[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPABWxqgwsD4QIogApsKwcn60S3-ObHaek6YLbYM9nIw":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"5023f70d-465c-4919-8adc-22544a5c10d1","Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog","federal-audit-finds-nist-wasted-funds-with-no-plan-to-clear-nvd-backlog-6a979b","A newly released federal audit now documents NIST’s long-running NVD backlog, with findings that are hard to square with two years of public assurances that the database was being brought back under control. The U.S. Department of Commerce Office of Inspector General found that NIST had no strategic plan for the National Vulnerability Database, set a public deadline it did not have the capacity to meet, delayed use of CISA enrichment data, and spent taxpayer funds on duplicated vulnerability enrichment work while the backlog continued to grow. The report says NIST “does not have sustainable processes to manage NVD submissions” and “will be unable to clear the backlog of unprocessed vulnerabilities or prevent future processing delays without significant changes.” The audit covered NVD management from October 2023 through December 2025, drawing on contracts, enrichment policies, team notes, analysis reports, the CISA-NIST interagency agreement, and interviews with NIST leadership, stakeholders, and cybersecurity leaders. The report lands six weeks after NIST formally narrowed the NVD’s enrichment scope, moving to a risk-based model that leaves most CVEs outside routine analysis. Under that model, the NVD prioritizes vulnerabilities in CISA’s Known Exploited Vulnerabilities catalog, software used by the federal government, and software designated as critical under Executive Order 14028. 
Everything else can be moved into “Not Scheduled,” a status that leaves many records without the CVSS, CWE, and CPE data needed to make them useful in automated vulnerability management workflows. The OIG report shows how NIST arrived there. The audit traces the backlog to a February 2024 contract lapse, then follows NIST’s missed September 2024 deadline, its delayed use of CISA enrichment data, and the continued growth of unprocessed vulnerabilities through the end of 2025.
A Two-Year Timeline of NVD Backlog Promises, Delays, and Relabeling #
The audit confirms a pattern Socket has reported on repeatedly since the NVD slowdown became visible in early 2024:
- March 2024: NVD Halts CVE Enrichment - NVD stops enriching CVEs with little explanation, leaving the security community without metadata on most new records.
- April 2024: NVD Remains Stalled on Enriching CVE’s, Security Industry Criticizes NIST’s Consortium Plan - NIST’s opaque consortium proposal and the backlash from security professionals.
- May 2024: The Alarming NVD Backlog: Over 50% of Known Exploited Vulnerabilities Await Analysis - 12,500+ CVEs were awaiting analysis, and more than half of the KEVs added since mid-February had not been enriched.
- June 2024: NIST Announces Major Contract to Clear NVD Backlog by September - NIST’s promise to clear the backlog by the end of the fiscal year after contracting additional support.
- August 2024: MITRE Marks Major Milestone, Minting 400 CNAs as NVD Backlog Grows - The NVD backlog grew by roughly 30% since June 2024 as the number of CVE Numbering Authorities continued to increase.
- October 2024: NIST Misses 2024 Deadline to Clear NVD Backlog - NIST missed its self-imposed September deadline, and CVEs awaiting analysis increased by 33%.
- November 2024: NVD Backlog Tops 20,000 CVEs Awaiting Analysis as NIST Prepares System Updates - The backlog crossed 20,000 CVEs while NIST prepared system changes.
- March 2025: NVD Concedes Inability to Keep Pace with Surging CVE Disclosures in 2025 - NVD’s admission that its prior processing rate was no longer enough to keep up with CVE volume.
- April 2025: NVD Quietly Sweeps 100K+ CVEs Into a “Deferred” Black Hole - NVD moved more than 100,000 older CVEs into “Deferred,” further reducing expectations of enrichment.
- April 2025: VulnCon 2025: NVD Scraps Industry Consortium Plan, Raising Questions About CVE Processing - NVD’s abandonment of its consortium plan and its continued discussion of automation without firm timelines.
- May 2025: NIST Under Federal Audit for NVD Processing Backlog and Delays - Commerce OIG opened an audit into NIST’s backlog reduction strategy and measures to prevent future delays.
- April 2026: NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets - NIST moved to a risk-based enrichment model, formally abandoning the assumption that every CVE would receive routine enrichment.
The federal audit now gives that timeline a fuller accounting, adding internal context through capacity estimates, contract details, coordination breakdowns, and stakeholder feedback that together document a cascade of failures.
