The U.S. Department of Commerce Office of Inspector General (OIG — the federal watchdog agency that independently audits government programs) has published a formal audit of NIST's management of the National Vulnerability Database (NVD — the world's primary public repository for CVE vulnerability metadata, including severity scores, affected product versions, and remediation guidance), finding a backlog that grew to more than 27,000 unprocessed vulnerability records, severity scoring that matched independent evaluators only 12% of the time, and at least 21,000 cases of duplicated effort with CISA's parallel Vulnrichment program — wasting approximately $200,000 in taxpayer funds. CyberScoop reported the IG findings on May 29, 2026. NIST agreed with all six IG recommendations and must submit an implementation plan by late July 2026.
// 01 NIST NVD: What the Inspector General Found
The NIST NVD — National Vulnerability Database, operated by the National Institute of Standards and Technology — has served since 1999 as the central reference for vulnerability metadata. Every CVE (Common Vulnerabilities and Exposures — a numbered identifier assigned to a publicly disclosed security flaw) receives an NVD entry that enriches the raw CVE with CVSS (Common Vulnerability Scoring System) severity scores, CPE (Common Platform Enumeration — standardized product identifiers used to match a CVE to specific software versions) strings, and links to vendor advisories. Security teams, vulnerability scanners, SIEM platforms, and compliance frameworks worldwide rely on NVD data to prioritize remediation work.
The Commerce Inspector General's audit documents a systematic breakdown across four dimensions:
The backlog grew beyond all targets. In early 2024, NIST's processing of new CVE submissions collapsed after the termination of a key support contract. The backlog of unanalyzed vulnerabilities grew from approximately 13,000 in June 2024 to over 27,000 by the end of 2025. NIST publicly promised to clear the backlog to zero by September 2024 — a promise it never achieved, and a target that required processing 6,200 CVEs per month when NIST's prior maximum throughput was 5,000 per month. Rather than clearing the backlog, NIST announced in April 2026 that all CVEs with an NVD publish date before March 1, 2026 would be categorized as "Not Scheduled," effectively moving the backlog off the books rather than processing it.
Severity scoring accuracy was critically low. NVD analysts independently re-score CVEs against vendor-provided CVSS scores. The IG audit found that NIST's severity scores matched those of independent evaluators only 12% of the time — meaning 88% of NVD severity scores differ from what a qualified independent analyst would assign. NIST analysts spend roughly 80% of their processing time on severity scoring and product identification. The IG found that approximately 80% of CVE submissions already included vendor-provided CVSS scores, making NIST's recalculation largely redundant — and inaccurate.
Duplication with CISA wasted $200,000. CISA (Cybersecurity and Infrastructure Security Agency) launched its own Vulnrichment program in May 2024 to address the NVD backlog. The two agencies — both U.S. government entities working on the same problem — failed to coordinate, resulting in at least 21,000 cases where NIST and CISA processed identical CVEs independently. Both agencies hired the same contractor for portions of the same tasks. The IG estimates approximately $200,000 in duplicated labor costs.
Communication failures persisted. Over 50 cybersecurity professionals sent an open letter to NIST and the Commerce Department in April 2024 expressing concern about NVD processing delays and transparency. Neither agency responded. The IG audit identified this non-response as a finding.

// 02 Impact on the Security Industry
The NIST NVD's dysfunction has concrete downstream effects on every organization that uses vulnerability scanners, SIEM platforms, or compliance frameworks:
Vulnerability scanners produce incomplete results. Tools like Qualys, Tenable Nessus, Rapid7 InsightVM, and dozens of others enrich their scan results with NVD metadata — CVSS scores, affected version ranges, and CPE identifiers. When a CVE has no NVD entry (because it is in the backlog), scanners either report it with incomplete metadata or miss it entirely. Security teams cannot prioritize what they cannot score.
Compliance frameworks break. Frameworks like FedRAMP (Federal Risk and Authorization Management Program — the U.S. government's cloud security authorization program), SOC 2, and PCI DSS require vulnerability management programs that remediate vulnerabilities based on severity scores. If severity scores are absent or wildly inaccurate — the IG found a 12% accuracy rate — compliance determinations become unreliable.
The CISA Vulnrichment program is the de facto replacement. CISA's program, launched in response to the NVD crisis, enriches CVEs directly through the CVE.org infrastructure. Many downstream consumers have already shifted to CISA Vulnrichment data as their primary source. The IG's finding that NIST and CISA duplicated 21,000 entries raises the question of whether the two programs should be formally consolidated.
// 03 NIST's Response
NIST accepted all six of the Inspector General's recommendations and must submit an implementation plan by late July 2026. Separately, in April 2026, NIST announced operational changes: the agency will prioritize enriching only the highest-risk CVEs going forward, and all backlogged CVEs with NVD publish dates before March 1, 2026 will be moved to a "Not Scheduled" category. This decision effectively abandons enrichment of the historical backlog rather than clearing it.
NIST's April 2026 announcement frames this as adaptation to CVE volume growth — CVE submissions increased 263% between 2020 and 2025. The IG frames it differently: as the product of poor planning, a missed remediation target, and organizational failures to coordinate with a parallel program at CISA.
// 04 What Security Teams Should Do
- Supplement NVD with CISA Vulnrichment data. Many vulnerability management platforms allow configuring alternative CVSS data sources. Check whether your scanner vendor has updated their data pipeline to incorporate CISA Vulnrichment entries for CVEs that lack NVD enrichment.
- Use vendor advisory data directly for high-risk CVEs. For any critical or high-severity CVE affecting your stack, do not rely solely on NVD metadata. Pull the vendor advisory directly for accurate affected version ranges and CVSS vectors.
- Flag the gap in your vulnerability management program. The combination of incomplete NVD metadata and low scoring accuracy means your scanner's risk-ranked finding list may have significant inaccuracies. Document this as a known gap in program communications.
- Monitor NIST's July 2026 implementation plan. If NIST's response to the IG recommendations includes meaningful operational changes — additional staffing, automation, or formal consolidation with CISA — update your data pipeline strategy accordingly.
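The first three recommendations above amount to a fallback order: take the vendor's own CVSS data when the CNA supplied it, fall back to CISA Vulnrichment enrichment when it did not, and explicitly record the CVEs that end up with no score at all. The following is an added example, not code from the article, NIST, or CISA. It assumes the CVE JSON 5.x record layout served by CVE.org, where the CNA's (vendor's) metrics sit under containers.cna.metrics and CISA Vulnrichment data arrives as an ADP container whose providerMetadata.shortName is "CISA-ADP". The three records it processes are constructed for illustration, with placeholder CVE IDs rather than real entries.

```python
"""Choose a severity source per CVE when NVD enrichment may be missing.

Added example, not code from the article or from NIST/CISA. It assumes the
CVE JSON 5.x record layout served by CVE.org: the CNA's (vendor's) metrics live
under containers.cna.metrics, and CISA Vulnrichment data arrives as an ADP
container with providerMetadata.shortName == "CISA-ADP". All records below are
constructed for illustration; the CVE IDs are placeholders, not real entries.
"""
from typing import Optional

CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")


def cvss_from_metrics(metrics: Optional[list]) -> Optional[tuple[float, str]]:
    """Return (baseScore, vectorString) from the first CVSS v3/v4 metric found."""
    for metric in metrics or []:
        for key in CVSS_KEYS:
            block = metric.get(key)
            if block and "baseScore" in block:
                return float(block["baseScore"]), block.get("vectorString", "")
    return None


def ssvc_from_metrics(metrics: Optional[list]) -> dict:
    """Collect CISA SSVC decision points (Exploitation, Automatable, Technical Impact)."""
    decisions = {}
    for metric in metrics or []:
        other = metric.get("other", {})
        if other.get("type") == "ssvc":
            for option in other.get("content", {}).get("options", []):
                decisions.update(option)
    return decisions


def severity_for(record: dict) -> dict:
    """Pick the best available severity source for one CVE record.

    Order follows the advice above: vendor (CNA) CVSS first, then any ADP
    (CISA Vulnrichment) CVSS; SSVC decision points are kept alongside when
    CISA supplied them; with no CVSS from either source the record is a gap.
    """
    cve_id = record.get("cveMetadata", {}).get("cveId", "UNKNOWN")
    containers = record.get("containers", {})
    result = {"cve": cve_id, "source": None, "score": None, "vector": None, "ssvc": {}, "gap": False}

    cna_cvss = cvss_from_metrics(containers.get("cna", {}).get("metrics"))
    if cna_cvss:
        result.update(source="cna", score=cna_cvss[0], vector=cna_cvss[1])

    for adp in containers.get("adp", []):
        provider = adp.get("providerMetadata", {}).get("shortName", "adp")
        metrics = adp.get("metrics")
        if result["source"] is None:
            adp_cvss = cvss_from_metrics(metrics)
            if adp_cvss:
                result.update(source=provider, score=adp_cvss[0], vector=adp_cvss[1])
        if provider == "CISA-ADP":
            result["ssvc"] = ssvc_from_metrics(metrics)

    if result["score"] is None:
        result["gap"] = True  # no CVSS from vendor or CISA: document as a known gap
    return result


def triage(records: list[dict]) -> dict:
    """Summarise a batch: how many CVEs got a score, from where, and which are gaps."""
    summary = {"scored": 0, "gaps": [], "by_source": {}}
    for rec in records:
        sev = severity_for(rec)
        if sev["gap"]:
            summary["gaps"].append(sev["cve"])
        else:
            summary["scored"] += 1
            summary["by_source"][sev["source"]] = summary["by_source"].get(sev["source"], 0) + 1
    return summary


# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE_RECORDS = [
    {   # vendor supplied its own CVSS v3.1 score
        "cveMetadata": {"cveId": "CVE-0000-00001"},
        "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}},
    },
    {   # vendor gave no score; CISA Vulnrichment added CVSS and SSVC
        "cveMetadata": {"cveId": "CVE-0000-00002"},
        "containers": {
            "cna": {"metrics": []},
            "adp": [{
                "providerMetadata": {"shortName": "CISA-ADP"},
                "metrics": [
                    {"cvssV3_1": {"baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
                    {"other": {"type": "ssvc", "content": {"options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}]}}},
                ],
            }],
        },
    },
    {   # nobody has scored it yet: this is the gap to document
        "cveMetadata": {"cveId": "CVE-0000-00003"},
        "containers": {"cna": {}},
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(severity_for(rec))
    print(triage(SAMPLE_RECORDS))
```

Running it prints one severity decision per record and a batch summary; the third record lands in the `gaps` list, which is the set a team would cite when documenting the known gap in its vulnerability management program. Feeding real CVE.org records in requires only replacing `SAMPLE_RECORDS` with the parsed JSON of the records you pull.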
// 05 Conclusion
The NIST NVD is the backbone of global vulnerability management, and the Inspector General's audit confirms what practitioners have known for two years: it is failing. A 27,000-CVE backlog, 12% scoring accuracy, and $200,000 in wasteful duplication with CISA represent not just an operational problem but a systemic risk to the security industry's ability to prioritize and respond to vulnerabilities. NIST's agreement to the IG's six recommendations and the July 2026 implementation plan deadline are the next milestones to watch.
For any queries, contact us at contact@cipherssecurity.com
