Commerce IG Audit Exposes Deep Problems Inside NIST's Vulnerability Database
A formal audit report from the U.S. Department of Commerce's Office of Inspector General has laid bare systemic problems inside the National Vulnerability Database (NVD) — the world's most widely used public repository for standardized vulnerability metadata. The report details how poor planning, inadequate oversight, and a failure to coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) allowed a backlog of more than 27,000 unprocessed security flaws to accumulate unchecked.
The NVD is maintained by NIST (National Institute of Standards and Technology) and serves as the authoritative source of CVE enrichment data — CVSS scores, weakness classifications, affected product information, and remediation references — used by security teams, scanners, and patch management systems worldwide. Delays in processing vulnerabilities translate directly into slower patch prioritization across thousands of organizations that rely on this data.
What the Audit Found
A Backlog That Grew Unchecked
The Inspector General's report found that NIST lacked adequate internal controls to prevent the NVD's processing backlog from ballooning. The backlog — now exceeding 27,000 unanalyzed CVE entries — grew because:
- Staffing and resource planning failed to keep pace with the accelerating rate of CVE disclosures globally. The number of new CVEs submitted each year has grown dramatically, and NIST did not adequately model or plan for this trajectory.
- No escalation mechanism existed to flag when processing times crossed acceptable thresholds, allowing the backlog to compound over months without triggering remediation.
- Performance metrics were insufficient to give leadership visibility into the true scope of the problem as it developed.
The practical effect: security teams relying on NVD data for newly disclosed vulnerabilities may find enrichment metadata missing or months out of date, degrading the effectiveness of vulnerability management programs built on NVD feeds.
Duplication with CISA Programs
The audit also found that NIST and CISA were performing overlapping work on vulnerability enrichment — a waste of federal resources at a time when both agencies face budget pressure and competing demands. CISA has been expanding its own Known Exploited Vulnerabilities (KEV) catalog and vulnerability enrichment capabilities, in part to compensate for NVD delays.
Rather than coordinating their programs to divide labor and maximize coverage, the two agencies were "duplicating work," according to the IG's findings. The report calls for improved interagency coordination to eliminate redundant effort and focus both agencies on complementary roles.
Governance and Accountability Gaps
Beyond the operational failures, the audit identified governance weaknesses including:
- Insufficient executive oversight of NVD program health
- A lack of documented performance targets for enrichment timelines
- No formal process for managing contractor and staffing capacity against variable workload
Why This Matters for Defenders
The NVD's status as a foundational piece of the global vulnerability management ecosystem means these failures have real downstream consequences.
CVSS scores and CPE mappings delayed → Automated vulnerability scanners that depend on NVD metadata return incomplete or inaccurate results for newly published CVEs, forcing security teams to manually research or accept risk without data.
Patch prioritization degraded → Many organizations use CVSS scores as a primary filter for determining which vulnerabilities to patch first. If scores aren't published for weeks or months after CVE assignment, organizations may deprioritize critical flaws without realizing their severity.
Third-party tools affected → Security information and event management (SIEM) systems, vulnerability management platforms, and asset management tools that ingest NVD feeds will reflect the gaps and delays, degrading the overall quality of intelligence available to defenders.
The IG report validates what many practitioners have observed in practice since early 2024, when NVD processing times began visibly deteriorating.
Background: The NVD Processing Crisis
The problems identified in this audit are not new. The security community noticed a sharp increase in unprocessed CVE entries beginning in early 2024, when NVD began falling behind on enriching newly published vulnerabilities with CVSS scores and CPE data. NIST attributed the delays at the time to process changes, an increase in software and therefore vulnerabilities, and work to update how it handles software identification.
The IG audit now places those failures in a governance context: the problem wasn't just external volume pressure, but internal planning failures that left the program unable to respond to a foreseeable scaling challenge.
CISA and NIST have announced coordination efforts aimed at addressing the gap. The federal cybersecurity community has also discussed whether the NVD model — a single government agency manually enriching thousands of CVEs annually — remains sustainable as the pace of vulnerability disclosure continues to accelerate.
What the Recommendations Say
The IG report includes recommendations for NIST to:
- Develop and implement a formal workload management plan that aligns staffing and resources with CVE processing volume
- Establish measurable performance targets for enrichment timelines and publish them publicly
- Coordinate with CISA to formalize the division of labor between NVD and CISA vulnerability programs
- Implement monitoring and escalation processes to catch and address backlogs before they become critical
NIST's response to the audit, and whether it concurred with the recommendations, was not detailed in the reporting available at publication time.
What Organizations Should Do
Until the backlog is resolved and NVD processing returns to consistent timelines, security teams should:
- Supplement NVD data with additional threat intelligence sources (vendor advisories, CISA KEV, security research feeds) for newly published vulnerabilities
- Avoid sole reliance on CVSS scores from NVD for newly disclosed CVEs — cross-reference with vendor advisories and exploit availability data
- Monitor the NVD processing status page for real-time information on enrichment lag
- Track CISA KEV additions as a high-confidence signal for actively exploited vulnerabilities, independent of NVD enrichment status
The IG audit confirms what many security teams have worked around for over a year. Whether the recommendations translate into operational improvements — and on what timeline — will determine whether NVD can reclaim its role as a reliable, timely foundation for vulnerability management programs.
Sources: Cyberscoop reporting on the Commerce Office of Inspector General audit of NIST's NVD program, published May 29, 2026.