The National Vulnerability Database’s backlog of unprocessed flaws swelled from about 13,000 in June 2024 to more than 27,000 by the end of 2025, a federal audit found — a doubling that officials acknowledged they had no long‑term plan to address.
Backlog growth, missed targets, and a lapsed contract
The Department of Commerce inspector general’s report lays out a chain of operational problems that began in February 2024, when the NVD’s enrichment contract lapsed and created an initial backlog of unprocessed security flaws. In May 2024, NIST publicly promised to clear the backlog by September 2024 and set a processing goal of 6,200 security flaws per month. The inspector general notes that NIST had never processed more than 5,000 per month historically, and by the end of 2025 the backlog had climbed to over 27,000.
Inefficiencies in enrichment work: scores and product identification
The audit identifies two enrichment tasks as the chief drains on analyst time. NIST analysts spend roughly 80% of their time calculating severity scores and identifying affected products. The inspector general tested NIST’s severity scores and found they matched independent evaluators only 12% of the time. At the same time, nearly 80% of vulnerability submissions already include severity scores from the submitting companies, meaning NIST frequently duplicates work that submissions already provide.
The report recommends scaling back the agency’s severity‑score calculations over the next two years, estimating this change would free about $800,000 that could be redirected to other program areas. The audit also calls out the manual process for creating standardized product identifiers as a major bottleneck; NIST is developing tools to accelerate that work but the report states the manual process continues to slow backlog clearance.
Duplication with CISA’s Vulnrichment and related programs
The inspector general chronicles at least 21,000 instances of duplicated work between NIST and the Cybersecurity and Infrastructure Security Agency from May 2024, when CISA launched its Vulnrichment program, through December 2025. According to the report, the agencies did not coordinate, which led to NIST analysts sometimes repeating analyses already completed by CISA — and, in some cases, both agencies hired the same contractor for portions of the same work. The audit estimates these duplicated efforts wasted approximately $200,000.
The report places this duplication in the context of other federal vulnerability programs. It notes that the Common Vulnerabilities and Exposures (CVE) list, run by CISA, narrowly escaped a shutdown in April 2025 when a last‑minute, 11‑month contract extension averted a lapse. Since then, the audit says, several competing databases from European nonprofits and private entities have been established to coordinate tracking and disclosure of vulnerabilities.
Communication failures and narrowed NVD priorities
Communication problems compounded the operational failures. In April 2024, more than 50 cybersecurity professionals wrote an open letter to Congress complaining NIST was not being transparent about NVD problems; the inspector general reports that neither NIST nor the Department of Commerce responded to that letter. Earlier this year, NIST announced it had narrowed NVD priorities to focus only on vulnerabilities in CISA’s Known Exploited Vulnerability (KEV) catalog, software used by the federal government, and critical software identified under Executive Order 14028.
The inspector general recommended that NIST develop a plan to communicate better with users of the database; NIST “agreed with all six recommendations and said it is working on them,” the audit states. The agency must submit a plan showing how it will address these problems by late July.
What this means for technologists, policymakers, and federal IT buyers
- Technologists and security teams: The NVD’s narrowed priorities (KEV, federal software, EO 14028 critical software) and the backlog mean teams that depended on NVD enrichment for prioritization may need to supplement with other databases, including the newer European nonprofit and private alternatives noted in the report.
- Policymakers and agency managers: The audit points to concrete coordination failures with CISA — including duplicated contractor work and at least 21,000 repeat cases — that policymakers must reconcile if federal vulnerability programs are to avoid further waste.
- Federal IT buyers and procurement leaders: The lapsed enrichment contract, the historical ceiling of roughly 5,000 processed items per month, and the agency’s promise to submit a remediation plan by late July are immediate factors procurement teams will watch as they plan contract timelines and staffing.
The inspector general’s recommendations are specific — a long‑term plan, a backlog‑clearing plan with measurable goals, reduced severities work, eased outside participation on product identification, immediate coordination with CISA to stop duplicating work, and a user communications plan — and NIST has agreed to all six. The near‑term deadline is clear: a written plan must be submitted by late July. Whether that plan will translate into sustained operational change and reduce a backlog that doubled in 18 months is now the concrete next step the audit leaves on the table.




