Data Breach TodayArchived Jun 03, 2026✓ Full text saved
Auditors Accuse Agency of Mismanagement and Program Overlap Management by the National Institute of Standards and Technology of a repository of vulnerability data came under sharp criticism from federal auditors who said the agency approached it with "lack of strategic planning and decisive action."
Full text archived locally
✦ AI Summary· Claude Sonnet
Governance & Risk Management , Government , Industry Specific
Auditors Rip NIST Management of NVD Program
Auditors Accuse Agency of Mismanagement and Program Overlap
Greg Sirico • June 2, 2026
Credit Eligible
Get Permission
NIST's inability to keep up with record-setting levels of vulnerabilities by adding context such as severity scores and technical descriptions became acute starting in February 2024, when a contract for private sector support lapsed.
See Also: New Trend in Federal Cybersecurity: Streamlining Efficiency with a Holistic IT Approach eBook
The agency earlier this year announced it would stop attempting to make comprehensive entries for every new flaw tracked by the Common Vulnerabilities and Exposures in favor of a risk-based approach that takes its cue from the catalog of known exploited vulnerabilities maintained by the Cybersecurity and Infrastructure Security Agency.
Especially with the advent of new bug-hunting artificial tools, the number of annual CVEs has skyrocketed. Researchers found 40,000 new vulnerabilities in 2025 and are on track to identify 60,000 this year (see: AI-Driven Bug Tsunami Prompts Exploitability Questions).
A report from the Department of Commerce's Office of the Inspector General covering the period between October 2023 and December 2025 places blame for the backlog at the hands of agency staff.
The contract lapse "led to a virtual stoppage of vulnerability processing," increasing the number of backlogged vulnerabilities from 13,000 in June 2024 to over 27,000 by the end of 2025. The report projects the backlog will surpass 60,000 unprocessed vulnerabilities.
Auditors said NIST failed to prioritize the most critical vulnerabilities, was slow in integrating enrichment data provided by CISA and maintained inefficient processes. The report also concluded that NIST and CISA operated "overlapping vulnerability enrichment programs," citing 21,000 examples between May 2024 and December 2025 of duplicated enrichment actions.
A major source of delay in enriching CVEs has been calculating the risk score attached to them, using Common Vulnerability Scoring System methodology. "Although the standard is well defined, our review found that implementation is highly dependent on available information and professional judgment," auditors wrote. Simply adopting CVSS scores calculated by software vendors, who presumably have access to undisclosed risk information not available to NIST, would save the program roughly $800,000 over two years, auditors calculated.
The report contains six key recommendations including drafting a strategic plan for the NVD as well as a backlog management plan and coordinating more closely with CISA.
The agency, while agreeing with OIG's recommendations, pushed back on portions of the report, stating that auditors didn't "sufficiently address certain statutory requirements that impact NIST's management of the NVD."
NIST also took exception to auditors' characterization that NIST action to resolve the backlog "do not reflect" the agency's characterization of the NVD as a key piece of U.S. cybersecurity infrastructure. "This statement unnecessarily casts doubt on NIST's intentions and priorities," agency official wrote.