NIST Had No Strategic Plan for the NVD #
One of the report’s most damaging findings is also one of its simplest: NIST did not have a strategic plan for the NVD when auditors asked for one. “NIST management informed us, however, that they did not have a strategic plan for the NVD,” OIG wrote. “The lack of a strategic plan likely contributed to NIST’s slow and inadequate response to the challenge posed by the backlog. That response included an unrealistic goal, a lack of prioritization given to the processing of critical vulnerabilities, and a delay in the use of alternative resources.” That finding cuts through two years of public messaging about clearing the backlog, improving NVD operations, adding support, changing workflows, and exploring automation. 
The federal auditors found that behind the public deadline was no strategic plan capable of making it happen. NIST had said it would clear the backlog by the end of September 2024. OIG found that NIST would have needed to process about 6,200 vulnerabilities per month to meet that goal. The agency had not processed more than 5,000 in any month, and even under a best-case staffing scenario, auditors estimated it could have processed about 5,300 per month. The result was the backlog grew from about 13,000 vulnerabilities at the start of June 2024 to more than 27,000 by the end of 2025. # The backlog did not only affect obscure CVEs or low-priority records. It reached vulnerabilities that CISA had already placed in the Known Exploited Vulnerabilities catalog, the federal government’s list of vulnerabilities known to be exploited in the wild. NIST officials told auditors they had a process to prioritize vulnerabilities receiving significant public attention, vulnerabilities affecting widely used products, and vulnerabilities listed in CISA KEV. OIG found that the process did not define what timely enrichment meant. Auditors reviewed 226 KEV vulnerabilities added between February 2024 and December 2025 that had not already been analyzed at the time they were added to KEV. Using one weekday as a reasonable benchmark, OIG found NVD enrichment was not timely for 34% of them. That finding cuts directly into NIST’s repeated claims that it was prioritizing the most important vulnerabilities while working through the backlog. KEV is the obvious place to test that claim. Even there, the audit found delays. NIST Was Slow to Use CISA’s Enrichment Data # CISA launched Vulnrichment in May 2024, creating its own federal enrichment program as NIST struggled with the lapsed contract and growing backlog. The two programs overlapped heavily. Both assigned severity scores using CVSS, categorized vulnerability causes using CWE, and added references. 
CISA also initially generated CPE applicability statements before stopping that work in December 2024. OIG found that NIST was slow to use CISA’s enrichment data even though it could have helped reduce the backlog. NIST officials told auditors the NVD system needed technical updates to attribute data to specific sources. Until that was done, NIST was unwilling to use CISA enrichment because it would have appeared as if an NVD analyst had performed the work. The result was a delay in using another federal source of vulnerability enrichment while the backlog kept growing, despite both federal agencies having access to the same public information. NIST and CISA Used the Same Contractor While Duplicating 21,000 Enrichment Activities # One of the report’s most egregious findings is the duplicated enrichment work. OIG found that NIST and CISA were operating two vulnerability enrichment programs with significant overlap. The programs were not coordinated, even though they were performing many of the same functions: Further, both programs used the same contractor and, in some cases, performed the same enrichment activities. We identified at least 21,000 instances from May 2024 through December 2025 when NIST and CISA duplicated enrichment activities. OIG estimated that NIST wasted approximately $200,000 on duplicate enrichment activities since CISA launched Vulnrichment in May 2024. That estimate only covers funds spent directly on duplicate enrichment work, not broader program overhead. OIG also estimated that NIST could put approximately $800,000 to better use over the next two years by minimizing its calculation of severity scores when another party has already provided one. The finding lands squarely in territory Brian Martin has been hammering for years. Martin, a vulnerability historian who has closely tracked NVD’s operational decline, has repeatedly questioned how the program could struggle so visibly with enrichment while operating on a multimillion-dollar budget. 
When NIST moved most CVEs outside routine enrichment, Martin commented that “The budget they have to do this work is disgusting” and argued that VulnDB had enriched more data per vulnerability “for a fraction of the cost.” In a post titled \"NVD Gives Up,\" Martin wrote that the NVD was “basically a fragile line that makes CVE data usable for many organizations” and said the database had “now thrown in the towel.” He also pointed to a still-unanswered FOIA request for NVD’s 2024 and 2025 budget, citing a 2019 request that found a budget of $6,066,924.85. “So what were they doing with all that money?” Martin said. “I would still like to know because that is our tax dollars not working for us and makes me beg the question if there is fraud or abuse at play, because there certainly is waste.” The OIG report does not allege fraud or abuse, but it does document waste. While the NVD backlog grew, NIST and CISA were paying for overlapping enrichment work, sometimes through the same contractor, without enough coordination to avoid duplicate effort. Manual Enrichment Remained the Bottleneck # OIG found that severity scoring and CPE applicability statements consumed an estimated 80% of NVD enrichment processing time, making them the clearest targets for improving throughput. NIST has traditionally assigned its own CVSS severity score as part of NVD enrichment, but auditors found that scoring depends heavily on available information and professional judgment. In OIG’s internal test, cybersecurity specialists produced the same CVSS vector string only eight times across 69 successfully analyzed vulnerabilities, or 12%. At the same time, nearly 80% of CVE Program participants were already including severity scores in vulnerability submissions as of August 2025, and CISA provided scores for submissions that did not include them. OIG estimated that NIST could put approximately $800,000 to better use over two years by minimizing redundant severity scoring. 
