A Department of Commerce inspector general report released Thursday said the National Institute of Standards and Technology mismanaged the National Vulnerability Database, citing poor planning, inefficient operations, duplicate federal programs and weak communication. The database had a backlog of more than 27,000 unprocessed security flaws by the end of 2025, up from about 13,000 in June 2024.
KEY FACTS
- Backlog: Unprocessed vulnerabilities grew after the enrichment contract lapsed in February 2024.
- Planning gap: NIST leaders had no long-term plan for clearing the backlog.
- Inefficiency: Analysts spent about 80% of their time on severity scoring and identifying affected products.
- Duplication: The report found at least 21,000 cases of duplicated work with CISA’s Vulnrichment program.
The inspector general report said NIST publicly promised in May 2024 to clear the backlog by September 2024, but the agency had never processed more than 5,000 vulnerabilities a month and had set a goal of 6,200 a month. It also said NIST officials admitted they had no long-term plan for the database.
The report said the agency’s severity scores matched independent evaluators only 12% of the time. It also found that nearly 80% of submissions already included severity scores from software vendors, which made much of the work unnecessary. The inspector general estimated that reducing that effort could save $800,000 over two years.
The report also described a manual process for identifying affected products, which slows analysts and adds to the backlog. NIST is developing tools to speed that work, but the report said it remains a major bottleneck.
On duplication, the report said NIST and CISA did not coordinate when CISA launched its Vulnrichment program in May 2024. It said the agencies sometimes repeated the same work and even hired the same contractor for parts of it, wasting about $200,000 between May 2024 and December 2025. Over 50 cybersecurity professionals also sent Congress an open letter in April 2024 complaining that the database problems were not being communicated clearly.
WHY IT MATTERS
The database helps security teams decide which flaws to fix first, so delays and duplicate work can slow patching across government and private industry. NIST agreed with all six recommendations and must submit a plan by late July.