Audit Slams NIST Over NVD Collapse: 27,000 CVE Backlog and $200,000 in Wasted Funds


A Department of Commerce Office of Inspector General (OIG) audit, released on May 29, 2026, systematically documents how the National Institute of Standards and Technology (NIST) ineffectively managed the National Vulnerability Database (NVD). The report cites a lack of strategic planning, obsolete enrichment processes, and interagency duplication with CISA. These failures resulted in a backlog of over 27,000 un-enriched vulnerabilities, undermining the ability of defenders and security tools to consistently assess risk and prioritize patches.

Key Takeaways
  • The OIG identified four structural failures: the absence of a strategic plan, inefficient enrichment processes, overlapping responsibilities with CISA, and inadequate stakeholder communication.
  • The backlog of unprocessed vulnerabilities surged from approximately 13,000 in June 2024 to over 27,000 by the end of 2025, with annual reports projected to exceed 60,000 in 2026.
  • Between May 2024 and December 2025, NIST and CISA generated at least 21,000 instances of duplicated work using the same government contractor, resulting in an estimated waste of $200,000.
  • NIST’s calculated severity scores matched those of independent evaluators in only 12% of cases; in April 2026, NIST announced it would stop routine calculations and instead rely on CVE Numbering Authorities.

The 2024 Collapse: Two Years' Notice, Zero Action

The current crisis traces back to February 2024, when the support contract for vulnerability enrichment expired. According to the OIG audit, as reported by Help Net Security, NIST had two years of advance notice regarding the need for a new contractor but failed to have a replacement ready. The NVD program remained understaffed until late November 2024, leaving the database in a state of stagnation for nearly ten months.

By June 2024, the count of vulnerabilities awaiting enrichment stood at approximately 13,000. By the end of 2025, that figure had more than doubled, surpassing 27,000. The OIG projects that annual reported vulnerabilities will exceed 60,000 in 2026, a nearly tenfold increase compared to a decade ago. NIST has confirmed it lacks a strategic plan for the NVD, admitting the deficiency to investigators.

"We project that in 2026 the yearly total of reported vulnerabilities will surpass 60,000. This represents a nearly tenfold increase from a decade ago, further challenging NIST's ability to resolve the backlog" — US Department of Commerce Office of Inspector General (OIG)

Enrichment as a Manual Bottleneck

The core of the failure lies in the CVE enrichment pipeline. NIST receives raw reports from MITRE and is tasked with adding structural metadata: CVSS scores, CWE identifiers, CPE tags for affected products, and operational context. According to CyberScoop, approximately 80% of analyst workload was concentrated on two tasks: calculating severity scores and identifying affected products. Paradoxically, about 80% of vulnerability submissions already included a severity score from the submitter, making much of NIST's work redundant from the start.

Output quality was equally problematic. NIST’s severity scores matched independent evaluators only 12% of the time, CyberScoop reports. While NIST publicly committed to clearing the backlog by September 2024—targeting 6,200 vulnerabilities per month—the agency had never processed more than 5,000 per month in its history. The commitment was mathematically impossible under the existing architecture.

NIST-CISA Duplication: Same Contractor, Same Vulnerabilities

One of the audit's most striking findings involves the overlap with CISA. In May 2024, CISA launched "Vulnrichment," a parallel CVE enrichment program, without coordinating with NIST. Both agencies utilized the same government contractor and frequently completed the same tasks on the same vulnerabilities. The OIG identified at least 21,000 cases of duplicated work between May 2024 and December 2025, wasting an estimated $200,000. CyberScoop adds that NIST expects to save $800,000 over two years simply by ceasing its independent severity score calculations.

The failure to divide responsibilities between the two agencies exacerbated structural issues. CISA did not renew financial support for the NVD program in 2024, plunging NIST into a resource crisis that the agency failed to manage through reorganization or automation. The result was competition for scarce resources rather than functional complementarity.

Abdicating Universality: The New April 2026 Policy

NIST’s response to the impasse has been a de facto abandonment of its role as a universal enricher. In April 2026, the agency announced it would only enrich high-risk subsets: vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, government software, and software deemed critical under Executive Order 14028. NIST will stop routinely calculating its own severity scores, relying instead on those provided by CVE Numbering Authorities. Metadata for the remaining vulnerabilities must now come from the private market or remain as raw data.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop regarding the April decision: "They had to do something. NIST was woefully behind on classifying CVEs and would likely never have caught up." Childs added: "I'm not sure if it was a Herculean task or a Sisyphean one, but either way, they were set up for failure under their previous system."

This policy marks a major shift in global vulnerability management architecture. The NVD, established in 2005 as a central repository, served as a unified trust layer over the raw MITRE feed. Its erosion forces scanning tools, patch prioritization platforms, and federal compliance frameworks toward alternative sources—such as VulnCheck, European services, or proprietary vendor data—risking semantic fragmentation over what constitutes reliable "enriched" data.

Why It Matters

The dossier does not specify the concrete operational impact of the new prioritization policy on existing vulnerability management tools, nor does it detail the current implementation status of the six OIG recommendations accepted by NIST. CISA’s specific reaction to the duplication findings is not documented in the brief, nor is the potential outcome of the NVD Consortium announced in 2024.

Furthermore, the source does not clarify how the transition to a selective model will affect the historical fidelity of NVD data. CVSS, CPE, and CWE time series are standard inputs for risk quantification models and regulatory requirements. A systematic change in coverage introduces methodological discontinuities that data consumers must manage independently. The brief lists no mitigations for this effect.
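The enrichment fields described above (CVSS, CWE, CPE) and the switch to CNA-supplied scores both show up directly in the data a consumer pulls from the NVD. The following is an added example, not code from the OIG report, NIST, or CISA: it classifies CVE records by which NVD-owned enrichment fields are present and chooses a severity source with explicit provenance (NVD Primary metric, then a non-NVD Secondary metric such as a CNA score, else unscored), so a triage pipeline can see the coverage gap rather than silently treating an unenriched CVE as low risk. The record layout is modelled on the NVD API 2.0 JSON shape (assumed: `cve.id`, `cve.vulnStatus`, `cve.metrics.cvssMetricV31`, `cve.weaknesses`, `cve.configurations`); the three records are constructed samples, not real CVEs.

```python
"""Classify NVD-style CVE records by enrichment state and pick a severity source.

Added example, not code from the OIG report, NIST or CISA. The record layout is
modelled on the NVD API 2.0 JSON shape (an assumption); the records below are
constructed samples, not real CVE data.
"""
from typing import Optional

NVD_SOURCE = "nvd@nist.gov"  # source string NVD uses for its own Primary metrics

# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE_RECORDS = [
    {   # fully enriched by NIST: NVD Primary score, CWE and CPE all present
        "cve": {
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": NVD_SOURCE, "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
            ]},
            "weaknesses": [{"source": NVD_SOURCE, "type": "Primary",
                            "description": [{"lang": "en", "value": "CWE-79"}]}],
            "configurations": [{"nodes": [{"cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }
    },
    {   # backlog record: the CNA supplied a score, NIST added nothing
        "cve": {
            "id": "CVE-0000-0002",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [
                {"source": "security@example-cna.test", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
            ]},
        }
    },
    {   # backlog record with no score from anyone
        "cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
                "metrics": {}}
    },
]

CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")


def enrichment_state(record: dict) -> dict:
    """Report which NVD-owned enrichment fields (CVSS, CWE, CPE) are present."""
    cve = record["cve"]
    metrics = cve.get("metrics", {})
    nvd_cvss = any(m.get("source") == NVD_SOURCE
                   for key in CVSS_KEYS for m in metrics.get(key, []))
    nvd_cwe = any(w.get("source") == NVD_SOURCE
                  for w in cve.get("weaknesses", []))
    has_cpe = any(node.get("cpeMatch")
                  for cfg in cve.get("configurations", [])
                  for node in cfg.get("nodes", []))
    return {"id": cve["id"], "status": cve.get("vulnStatus"),
            "nvd_cvss": nvd_cvss, "nvd_cwe": nvd_cwe, "cpe": has_cpe}


def severity_source(record: dict) -> tuple[Optional[float], Optional[str], str]:
    """Pick a base score with provenance: NVD first, then any non-NVD (CNA) metric.

    Any Secondary metric not from NVD_SOURCE is treated as CNA-supplied here.
    Returns (score, severity, "nvd" | "cna" | "unscored").
    """
    metrics = record["cve"].get("metrics", {})
    candidates = [m for key in CVSS_KEYS for m in metrics.get(key, [])]
    for wanted in ("nvd", "cna"):
        for m in candidates:
            is_nvd = m.get("source") == NVD_SOURCE
            if (wanted == "nvd") == is_nvd:
                data = m["cvssData"]
                return data["baseScore"], data["baseSeverity"], wanted
    return None, None, "unscored"


def summarize(records: list) -> dict:
    """Count records per severity-provenance bucket, to size the coverage gap."""
    counts = {"nvd": 0, "cna": 0, "unscored": 0}
    for r in records:
        counts[severity_source(r)[2]] += 1
    return counts


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(enrichment_state(r), severity_source(r))
    print(summarize(SAMPLE_RECORDS))
```

Keeping the provenance label beside the score is the point: after the April 2026 change a large share of records will carry only a CNA score or none at all, and a consumer that collapses all three cases into one "baseScore" column loses exactly the discontinuity the text says it must manage.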

NIST is required to present a formal action plan to the OIG by July 25, 2026. Verification of the content and consistency of that plan is not currently available in the examined sources.

FAQ

Are the vulnerabilities in the backlog invisible or untraceable?

No. The CVEs exist in the MITRE feed; they simply lack NVD enrichment (CVSS, CWE, CPE). The issue is the quality and completeness of the metadata, not basic traceability.

Does CISA Vulnrichment completely replace the NVD?

No. The two programs overlap rather than substitute for one another. Both cover enrichment but without coordination, leading to duplication instead of complementarity.

Is this a technical issue (bug, breach) or a management failure?

The audit highlights governance and planning failures: a lack of strategy, non-scalable manual processes, and a failed contractual transition. It is not a cybersecurity incident in the conventional sense.