CPE applicability statements remain the harder bottleneck. These machine-readable product and version mappings are what allow security tools to match a CVE to affected software in an environment. OIG said the work is manual and time-consuming, especially when products are not already listed in the CPE dictionary. CISA stopped creating CPE applicability statements in December 2024, partly because of the time required. That left NIST as the only federal provider of this data while it was already unable to keep pace with CVE volume. Communication Failures Made the Backlog Worse # The audit also validates another long-running complaint from the security community: NIST’s communication around the backlog was poor. In April 2024, more than 50 cybersecurity professionals sent an open letter to Congress and the Secretary of Commerce urging an investigation into NIST’s lack of transparent communication around the NVD slowdown. OIG surveyed signers of that letter and found that frustration remained high. Ninety percent of respondents were dissatisfied with the frequency of NIST’s backlog updates, and 75% said they relied less on the NVD for vulnerability management since the backlog began. The report also found that from at least March 2025 to July 2025, the NVD dashboard did not present accurate data for two fields showing the status of vulnerabilities: “Undergoing Analysis” and “Received.” Auditors said the inaccurate dashboard made it harder for stakeholders to understand the size of the backlog. The OIG report puts that communication history into a broader management failure. NIST missed its public September 2024 target and had not announced a new target as of the end of 2025. By then, the last backlog update on NVD’s official communications page was more than nine months old. 
NIST Pushes Back on the Audit # NIST concurred with all six OIG recommendations, including calls to create a strategic plan, establish a backlog management plan, reduce unnecessary severity scoring, improve external contribution paths for CPE applicability data, coordinate with CISA, and develop a communication strategy. NIST’s response also pushed back on the draft report’s framing, arguing that OIG did not fully account for its statutory obligations around the NVD, severity scoring, and vulnerability disclosure guidance. OIG rejected that criticism in the final report, saying its findings were supported by documented facts on backlog causation, capacity, timeliness, duplication, and communication. The audit report closes with a full-page Commerce OIG hotline notice for reporting fraud, waste, abuse, or mismanagement.","A U.S. Commerce Department Office of Inspector General audit documents NIST's mismanagement of the National Vulnerability Database, finding no strategic plan, missed deadlines, duplicated enrichment work, and poor coordination with CISA. 
The audit reveals NIST wasted approximately $200,000 on duplicate enrichment activities and could recoup $800,000 over two years by eliminating redundant severity scoring, while the backlog grew from 13,000 to 27,000+ vulnerabilities between June 2024 and end of 2025.","Federal audit finds NIST wasted funds, lacks strategic plan to clear NVD backlog.","Research\u002FSecurity NewsMini Shai-Hulud Campaign Hits Red Hat Cloud Services npm PackagesA mini Shai-Hulud campaign compromised Red Hat Cloud Services npm packages to steal developer and CI\u002FCD secrets during installation.By Socket Research Team - Jun 01, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Ffederal-audit-finds-nist-wasted-funds-with-no-plan-to-clear-nvd-backlog?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fc17414c758f7da19292e1f4bba1720e05d1c2ea8-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-06-03T02:17:50.317+00:00","2026-06-03T22:00:26.078333+00:00",8,[18,21,23,26,28,31],{"name":19,"type":20},"NIST","vendor",{"name":22,"type":20},"CISA",{"name":24,"type":25},"National Vulnerability Database (NVD)","product",{"name":27,"type":25},"Vulnrichment",{"name":29,"type":30},"CVE","technology",{"name":32,"type":30},"CVSS","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":33,"icon":35,"name":36,"slug":37},null,"Policy","policy",[39,43],{"category":40},{"id":41,"icon":35,"name":19,"slug":42},"217d3263-c763-41ca-875e-06901f522fe0","nist",{"category":44},{"id":45,"icon":35,"name":46,"slug":47},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",[]]