to the same public information.”

Another example of inefficiency also involved enrichment: “In May 2024 … CISA launched its own vulnerability enrichment program, called Vulnrichment. At the time, CISA invited NIST to collaborate and issue a joint statement about the new program. However, NIST did not take part in a joint statement or issue any announcement about CISA’s program. Ultimately, the two programs have operated without coordination and have duplicated enrichment activities.”

NIST severity score calculations ‘may no longer be necessary’

Another concern cited was the reliability of NIST’s calculation of severity scores.

“To generate a severity score for vulnerabilities, NIST uses the industry standard Common Vulnerability Scoring System (CVSS). … Our review found that implementation is highly dependent on available information and professional judgment,” the report said, noting that in internal testing, severity scores among independent OIG evaluators matched just 12% of the time. “We concluded that severity scores vary depending on who performs the work and the information available to them.”

It added: “Traditionally, NIST calculated its own independent severity score for each vulnerability. NIST stated that it did so as part of its mandate to determine the nature and extent of information security vulnerabilities and independently assign severity metrics to identified vulnerabilities. However, NIST is not required to calculate a severity score for every vulnerability. Today, this approach may no longer be necessary and, considering the increasing volume of vulnerability submissions, is no longer sustainable.”

The IG report also included an official NIST response; CSO Online asked NIST for clarifications, but it did not respond before publication. 

In that response, NIST said that it agreed with all of the report’s technical recommendations, mostly involving creating a better strategic plan for the NVD and a better backlog management plan, but that it disagreed with the tone and phrasing used.

“Rather than assess the impact of NIST’s actions in a fair, factual, and objective manner, this statement unnecessarily casts doubt on NIST’s intentions and priorities,” the NIST response, attributed to Acting Director Craig Burkhardt, said. “The Draft Report is replete with language that goes beyond objective, factual evaluation.”

Industry response

However, some observers said that while the IG report was accurate, it missed the bigger picture.

“The backlog is getting all the attention, but underneath it, this is a money story. CISA was covering close to half the NVD’s funding and then walked away from it, and NIST’s lab budget got cut on top of that. You can’t pull that kind of money out of something this important and then act surprised when it breaks,” said Jeff Williams, CTO at Contrast Security.

He noted that the revelation that OIG analysts’ vulnerability severity calculations only matched NIST’s 12% of the time suggests that the measure, used by IT to prioritize fixes, “is barely better than guessing.” That should worry people more than the backlog does, he said.

Williams also argued that the manual parts of threat analysis no longer make much sense, pointing out that the “easy parts” of security such as scanning and ticketing are already automated.

“We got very good at producing findings and never got good at dealing with them. The real prevention work — threat modeling and looking hard at architecture — is still done by hand by a small number of senior people,” he pointed out. “We automated the wrong half. Where AI can be truly groundbreaking is helping with the expert work we could never hire enough people for, to prevent vulnerabilities in the first place.”

Braden Perry, a litigation, regulatory, and government investigations attorney at Kennyhertz Perry, also took issue with NIST’s defense that legal obligations forced it to make some of those decisions. 

“It’s a lawyer’s argument and a partial one,” he said. “The law sets the mission. It doesn’t dictate the choices that created the backlog. Here’s the distinction: NIST cites [a federal rule] which directs the agency to assign severity metrics to open source software vulnerabilities. That’s a mandate. But it only covers open source software, not all vulnerabilities. It says ‘severity metrics,’ not CVSS.”

And, he said, the rule doesn’t tell NIST to recalculate a score that a vendor or CISA already produced; that was NIST’s decision. “So the mandate is narrow and the practice is broad,” he said, pointing out that the inspector general’s report made that clear.

“The statutes NIST cites don’t say how to run the database or what to produce,” he noted. “They leave the operational calls to NIST. On the central question, whether NIST was legally compelled into this backlog, the answer is no. The duty to keep the database running is real. The mess was a choice.”

NIST’s complaints, he said, “are management failures, not statutory commands. [NIST] spends most of its energy arguing that the report was unfair and lacked context. That is a process complaint. It is not a defense of the record.”

Erik Avakian, technical counselor at Info-Tech Research Group, said the NVD issues identified in the report are less of a concern than the fact that too many enterprises have grown addicted to NVD as their sole source of vulnerability truth.

“I would ask the question: why are we waiting for NIST to tell us something that’s important?” Avakian said. “Organizations that are relying so much on the NVD have deeper maturity problems because NVD should be treated as a support function to a vulnerability management program, not the entirety of it.”

Ishraq Khan, CEO of coding productivity tool vendor Kodezi, added that the changing scale of vulnerability discovery is the bigger issue. 

“Cybersecurity infrastructure must scale at the same pace as vulnerability discovery. If discovery becomes exponentially faster through automation and AI, while enrichment and analysis remain heavily manual, the gap will continue widening,” Khan said.

“I suspect many CISOs will read this report less as an audit finding and more as a warning sign. The question is no longer whether vulnerabilities can be found. The question is whether the institutions responsible for organizing and prioritizing them can keep pace.”