Auditors Criticize NIST’s Management of the NVD Program

Auditors Accuse NIST of Mismanagement in Vulnerability Program

In a report publicized by the Department of Commerce’s Office of the Inspector General, serious criticisms have been directed toward the National Institute of Standards and Technology (NIST) for its handling of the National Vulnerability Database (NVD). The audit, which spans the period from October 2023 to December 2025, highlights significant mismanagement issues, particularly an alarming backlog of vulnerabilities and program overlap with the Cybersecurity and Infrastructure Security Agency (CISA).

The troubles at NIST began to intensify in February 2024, when a critical contract for private sector support expired. This lapse precipitated a staggering backlog of vulnerabilities awaiting processing, growing from 13,000 reported cases in June 2024 to 27,000 by the end of 2025. According to projections, the backlog is expected to surpass 60,000 unprocessed vulnerabilities in the near future.

Compounding the issue is NIST’s recent strategic shift toward prioritizing a risk-based approach rather than striving for comprehensive entries for every new flaw identified. This marks a significant pivot from their previous methods, opting to align more closely with CISA’s catalog of known exploited vulnerabilities. However, this decision has raised questions amid the rapidly escalating number of vulnerabilities reported each year. In 2025 alone, researchers identified an unprecedented 40,000 new vulnerabilities, and projections for the current year indicate a potential increase to 60,000. The rise in reported vulnerabilities has largely been attributed to advancements in artificial intelligence-driven bug-hunting tools.

Auditors have singled out NIST’s failure to effectively manage its processes and prioritize the most critical vulnerabilities as key factors contributing to the backlog. Furthermore, the report notes inefficiencies regarding the integration of enrichment data provided by CISA, with plenty of overlap between the two agencies’ vulnerability enhancement programs. Of particular concern is the identified duplication of 21,000 enrichment actions from May 2024 to December 2025, suggesting a lack of communication and coordination between NIST and CISA.

The complexity of calculating risk scores for vulnerabilities using the Common Vulnerability Scoring System (CVSS) has also played a significant role in delaying the enrichment of vulnerabilities. Although the CVSS standard is well-established, the report indicates that the execution of this scoring methodology is heavily reliant on available information and subjective professional judgment. Auditors have pointed out that leveraging CVSS scores calculated by software vendors—who might possess confidential data not accessible to NIST—could streamline processes and potentially save the program approximately $800,000 over the course of two years.

Overall, the report lays out six pivotal recommendations aimed at rectifying the issues identified. Among these recommendations is the urgent need for NIST to draft a strategic plan for the NVD, implement a comprehensive backlog management strategy, and enhance coordination with CISA to eliminate unnecessary overlaps and inefficiencies.

While NIST expressed agreement with many of the recommendations put forth by the Office of the Inspector General, they contested certain conclusions within the report. Agency officials expressed concern that auditors did not sufficiently address specific statutory requirements that influence how NIST manages the NVD. This contention reflects a broader tension between the auditors’ evaluation and NIST’s efforts to clarify its role within the framework of U.S. cybersecurity infrastructure.

The agency has also taken issue with the characterization of its attempts to address the backlog as inadequate, arguing that such statements cast unwarranted doubt on NIST’s commitment and priorities. In the statements provided, NIST officials insist that their actions reflect a strong intent to resolve the ongoing challenges faced by the NVD and reinforce its importance in securing national cybersecurity.

In conclusion, the auditors’ report not only sheds light on the profound mismanagement and systemic flaws within NIST but also underscores the mounting challenges in the realm of cyber vulnerability management. As the number of vulnerabilities escalates, it remains vital for organizations like NIST to enhance their operational strategies and improve coordination with other cybersecurity institutions. The ramifications of these oversights have far-reaching implications for national security and the efficacy of U.S. cybersecurity measures.