Captain Obvious Audits the NVD

During my recent trip to the East Coast several people linked an article from Recorded Future to me since it was on a topic I have written extensively about. The article covered a May 26 report from the Office of the Inspector General (OIG) at the Department of Commerce that was summarized as “mistakes have been made” in the operation of the National Vulnerability Database (NVD). The universal theme in comments made to me was along the lines of “they could have just asked you!”

So the tl;dr for this is that they are right. I have written a considerable amount about NVD on this blog as well as on social media and LinkedIn. Specifically, I have been critical of NVD’s slow speed in enrichment, extensive backlog, ridiculous budget, fuzzy statistics, and giving up. It is logical to assume that the OIG had to write a formal report for some reason or another, but it is curious why it wasn’t done before 2026. On the upside, the report is clear and does not hold back.

Just like it generally took the industry too long to notice and fully understand NVD’s shortcomings, we have to ask why it took an OIG so long to investigate and write such a report as well. The satirical idiom, “the speed of government” seems to be a universal constant in this case, with both NVD’s lack of action as well as OIG auditing.

I honestly didn’t read the Recorded Future article past the headline, nor another article frequently linked to me. Instead of doing that now I would rather highlight some bits from the report and offer some additional commentary. First, let’s establish what the audit covered precisely:

Our objective was to evaluate the effectiveness and sustainability of the National Institute of Standards and Technology’s (NIST’s) processes for managing cybersecurity vulnerabilities submitted to the National Vulnerability Database (NVD), including the long-term effectiveness of NIST’s strategy for reducing its vulnerability backlog and its measures to prevent future processing delays.

The OIG also asks the question, “Why this matters?” and their summary has some crucial elements to remember. The answer they provide is spot on. I have added bolding which is my emphasis:

The NVD provides crucial data to cybersecurity professionals in the public and private sectors. Through a process called enrichment, NVD analysts update vulnerability records with actionable information that cybersecurity professionals use to prioritize and remediate the vulnerabilities in software and systems. Timely NVD enrichment is essential to defend against cyber threats. A backlog of unprocessed vulnerabilities began in February 2024 and has continued to grow, undermining the NVD’s utility and public trust.

Next, the report gives four bullets that summarize major findings. The first bullet is a sad indictment of NVD staff, but something I have pointed out for a long time. Both MITRE’s CVE team and NIST’s NVD, while running these critically important vulnerability databases (VDBs), are not staffed by VDB experts. Also, no, it is not trivial to properly run one, despite seeming so on the surface. From the report:

What We Found

• NIST’s lack of strategic planning and decisive action have allowed the backlog of unprocessed vulnerabilities to continue growing.
• NIST must improve the efficiency of enrichment processes to ensure sustainability. We estimate that NIST could put approximately $800,000 to better use over the next 2 years.
• NIST and the Cybersecurity and Infrastructure Security Agency are operating two vulnerability enrichment programs with significant overlap, which has led to duplicated efforts and wasted approximately $200,000 since May 2024.
• NIST’s insufficient communication has frustrated stakeholders and decreased confidence in the NVD.

It’s almost as if the OIG just read my blogs and LinkedIn posts on the topic of the CVE ecosystem and NVD specifically. These are all points I have been making for many years. I do find it curious why they say only $800k could be put to better use when it seems as if NVD is squandering a much bigger budget. Does this mean the OIG thinks that the rest of their funding is being spent well? I certainly hope not.

The report also calls out the overlap in enrichment efforts by CISA and the NVD. I pointed this out in September 2024, when I sent in a Freedom of Information Act (FOIA) request for the respective contracts that overlap. Later the report says the two “wasted approximately $200,000 since May 2024.” I suspect that number is much higher. In reality, MITRE, NIST, and CISA have such incredible overlap that it is the biggest contributor to wasteful spending. The entire CVE ecosystem, as managed by those three agencies, should be run by one team under one house. The lack of efficiency on top of wasteful spending borders on comically absurd.

In the 30 days leading up to April 7, 2026, NIST reported that the NVD had approximately 300,000 unique users who downloaded an average of 22 terabytes of data every day.

For several years there have been ongoing complaints about the NVD API response times and availability. Companies like Flashpoint and VulnCheck, among others, have made a point to capture the NVD data and make it available via their own APIs to help customers avoid these issues. What is sad to me is that so many people continued to download NVD data despite the tens of thousands of vulnerabilities that remained unenriched. Banging your head against the wall repeatedly won’t make the data appear faster.

In February 2024, NIST’s NVD program experienced a contract lapse that led to a virtual stoppage of vulnerability processing, resulting in an unprecedented backlog.

It’s curious that the OIG did not provide more context here. At VulnCon in 2024 we learned directly from NVD staff that the funding was provided by CISA. Based on what was conveyed, it was not a “contract lapse” and more a decision by CISA to stop the funding. The wording used by Tanya Brewer at the time was “contract administration issue,” but the subsequent attempt at an explanation did not come across as a failure to “meet a deadline or satisfy a mandatory condition.” If that occurred, then details were not made public to the best of my recollection. That the following year CISA halted MITRE’s funding for CVE, only to agree to it at the last minute, strongly suggests there is something else going on. I have said many times I think this was a CISA power play to pull NVD and the CVE program in house but likely got derailed due to the CISA funding cuts in 2025.

Over the last two years many of us, myself included, have kept track of the NVD backlog. However, this chart is more damning as it puts the backlog versus actual work into better perspective.

The report goes into NVD’s enrichment specifically related to Common Platform Enumeration (CPE), the piece of metadata that makes the vulnerability information programmatically consumable by applications and a critical piece for operationalizing this data. In May 2025, I wrote a blog related to Tom Alrich’s ideas around a new VDB and went into some detail about the CPE problem under the second heading. The OIG observed some of the same attributes and problems while giving us an interesting tidbit which I have bolded.

Analysts spend the majority of the NVD enrichment process assigning a Common Platform Enumeration (CPE) applicability statement to each vulnerability. [..] NIST is solely responsible for maintaining the CPE dictionary of the standardized names used to build applicability statements, which are critical for automated vulnerability management.

In the next paragraph the OIG calls out the problem of NVD holding CPE hostage:

Additionally, NIST does not currently offer a tool for external parties to update or submit content to the CPE dictionary. Instead, updates are submitted via email, and NVD analysts must manually process each request. The time NVD analysts spend on this task is time taken away from clearing the backlog or processing new vulnerabilities.
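To make concrete why the CPE applicability statement is what turns a vulnerability record into something a scanner or asset-management tool can act on, here is an added example (my own illustration, not code from NIST, the NVD, or the OIG report) that parses CPE 2.3 formatted-string URIs and evaluates a simplified NVD-style applicability statement, a CPE criterion plus the optional versionStartIncluding/versionEndExcluding bounds, against a constructed software inventory. The vendor and product names and the version range are constructed for the example and do not refer to any real advisory.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The 11 components of a CPE 2.3 formatted string, in order.
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(uri: str) -> dict:
    """Split a CPE 2.3 formatted-string URI into its 11 named components."""
    if not uri.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 URI: {uri}")
    # Split on unescaped colons only; a '\:' inside a component is literal.
    parts = re.split(r"(?<!\\):", uri[len("cpe:2.3:"):])
    if len(parts) != 11:
        raise ValueError(f"expected 11 components, got {len(parts)}: {uri}")
    return dict(zip(CPE_FIELDS, parts))


def version_key(v: str) -> tuple:
    """Turn '2.4.10' into a comparable tuple so that 2.4.10 > 2.4.9.
    Numeric chunks sort before non-numeric ones (e.g. '2.4.1' < '2.4.1-beta')."""
    return tuple((0, int(c)) if c.isdigit() else (1, c) for c in re.split(r"[.\-]", v))


@dataclass
class Applicability:
    """Simplified NVD-style applicability statement: a CPE criterion (usually with
    version '*') plus optional range bounds, as found in NVD configurations."""
    cpe23: str
    version_start_including: Optional[str] = None
    version_start_excluding: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def _component_matches(criterion: str, actual: str) -> bool:
    # '*' (ANY) in the criterion matches anything; otherwise compare literally
    # (CPE names are case-insensitive).
    return criterion == "*" or criterion.lower() == actual.lower()


def applies_to(app: Applicability, installed_cpe: str) -> bool:
    """True if the installed product's CPE falls inside the applicability statement."""
    crit = parse_cpe23(app.cpe23)
    inst = parse_cpe23(installed_cpe)
    for field in CPE_FIELDS:
        if field != "version" and not _component_matches(crit[field], inst[field]):
            return False
    if crit["version"] != "*":
        # Criterion pins an exact version; range bounds are not used in that case.
        return crit["version"].lower() == inst["version"].lower()
    if inst["version"] in ("*", "-"):
        # An unknown installed version cannot be evaluated against a range.
        return False
    vk = version_key(inst["version"])
    if app.version_start_including and vk < version_key(app.version_start_including):
        return False
    if app.version_start_excluding and vk <= version_key(app.version_start_excluding):
        return False
    if app.version_end_including and vk > version_key(app.version_end_including):
        return False
    if app.version_end_excluding and vk >= version_key(app.version_end_excluding):
        return False
    return True


def affected(app: Applicability, inventory: list) -> list:
    """Return the inventory CPEs that the applicability statement covers."""
    return [cpe for cpe in inventory if applies_to(app, cpe)]


# Constructed inventory and statement (hypothetical vendor/product names).
INVENTORY = [
    "cpe:2.3:a:examplecorp:widgetd:2.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:widgetd:2.4.10:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:widgetd:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:othervendor:widgetd:2.4.1:*:*:*:*:*:*:*",
]
# "widgetd versions 2.0 up to, but not including, 2.5 are affected"
RANGE_STATEMENT = Applicability(
    cpe23="cpe:2.3:a:examplecorp:widgetd:*:*:*:*:*:*:*:*",
    version_start_including="2.0",
    version_end_excluding="2.5",
)

if __name__ == "__main__":
    for cpe in affected(RANGE_STATEMENT, INVENTORY):
        print("affected:", cpe)
```

Note that without the vendor/product/version components being populated by NVD (the enrichment step the report describes), `affected()` has nothing to compare against, which is exactly why an unenriched CVE is invisible to this kind of automation.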

From here the report goes back to the duplicated effort of having one company provide enrichment for both NVD and CISA. However, in their comparison of activity between the two it is important to note the OIG also appears to lack a full understanding of the enrichment landscape. Yes, this is pedantic, but at the same time absolutely critical:

The top line alone will hopefully raise eyebrows since the Common Vulnerability Scoring System (CVSS) has three distinct frameworks that are all used today. Version 2, 3, and 4 are quite different in their approaches but some companies are holdouts and do not adopt the latest versions. Risk Based Security wrote an open letter to FIRST about the problems with CVSSv2, and wrote an eight-part blog series on the shortcomings of CVSSv3 (now summarized in one blog by Flashpoint). It should be no surprise that CVSSv4 also has some serious issues that keep it from being more widely adopted. The Exploit Maturity metric alone makes me believe that the writers of the framework do not work with vulnerability intelligence.

This chart is vague in that it says both NIST and CISA “Assign a severity score using the CVSS”. This is important because NIST’s NVD no longer scores using v2 and has not adopted v4 unless a vendor does first. Likewise, CISA does not provide scores for all three frameworks, something that would be beneficial to organizations using this data. You cannot assume that everyone is using a given framework, and in most cases the frameworks do not cleanly translate to one another. That means that, given a CVSSv3 score, there isn’t a trivial conversion to v2 or v4.

Overall, the OIG report is fairly short when you ignore the intro and appendices. Despite that, the body of the report is accurate in calling out NVD and identifies several critical issues that have led it to become inefficient, ineffectual, and a liability to the global vulnerability ecosystem. With NVD throwing in the towel and giving up on enriching most vulnerabilities, organizations that rely on CVE and NVD’s enrichment are no doubt hurting at this point. I’d love to see a direct correlation of this to the number of breaches that occur, but that type of data has remained elusive for a long time.

Either way, if you are a U.S. taxpayer, it is time to demand better.
