US government report slams NIST for NVD backlog
Summary
A US Commerce Department report criticizes NIST (National Institute of Standards and Technology) for a growing backlog of unprocessed vulnerabilities in the NVD (National Vulnerability Database, a catalog of known security flaws). The backlog has worsened due to budget cuts, increased vulnerability discoveries from AI tools, and inefficient coordination between NIST and CISA (Cybersecurity and Infrastructure Security Agency), including duplicated work and failure to share data despite having access to the same public information.
Solution / Mitigation
The report states that 'NIST must improve the efficiency of enrichment processes to ensure sustainability' and notes that 'before system updates and subsequent process changes were completed in March 2025, NIST refused to use CISA's data.' According to the source, the NVD system needed technical updates 'to incorporate CISA's enrichment data because the system lacked the capability to attribute data to specific sources.' Those updates were completed in March 2025, allowing NIST to use CISA's data to expedite backlog reduction.
Classification
Original source: https://www.csoonline.com/article/4181438/us-government-report-slams-nist-for-nvd-backlog.html
First tracked: June 5, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 75%