
The federal database that security teams worldwide consult to decide which software flaws to patch first produces severity scores that are wrong nearly 88% of the time — and the government watchdog that confirmed it says the National Institute of Standards and Technology has no sustainable plan to fix the problem.
The Department of Commerce Office of Inspector General published report OIG-26-020-I on May 26, 2026, finding that NIST has mismanaged its National Vulnerability Database so severely that the tool can no longer be considered reliable. The unprocessed vulnerability backlog grew from roughly 13,000 entries in June 2024 to more than 27,000 by the end of 2025 — a figure the report said is "undermining the NVD's utility and public trust."
For the security operations teams, vulnerability management platforms, and automated scanners that consume NVD data daily to prioritize patching, that inaccuracy rate is not a statistic. It is an operational liability. NIST reported that in the 30 days leading up to April 7, 2026, the NVD had approximately 300,000 unique users who downloaded an average of 22 terabytes of data every day. Every automated tool consuming that data has been relying on severity scores that independent evaluators could not reproduce nearly 90% of the time.
NIST Promised Fixes It Had No Plan to Deliver
The crisis took root in February 2024, when NIST's NVD enrichment contract lapsed after the agency had two years of warning it needed a replacement. The agency failed to have a new contractor in place until May 2024, leaving the database without a fully trained analyst team until November 2024. CISA, which had provided nearly $3.8 million annually to support the NVD, did not renew its financial support in fiscal year 2024, compounding the shortfall.
In May 2024, NIST awarded a new contract to Maryland-based Analygence and publicly pledged to clear the entire backlog by September 2024, setting a processing target of roughly 6,200 vulnerabilities per month. The IG report found that NIST had never once processed more than 5,000 vulnerabilities in any single month. NIST had no internal plan for how it would reach its own target.
"NIST does not have sustainable processes to manage NVD submissions and will be unable to clear the backlog of unprocessed vulnerabilities or prevent future processing delays without significant changes," the report concluded.
By the end of 2025, the backlog had more than doubled from its June 2024 baseline. NIST had missed its self-imposed September deadline and, as of late 2025, had not publicly announced a new target date. The IG found that NIST's online dashboard also displayed inaccurate backlog statistics for at least four months between March and July 2025.
Severity Scores Accurate Just 12% of Time
The most operationally damaging finding in the report concerns NIST's severity scoring. To test consistency, OIG cybersecurity specialists independently scored a random sample of 72 vulnerabilities using NIST's standard methodology. Evaluators produced identical scoring results on only 8 of the 69 successfully analyzed vulnerabilities — a match rate of 12%.
The report drew a direct connection to workload: 80% of vulnerability submissions already arrive with severity scores from the submitting organization, making NIST's independent re-scoring largely redundant. The IG estimated that if NIST reduced its severity-scoring work, the agency could redirect approximately $800,000 over the next two years toward clearing the backlog.
NIST pushed back in its formal response, arguing that independent scoring was a statutory obligation and that NVD analysts provide value through verification. The IG acknowledged the mandate for open-source software but maintained that it does not require NIST to re-score every vulnerability independently — particularly when the agency's scores are inconsistent with independent evaluators nearly 9 times out of 10.
How Security Teams Should Respond Now
For organizations that depend on NVD-driven automation — including patch management platforms, SIEM correlation rules, and third-party risk scoring tools — the IG's findings have immediate implications. A 12% consistency rate means the risk classification underpinning automated remediation decisions is effectively unreliable for any vulnerability where NIST's score is the sole input.
Security teams should take three concrete actions now:
1. Supplement NVD data with CISA's Vulnrichment program, which produces Stakeholder-Specific Vulnerability Categorization data and has been adding enrichment since May 2024. CISA's Known Exploited Vulnerabilities catalog is a more reliable signal for immediate prioritization than CVSS severity scores alone. Vendor-issued advisories and information-sharing centers provide context that NVD data currently cannot.
2. Audit single-source dependencies. Any vulnerability management workflow that relies exclusively on NVD data for scoring and prioritization should be reviewed. The backlog means that more than 27,000 CVEs currently have no NVD enrichment at all, while the scored entries may reflect the 88% inaccuracy rate.
3. Monitor NIST's remediation timeline. NIST must submit an action plan addressing all six IG recommendations by July 31, 2026. If that plan does not include a credible backlog clearance target and a specific commitment to CISA coordination, the NVD's operational status should be treated as unresolved.
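One way to put the first two actions into practice (and the multi-source pipeline the FAQ below describes), as an added example that is not code from the article, NIST or CISA: a small Python triage routine that joins the NVD CVSS score, CISA KEV membership and the SSVC outcome for each CVE, sends any decision that would rest on an NVD score alone to manual review, and lists backlogged CVEs that carry no enrichment at all. The records, the CVE identifiers and the field names are constructed assumptions.

```python
# Added example, not code from the article or from NIST/CISA. It assumes each
# record was already joined from three feeds: NVD (CVSS), CISA KEV (membership)
# and CISA Vulnrichment (SSVC outcome). Records are constructed; CVE ids are placeholders.

# nvd_cvss is None for a CVE still sitting in the NVD backlog;
# ssvc is one of "Act", "Attend", "Track*", "Track", or None when absent.
SAMPLE = [
    {"cve": "CVE-EXAMPLE-0001", "nvd_cvss": 9.8, "in_kev": False, "ssvc": None},
    {"cve": "CVE-EXAMPLE-0002", "nvd_cvss": None, "in_kev": True, "ssvc": "Act"},
    {"cve": "CVE-EXAMPLE-0003", "nvd_cvss": 5.3, "in_kev": False, "ssvc": "Attend"},
    {"cve": "CVE-EXAMPLE-0004", "nvd_cvss": None, "in_kev": False, "ssvc": None},
    {"cve": "CVE-EXAMPLE-0005", "nvd_cvss": 7.5, "in_kev": False, "ssvc": "Track"},
]


def prioritize(rec):
    """Return (priority, contributing_sources).

    KEV membership or an SSVC "Act" outcome always wins. A record whose only
    signal is the NVD CVSS score goes to manual review instead of automated
    remediation, and a record with no enrichment at all is flagged as such.
    """
    sources = [name for name, present in (
        ("kev", rec["in_kev"]),
        ("ssvc", rec["ssvc"] is not None),
        ("nvd", rec["nvd_cvss"] is not None),
    ) if present]
    if not sources:
        return "unenriched", sources
    if rec["in_kev"] or rec["ssvc"] == "Act":
        return "immediate", sources
    if rec["ssvc"] == "Attend":
        return "high", sources
    if sources == ["nvd"]:
        return "review", sources  # single-source dependency on an NVD score
    return "normal", sources


def audit(records):
    """CVEs whose decision would rest on NVD alone, and CVEs with no enrichment."""
    out = {"single_source": [], "unenriched": []}
    for rec in records:
        priority, _ = prioritize(rec)
        if priority == "review":
            out["single_source"].append(rec["cve"])
        elif priority == "unenriched":
            out["unenriched"].append(rec["cve"])
    return out
```

Running `audit(SAMPLE)` over a real joined feed gives the two lists a review of single-source workflows needs: CVEs an automated pipeline would act on from the NVD score alone, and backlogged CVEs that need a vendor advisory or another source before any decision.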
$200,000 Wasted on Work Already Done
The dysfunction extended beyond NIST's internal failures. When CISA launched Vulnrichment in May 2024 specifically to fill the gap created by the NVD backlog, the two agencies failed to coordinate their work. NIST declined to respond to a CISA invitation to collaborate at the program's launch. Once NIST rehired its analysts, they continued processing vulnerabilities that CISA had already enriched. At one point, both agencies hired the same contractor to perform identical work.
The IG identified at least 21,000 instances of duplicated enrichment between May 2024 and December 2025. Using NIST's own contract rates, the report calculated that the duplication wasted approximately $200,000 in taxpayer funds — a figure the report categorized as unallowable or unreasonable cost.
The coordination failure had a secondary consequence: CISA stopped creating Common Platform Enumeration applicability statements in December 2024, citing how labor-intensive they were. NIST is now the sole federal government provider of this data — a role made more precarious by the agency's own resource constraints.
Who Should Take Over the NVD
The most structurally significant argument in the post-report debate does not appear in the IG's text. Michael Daniel, president and CEO of the Cyber Threat Alliance and former White House cybersecurity coordinator under President Obama, called publicly for NIST to transfer full operational responsibility for the NVD to CISA.
"Running a long-term, ongoing operational program like the NVD falls more properly in CISA's mission," Daniel said. "NIST has significant resource shortfalls."
The argument reflects a genuine structural tension. NIST is a standards and measurement agency — its core competency is defining frameworks and methodologies. Operating a live, continuously updated vulnerability database that interfaces with global threat intelligence pipelines is an operational function, and CISA was built for exactly that kind of mission.
NIST Acting Director Craig Burkhardt's April 23, 2026 response to the IG report concurred with all six recommendations and pledged to begin remediation immediately. The agency's own April 2026 operational update — which NIST acknowledged was prompted in part by the draft IG findings — announced a significant triage shift: beginning April 15, 2026, the NVD would only enrich CVEs appearing in CISA's Known Exploited Vulnerabilities catalog, software used by the federal government, and software classified as critical under Executive Order 14028. All other CVEs, including the entire existing backlog predating March 1, 2026, would be categorized as "Not Scheduled" for enrichment.
That policy change brings the accountability question into sharper relief. If NIST is no longer attempting to enrich the majority of CVEs, and CISA is running a parallel program to cover what NIST is not doing, the practical case for maintaining two federal agencies doing overlapping vulnerability enrichment work becomes increasingly difficult to defend.
What the Letter They Never Answered Said
NIST's communication failures compounded every other problem. On April 12, 2024, more than 50 cybersecurity professionals sent an open letter to Congress and the Secretary of Commerce urging investigation into "the lack of transparent communication from NIST regarding regression in NVD operations." Neither NIST nor the Department of Commerce responded.
The IG surveyed letter signatories as part of the evaluation. Ninety percent reported dissatisfaction with the frequency of NIST's backlog updates. Three-quarters said they had reduced their reliance on the NVD for vulnerability management. Despite this, 80% agreed that the NVD still offers unique enrichment value — a finding that underlines what is at stake if NIST cannot execute a credible recovery.
The CVE ecosystem that the NVD underpins has faced compounding stress. A separate, related program — the Common Vulnerabilities and Exposures list maintained by MITRE on behalf of CISA — narrowly averted shutdown in April 2025 when a last-minute contract extension prevented a gap in service. In response, several European nonprofits and other private entities launched competing vulnerability databases. The IG report projects that total vulnerability submissions in 2026 will surpass 60,000 — a nearly tenfold increase from a decade ago.
NIST's plan to address all six IG recommendations is due by July 31, 2026. Whether the agency can demonstrate a credible path to sustainability — or whether policymakers will treat the IG's findings as evidence that the NVD's future belongs at CISA — will become clearer as that deadline approaches.
Frequently Asked Questions
Are the NVD's severity scores reliable for patch prioritization?
According to the May 2026 IG report, NIST's CVSS severity scores matched those of independent evaluators only 12% of the time, meaning the scores are inconsistent rather than systematically wrong in a single direction. Security teams should use NVD severity scores as one input among several, not as a standalone signal, and supplement them with CISA's Known Exploited Vulnerabilities catalog and vendor advisories.
What is CISA Vulnrichment and how does it differ from the NVD?
CISA launched Vulnrichment in May 2024 as a parallel vulnerability enrichment program after the NVD's backlog began growing. While the NVD provides CVSS severity scores and Common Platform Enumeration applicability statements, CISA's Vulnrichment focuses on Stakeholder-Specific Vulnerability Categorization — a decision-tree model for prioritizing vulnerabilities based on exploitability, technical impact, and automatability. The two programs overlapped significantly until CISA stopped producing CPE applicability statements in December 2024.
How many CVEs are currently unprocessed in the NVD backlog?
As of the end of 2025, more than 27,000 vulnerabilities remained unprocessed in the NVD — more than double the roughly 13,000 that were in the backlog when the crisis began in June 2024. NIST's April 2026 operational update moved all backlogged CVEs with a publication date before March 1, 2026, into a "Not Scheduled" category, meaning they will not be automatically enriched.
Should organizations stop relying on the NVD entirely?
No, but relying on it as a single source is no longer sufficient. The NVD remains the most comprehensive publicly available repository of vulnerability identifiers and structured CVE data. Organizations should combine NVD data with CISA's Vulnrichment feeds, the Known Exploited Vulnerabilities catalog, vendor security advisories, and commercial threat intelligence to build a multi-source vulnerability intelligence pipeline.
© 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.