Full Report
NIST’s National Vulnerability Database (NVD) backlog mushroomed from 13,000 unprocessed security vulnerabilities in February 2024 to more than 27,000 by the end of 2025, “undermining the NVD’s utility and public trust,” according to an inspector general report.
Analysis Summary
# Industry News: NIST National Vulnerability Database Crisis Reaches Critical Breaking Point
## Summary
A Department of Commerce Inspector General report has revealed a catastrophic backlog in the National Vulnerability Database (NVD), which expanded from 13,000 unprocessed flaws in early 2024 to over 27,000 by late 2025. The report cites "mismanagement," "poor planning," and a failure to coordinate with CISA as primary reasons for the database's decline, effectively rendering the U.S. government’s primary vulnerability tool ineffective.
## Key Details
- **Date:** June 1, 2026 (Report Release)
- **Companies Involved:** National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA), Department of Commerce.
- **Category:** Regulatory/Government Policy & Operational Failure
## The Story
The NVD, long considered the "gold standard" for security professionals to track and prioritize software flaws, entered a period of steady decline beginning in February 2024 when NIST halted payments to essential processing contractors. Despite public pledges to clear the backlog by late 2024, the agency failed to meet its monthly processing goals, often aiming for volumes it had never historically achieved.
The audit uncovered significant bureaucratic friction, including "insufficient communication" between NIST and CISA. Notably, both agencies unknowingly hired the same contractor to perform identical vulnerability work, wasting approximately $200,000. Furthermore, NIST’s internal vulnerability scoring was found to be largely redundant, as 80% of submissions already included scores from vendors, and NIST’s independent assessments only matched industry peer scores 12% of the time.
## Business Impact
### For the Companies Involved
- **NIST:** Massive loss of reputational capital and institutional trust. The agency is under pressure to cede operational control of the NVD to CISA.
- **CISA:** Now positioned as the de facto leader in vulnerability enrichment through its "Vulnrichment" program, potentially gaining more federal funding and oversight.
### For Competitors (Private Sector Data Providers)
- **Increased Demand:** Commercial vulnerability intelligence feeds (e.g., Recorded Future, Mandiant, Snyk) are seeing a surge in value as NVD data becomes unreliable.
- **Market Opportunity:** Companies that provide high-fidelity, proprietary vulnerability scoring can now capture market share from those who previously relied solely on free government data.
### For Customers (End-User Organizations)
- **Risk Exposure:** Security teams that prioritize patching from NVD data are working from incomplete records. A backlogged CVE exists in the database but carries no NIST-assigned CVSS score and no CPE configuration, so CPE-matching scanners do not flag it and severity-sorted queues do not surface it, which can leave critical flaws unpatched.
- **Increased Costs:** Businesses may be forced to purchase premium threat intelligence feeds to fill the gap left by the NVD’s failure.
### For the Market
- **Erosion of Standards:** As the central hub (NVD) fails, the market may fragment into silos of different vulnerability scoring methodologies, making cross-industry communication more difficult.
## Technical Implications
- **Scoring Redundancy:** The report highlights that NIST’s hands-on CVSS (Common Vulnerability Scoring System) assignment adds little value, as industry-provided scores are usually sufficient.
- **Data Inaccuracy:** The 12% agreement rate between NIST's scores and the industry-supplied scores shows that the two processes apply CVSS inconsistently; the report does not establish which side is closer to correct. Note also that a CVSS base score describes intrinsic characteristics of a flaw, not whether it is being exploited, so neither score by itself reflects real-world exploitation trends.
## Strategic Analysis
- **Market Positioning:** NIST has moved from being a primary authority to a bottleneck in the national security chain.
- **Competitive Advantage:** CISA’s "Vulnrichment" represents a more agile, modern approach to threat data compared to NIST's legacy operational model.
- **Challenges:** The primary obstacle is the civil-service bureaucracy preventing a clean handoff of responsibilities from NIST to CISA.
## Industry Reactions
- **Analyst Opinions:** Michael Daniel (Cyber Threat Alliance) has explicitly called for NIST to cede responsibility for the NVD to CISA, reflecting a growing view that NIST, a standards and measurement body, is not structured for 24/7 operational work.
- **Expert Commentary:** Cybersecurity professionals expressed frustration in an open letter to Congress, citing a "lack of transparent communication" regarding the database's regression.
## Future Outlook
- **Potential Consolidation:** Expect legislative or executive moves to officially consolidate vulnerability management under CISA.
- **Automation Shift:** NIST has agreed to reduce its manual scoring efforts, likely leading to more automated ingestion of vendor-supplied data.
- **Ongoing Backlog:** Given NIST's historical processing limits, the 27,000+ backlog is unlikely to be cleared before 2027 without a total overhaul of the program.
## For Security Professionals
Practitioners should immediately audit their Vulnerability Management (VM) workflows. If your tools match assets to vulnerabilities solely through NVD CPE configurations, the 27,000-plus CVEs awaiting analysis have no CPE data to match against and are effectively invisible to you, even though their CVE records exist and often already carry a CNA-supplied CVSS score. Hybrid workflows that also consume the CNA score in the CVE record, CISA's Vulnrichment enrichment (published as a CISA ADP container in the CVE record and in the cisagov/vulnrichment GitHub repository), and commercial threat intelligence are now a business necessity rather than an optional upgrade.
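The fallback logic described above, as an added example that is not part of the original article and not code from NIST or CISA. It assumes two record shapes a practitioner can fetch offline: the `cve` object of an NVD API 2.0 response (`vulnStatus`, `metrics`, `configurations`) and a CVE JSON 5.x record of the kind published in the Vulnrichment repository (`containers.cna` and `containers.adp`). The sample records are constructed for illustration and use placeholder CVE IDs, not real vulnerability data. The resolver prefers NIST's own "Primary" score when NVD has analyzed the CVE, otherwise falls back to the CISA ADP score, then the CNA score, and flags any CVE that a CPE-only scanner would miss.

```python
"""Resolve a usable severity for a CVE when NVD enrichment is missing (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# NVD statuses in which NIST has produced its own analysis (assumption: NVD API 2.0 vocabulary).
NVD_ENRICHED_STATUSES = {"Analyzed", "Modified"}


@dataclass
class Resolved:
    cve_id: str
    score: float | None          # best available CVSS v3.1 base score
    source: str                  # feed that supplied the score
    nvd_enriched: bool           # NIST analysis and CPE configuration both present
    exploited: bool              # CISA SSVC "Exploitation" decision point is "active"
    notes: list[str] = field(default_factory=list)


def nvd_score(cve: dict, kind: str) -> float | None:
    """CVSS v3.1 base score of the given type ('Primary' = NIST, 'Secondary' = CNA) in an NVD record."""
    for m in cve.get("metrics", {}).get("cvssMetricV31", []):
        if m.get("type") == kind:
            return float(m["cvssData"]["baseScore"])
    return None


def has_cpe_configurations(cve: dict) -> bool:
    """CPE-based scanners can only match a CVE whose NVD record has a cpeMatch node."""
    return any(node.get("cpeMatch")
               for conf in cve.get("configurations", []) for node in conf.get("nodes", []))


def container_cvss(container: dict) -> float | None:
    """First CVSS v3.1 base score in a CVE 5.x container (the cna block or one adp entry)."""
    for m in container.get("metrics", []):
        if "cvssV3_1" in m:
            return float(m["cvssV3_1"]["baseScore"])
    return None


def cisa_adp(record: dict | None) -> dict | None:
    """Locate the CISA ADP container (Vulnrichment output) in a CVE 5.x record."""
    for adp in (record or {}).get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") == "CISA-ADP":
            return adp
    return None


def ssvc_exploitation(adp: dict | None) -> str | None:
    """Read the SSVC 'Exploitation' option (none / poc / active) from the CISA ADP metrics."""
    for m in (adp or {}).get("metrics", []):
        other = m.get("other", {})
        if other.get("type") == "ssvc":
            for opt in other.get("content", {}).get("options", []):
                if "Exploitation" in opt:
                    return opt["Exploitation"]
    return None


def resolve(nvd_cve: dict, cve5: dict | None) -> Resolved:
    """NIST Primary score first; then CISA ADP, then CNA (CVE 5.x), then the CNA score mirrored by NVD."""
    enriched = nvd_cve.get("vulnStatus") in NVD_ENRICHED_STATUSES and has_cpe_configurations(nvd_cve)
    adp = cisa_adp(cve5)
    notes = [] if enriched else [f"NVD status '{nvd_cve.get('vulnStatus')}': CPE matching will miss this CVE"]
    candidates = [
        ("nvd", nvd_score(nvd_cve, "Primary")),
        ("cisa-adp", container_cvss(adp) if adp else None),
        ("cna", container_cvss(cve5["containers"]["cna"]) if cve5 else None),
        ("nvd-secondary", nvd_score(nvd_cve, "Secondary")),
    ]
    source, score = next(((s, v) for s, v in candidates if v is not None), ("none", None))
    if score is None:
        notes.append("no CVSS from any source; triage manually")
    return Resolved(nvd_cve["id"], score, source, enriched, ssvc_exploitation(adp) == "active", notes)


# Constructed sample: a fully analyzed NVD record (placeholder ID, not a real CVE).
ANALYZED = {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 7.5}},
                {"source": "vendor@example.com", "type": "Secondary", "cvssData": {"baseScore": 8.1}}]},
            "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}

# Constructed sample: a backlog record as NVD serves it while awaiting analysis (CNA score only, no CPE).
BACKLOG = {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
           "metrics": {"cvssMetricV31": [
               {"source": "vendor@example.com", "type": "Secondary", "cvssData": {"baseScore": 9.8}}]},
           "configurations": []}

# Constructed sample: the same CVE in CVE JSON 5.x form with a CNA score and a CISA ADP container.
BACKLOG_CVE5 = {"containers": {
    "cna": {"metrics": [{"cvssV3_1": {"baseScore": 9.8}}]},
    "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
             "metrics": [{"cvssV3_1": {"baseScore": 9.1}},
                         {"other": {"type": "ssvc", "content": {"options": [
                             {"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}]}}}]}]}}

if __name__ == "__main__":
    for r in (resolve(ANALYZED, None), resolve(BACKLOG, BACKLOG_CVE5), resolve(BACKLOG, None)):
        print(r)
```

The `nvd_enriched` flag is the one to alert on: a `False` there means the CVE will not appear in CPE-driven scan results no matter how high its score, so it needs a separate matching path (package name and version from the CNA's `affected` data, or a commercial feed). The SSVC `active` flag is a stronger prioritization signal than any base score, and it comes from CISA's container rather than from NIST's analysis.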