The Broadside · News

Commerce IG faults NIST on 27,000-vulnerability NVD backlog

The database agencies automate around is now the bottleneck, and another watchdog has put a date on the capacity problem.


TL;DR

The Commerce Department inspector general found that NIST lacks sustainable processes for the National Vulnerability Database and cannot clear a 27,000-plus vulnerability backlog without significant changes. Federal agencies, primes, contractors and managed service providers that depend on NVD enrichment for automated vulnerability management face continued delays. The backlog has doubled since May 2024, and reported vulnerabilities are projected to top 60,000 annually in 2026.

The Commerce Department inspector general has put a harder edge on a problem vulnerability teams already felt in their ticket queues: the National Institute of Standards and Technology does not have a sustainable operating model for the National Vulnerability Database. According to Inside Cybersecurity’s account of the May 26 audit, the IG found NIST will be unable to clear more than 27,000 unprocessed vulnerabilities or prevent future processing delays without significant changes.

That matters because the NVD is not a reference shelf. Federal agencies, defense primes, contractors and managed service providers wire it into vulnerability management workflows to enrich raw CVE records with CVSS severity scores, CWE weakness classifications and CPE product-applicability data, the fields that let a scanner match a CVE to an asset and a ticketing rule rank it. When enrichment lags, automated prioritization gets noisier, remediation queues get harder to defend, and the people responsible for patch decisions have to substitute local judgment for the shared data set everyone built their process around.
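What that substitution looks like inside a pipeline, as an added example (not code from the article, Inside Cybersecurity or NIST): a Python triage that reads NVD API 2.0 records, prefers NIST's own Primary CVSS score, falls back to the CNA-supplied Secondary score where NIST has not yet enriched the entry, and flags anything that still has no score or no CPE applicability data for manual review. The JSON sample is constructed, its CVE ids are placeholders, and the field names it assumes are those of the NVD API 2.0 response (`vulnStatus`, `metrics.cvssMetricV31`, `configurations`).

```python
"""Triage NVD API 2.0 records whose NIST enrichment has not arrived.

Added example, not code from the article or from NIST. Assumes the NVD API 2.0
response layout: each item is {"cve": {...}} with "vulnStatus", "metrics"
(cvssMetricV40 / cvssMetricV31 / cvssMetricV30 lists) and "configurations".
The sample below is constructed; its CVE ids are placeholders, not real entries.
"""

NVD_SOURCE = "nvd@nist.gov"


def pick_cvss(metrics):
    """Return (base_score, source) with source "nvd", "cna" or None.

    NIST's own score is the "Primary" entry from nvd@nist.gov; anything else
    (CNA or ADP supplied, type "Secondary") is the fallback while NVD lags.
    Newer CVSS versions are checked first.
    """
    primary = secondary = None
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        for entry in metrics.get(key, []):
            score = float(entry["cvssData"]["baseScore"])
            if entry.get("source") == NVD_SOURCE and entry.get("type") == "Primary":
                if primary is None:
                    primary = score
            elif secondary is None:
                secondary = score
    if primary is not None:
        return primary, "nvd"
    if secondary is not None:
        return secondary, "cna"
    return None, None


def has_applicability(cve):
    """True if the record carries at least one CPE match criterion, without
    which matching the CVE against an asset inventory cannot be automated."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            if node.get("cpeMatch"):
                return True
    return False


def triage(payload):
    """Score every record; flag for manual review anything not fully enriched.

    Returns rows sorted by score descending, unscored records last.
    """
    rows = []
    for item in payload.get("vulnerabilities", []):
        cve = item["cve"]
        score, source = pick_cvss(cve.get("metrics", {}))
        cpe_ok = has_applicability(cve)
        rows.append({
            "id": cve["id"],
            "status": cve.get("vulnStatus"),
            "score": score,
            "score_source": source,
            "has_cpe": cpe_ok,
            # Local judgment is required when NIST has not scored it or when
            # there is no CPE data to match it against installed software.
            "needs_review": source != "nvd" or not cpe_ok,
        })
    rows.sort(key=lambda r: (r["score"] is None, -(r["score"] or 0.0)))
    return rows


def enrichment_gap(rows):
    """Fraction of records still lacking NIST's Primary score (0.0 .. 1.0)."""
    if not rows:
        return 0.0
    return sum(r["score_source"] != "nvd" for r in rows) / len(rows)


# Constructed sample in NVD API 2.0 shape; ids are placeholders.
SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": NVD_SOURCE, "type": "Primary",
                  "cvssData": {"version": "3.1", "baseScore": 9.8}},
                 {"source": "cna@vendor.example", "type": "Secondary",
                  "cvssData": {"version": "3.1", "baseScore": 7.5}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@vendor.example", "type": "Secondary",
                  "cvssData": {"version": "3.1", "baseScore": 8.1}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis"}},
]}


if __name__ == "__main__":
    rows = triage(SAMPLE)
    for row in rows:
        print(row)
    print("share lacking NIST enrichment:", enrichment_gap(rows))
```

The design point is that the fallback is explicit and labelled: a CNA score keeps the ticket in the queue at a defensible position, but `needs_review` stays set until NIST's Primary score and CPE data arrive, so the records the backlog is hiding are visible rather than silently treated as low priority. The same `enrichment_gap` figure, tracked over each feed pull, is a cheap local measure of the lag the IG report describes.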

The ugly number is the growth rate. NIST awarded a new enrichment support contract in May 2024 and publicly targeted clearing a roughly 13,000-vulnerability backlog by September 2024. The IG said NIST did not have an internal plan or take decisive action to meet that goal, and the backlog grew to more than 27,000 by the end of 2025. The report also projects annual vulnerability submissions will exceed 60,000 in 2026, nearly ten times the volume from a decade earlier.

The IG’s remedy is not a slogan. It calls for a strategic plan for the NVD’s role in the vulnerability management landscape and a backlog management plan with capacity analysis, a target resolution date, milestones and processes that prioritize critical vulnerabilities. NIST’s April 2025 risk-based prioritization approach may be part of that answer. The open question is whether it is enough, or whether the NVD’s problem is simpler and less flattering: the federal vulnerability data pipeline has outgrown the staffing, funding and management model built to run it.


Deep Fathom