Title Full
Evaluation of NIST’s Management of the National Vulnerability Database
Date Issued
Submitting OIG
Department of Commerce OIG
Agencies Reviewed/Investigated
Department of Commerce
Components
National Institute of Standards and Technology
Report Number
OIG-26-020-I
Report Description

Identifying and resolving security flaws and weaknesses in IT infrastructure—known as vulnerability management—helps prevent cyberattacks, data breaches, and system disruptions. The National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST), provides data for vulnerability management to cybersecurity professionals in the public and private sectors. A backlog of unprocessed vulnerabilities began in February 2024 and continued to grow, undermining the NVD’s utility and public trust.

Our objective was to evaluate the effectiveness and sustainability of NIST’s processes for managing cybersecurity vulnerabilities submitted to the NVD, including the long-term effectiveness of NIST’s strategy for reducing its vulnerability backlog and its measures to prevent future processing delays. NIST considers the NVD a key piece of the U.S. cybersecurity infrastructure, but its actions to resolve the growing backlog did not reflect that characterization. We found that NIST did not have sustainable processes to manage NVD submissions and would be unable to clear the backlog of unprocessed vulnerabilities or prevent future processing delays without significant changes.

We made six recommendations to help NIST manage and establish priorities for the NVD, improve the efficiency and sustainability of enrichment processes, and ensure the best use of government resources.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$200,000
Funds for Better Use
$800,000
Report updated under NDAA 5274
No

Open Recommendations

This report has 6 open recommendations.
Each open recommendation is listed below with its number, whether it is flagged as a significant recommendation, the questioned costs and funds for better use attributed to it, and the recommendation text.

Recommendation 1 (Significant: No; Questioned Costs: $0; Funds for Better Use: $0)

We recommend that the Under Secretary of Commerce for Standards and Technology instruct the ITL Director to create a strategic plan for the NVD that reflects the NVD’s role in the overall vulnerability management ecosystem, establishes priorities, and ensures long-term sustainability of processing capacity.

Recommendation 2 (Significant: No; Questioned Costs: $0; Funds for Better Use: $0)

We recommend that the Under Secretary of Commerce for Standards and Technology instruct the ITL Director to establish a backlog management plan that includes (1) an analysis of constraints and capacity, (2) a target date for resolving the backlog, (3) milestones to meet that goal, and (4) processes that prioritize critical vulnerabilities.

Recommendation 3 (Significant: No; Questioned Costs: $0; Funds for Better Use: $800,000)

We recommend that the Under Secretary of Commerce for Standards and Technology instruct the ITL Director to define in policy a strategy to minimize NIST’s efforts to calculate severity scores. Implementing this recommendation can put approximately $800,000 to better use.

Recommendation 4 (Significant: No; Questioned Costs: $0; Funds for Better Use: $0)

We recommend that the Under Secretary of Commerce for Standards and Technology instruct the ITL Director to ensure that the NVD has an efficient method for external parties to contribute to the enrichment of CPE applicability statements.

Recommendation 5 (Significant: No; Questioned Costs: $200,000; Funds for Better Use: $0)

We recommend that the Under Secretary of Commerce for Standards and Technology instruct the ITL Director to immediately begin coordinating with CISA to avoid duplicate enrichment activities and ensure the best use of government resources. Implementing this recommendation will prevent duplicate efforts that have already led to $200,000 in waste.

Recommendation 6 (Significant: No; Questioned Costs: $0; Funds for Better Use: $0)

We recommend that the Under Secretary of Commerce for Standards and Technology instruct the ITL Director to develop a communication strategy to keep stakeholders informed and instill confidence in the NVD.
