Jun 04, 2026 · 6 min read
Inspector General: NIST's NVD Is Failing Security Teams
The Commerce Department inspector general published a report on June 1, 2026 that documents what every security team already suspected — the National Vulnerability Database is broken. A 27,000-CVE backlog. A 12% match rate with independent severity scoring. $200,000 of work duplicated with CISA. And a four-month period in 2024 when NIST simply stopped paying its contractors.
For two decades the National Vulnerability Database has been the single most important reference for "how bad is this CVE." Every patch prioritization tool, every vulnerability scanner output, every security team triage meeting routes through NVD data. The inspector general's findings are an indictment of a critical piece of national security infrastructure that has been quietly falling apart for years.
Key Takeaways
- The Commerce Department inspector general report, released June 1, 2026, documents a 27,000+ CVE backlog at the National Vulnerability Database as of the end of 2025, up from 13,000 in February 2024.
- NIST publicly pledged to clear the backlog by September 2024 with a goal of 6,200 CVEs processed per month — but never exceeded 5,000 in any single month.
- NIST stopped paying its analysis contractors in February 2024, deepening the processing collapse instead of recovering from it.
- NIST severity scores matched independent assessors only 12% of the time, even though 80% of submitted CVEs already carried a vendor-provided score.
- NIST and CISA duplicated work on at least 21,000 CVEs between May 2024 and December 2025 — wasting roughly $200,000 by hiring the same contractors to do the same triage in parallel.
How Big Is the NVD Backlog?
In February 2024, the unprocessed pile at NVD held 13,000 CVEs. By the end of 2025, the same pile held more than 27,000. The number more than doubled in 22 months. NIST's stated processing capacity has never exceeded 5,000 CVEs per month, and the agency's own goal of 6,200 per month by September 2024 was missed by every measure that matters.
An unprocessed CVE in NVD is not just a paperwork problem. Without NVD enrichment, a CVE has no CPE mapping (which products are affected), no CVSS severity score from NIST, and often no normalized description that downstream scanners can match. Every vulnerability management tool that pulls from NVD silently loses fidelity on those records. A 27,000-CVE blind spot is what the inspector general's report is describing.
Why Did NIST Stop Paying Its Contractors?
The report says NIST stopped paying its CVE analysis contractors in February 2024. The agency has not given a clean public explanation, but the timing — at the exact moment the backlog began its rapid climb — is unambiguous. The processing capacity collapsed because the people doing the processing stopped getting paid.
That decision is what flipped NVD from "occasionally behind" to "structurally failing." In April 2024, 50 cybersecurity professionals signed an open letter to Congress and the Commerce Secretary asking what was happening. NIST never responded to that letter. The inspector general report calls out the silence directly under the heading of "poor stakeholder communication."
What About the 12% Severity Score Disagreement?
This is the finding that most directly affects defenders. NIST produces a CVSS base score for each enriched CVE — that score is what most vulnerability scanners surface to security teams. The inspector general's audit found that NIST's score matched the score from independent assessors only 12% of the time. Eighty percent of CVEs submitted to NIST already arrive with a vendor-produced score the agency could simply pass through.
The recommendation is blunt: reduce NIST's own scoring work. The inspector general projects $800,000 in savings over two years if NIST stops re-scoring the 80% of CVEs that arrive pre-scored. The harder reading is that NIST's own scoring was not adding accuracy — it was adding disagreement.
How Did NIST and CISA End Up Doing the Same Work Twice?
Between May 2024 and December 2025, NIST and CISA duplicated CVE enrichment work on at least 21,000 records. The report says they even hired identical contractors to do that duplicated work, wasting roughly $200,000 in the process. Two federal agencies with overlapping mandates produced two parallel pipelines for the same data — without coordination, without a shared queue, and without anyone in the chain stopping to ask why.
The fix proposed by the inspector general is the obvious one: coordinate. CISA already runs its own enrichment pipeline that feeds into the Known Exploited Vulnerabilities catalog and other tooling. NIST and CISA could publish a single canonical source of CVE enrichment and split the work. They have not, and the cost is now in the public record. For context on how the KEV process itself is opening up to outside researchers, see our coverage of CISA's new KEV nomination form.
What Should Security Teams Do With This?
The short answer is: stop treating NVD as authoritative for fresh CVEs. The longer answer:
- Cross-reference any high-severity CVE with the vendor's own advisory rather than waiting for NVD enrichment.
- Pull from CISA's KEV catalog for the "is this being exploited right now" signal — that pipeline is functional in a way NVD is not.
- Use one of the alternative enrichment feeds (GitHub Security Advisories, vendor RSS, third-party services) for CPE mapping until NIST publishes a credible recovery plan.
- For internal patch prioritization, weight vendor scores and CISA exploitation status above NVD CVSS until the backlog is back under control.
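The four recommendations above, and the earlier point about what an unenriched NVD record is missing, translate into a small triage rule set. The script below is an added example, not code from the article or from NIST or CISA: it ranks CVEs by CISA KEV exploitation status first, the vendor advisory's CVSS second, and NVD's CVSS only when the record has actually been enriched, and it lists the records an NVD-only scanner would silently mis-handle. The record schema is simplified and constructed for this example; the status strings follow NVD's "vulnStatus" vocabulary and the KEV fragment mirrors the public KEV JSON layout, both as assumptions, and every CVE identifier is a placeholder.

```python
"""Patch-prioritization helper.

Added example, not code from the article or from NIST/CISA. It encodes
the triage order the article recommends: CISA KEV exploitation status
first, the vendor advisory's CVSS score second, and NVD's CVSS score
only when NVD has actually enriched the record. It also flags the
records that an NVD-only scanner would silently under-report.

Assumptions: the record fields below are a simplified schema constructed
for this example; the status strings follow the NVD API's "vulnStatus"
vocabulary, and the KEV fragment mirrors the public KEV JSON layout.
All CVE identifiers are placeholders.
"""
import json
from dataclasses import dataclass
from typing import Optional

# NVD statuses that mean the record carries NIST's own analysis (assumption).
ENRICHED_STATUSES = {"Analyzed", "Modified"}

# Constructed fragment in the shape of CISA's KEV JSON feed (placeholder CVE).
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
   "product": "ExampleProduct", "dateAdded": "2026-05-30"}
]}
"""


@dataclass
class CveRecord:
    cve_id: str
    nvd_status: str               # e.g. "Awaiting Analysis", "Analyzed"
    nvd_cvss: Optional[float]     # None until NVD enrichment lands
    vendor_cvss: Optional[float]  # CVSS from the vendor's own advisory
    has_cpe: bool                 # NVD supplied a CPE product mapping


def load_kev_ids(kev_json: str) -> set:
    """Return the set of CVE IDs listed in a KEV-formatted JSON document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def nvd_enriched(rec: CveRecord) -> bool:
    """True only when NVD has finished analysis and attached its own score."""
    return rec.nvd_status in ENRICHED_STATUSES and rec.nvd_cvss is not None


def effective_score(rec: CveRecord) -> Optional[float]:
    """Vendor score first; NVD score only as a fallback on enriched records."""
    if rec.vendor_cvss is not None:
        return rec.vendor_cvss
    if nvd_enriched(rec):
        return rec.nvd_cvss
    return None


def priority_tier(rec: CveRecord, kev_ids: set) -> str:
    if rec.cve_id in kev_ids:
        return "P0-exploited"          # active exploitation beats any score
    score = effective_score(rec)
    if score is None:
        return "P1-unscored"           # nobody has scored it: manual review
    if score >= 9.0:
        return "P1-critical"
    if score >= 7.0:
        return "P2-high"
    return "P3-standard"


TIER_RANK = {"P0-exploited": 0, "P1-unscored": 1, "P1-critical": 1,
             "P2-high": 2, "P3-standard": 3}


def prioritize(records, kev_ids):
    """Order records by tier, then by score descending, then by ID."""
    return sorted(records, key=lambda r: (TIER_RANK[priority_tier(r, kev_ids)],
                                          -(effective_score(r) or 0.0),
                                          r.cve_id))


def nvd_blind_spots(records):
    """CVEs an NVD-only pipeline would mis-score or fail to map to products."""
    return [r.cve_id for r in records if not nvd_enriched(r) or not r.has_cpe]


# Constructed sample input (placeholder IDs and scores).
SAMPLE = [
    CveRecord("CVE-0000-0001", "Awaiting Analysis", None, 9.8, False),
    CveRecord("CVE-0000-0002", "Analyzed", 5.3, 8.1, True),
    CveRecord("CVE-0000-0003", "Awaiting Analysis", None, None, False),
    CveRecord("CVE-0000-0004", "Analyzed", 7.5, None, True),
    CveRecord("CVE-0000-0005", "Analyzed", 4.3, 4.3, True),
]

if __name__ == "__main__":
    kev = load_kev_ids(KEV_JSON)
    for rec in prioritize(SAMPLE, kev):
        print(rec.cve_id, priority_tier(rec, kev), effective_score(rec))
    print("NVD blind spots:", nvd_blind_spots(SAMPLE))
```

Two of the constructed records show why the ordering matters: the first has a vendor score of 9.8 but no NVD enrichment at all, so an NVD-only scanner would carry it with no severity, and the second sits in KEV while NVD and the vendor disagree by almost three points, so its rank is driven by exploitation status rather than either score.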
The Verizon 2026 DBIR already reported that 31% of breaches now begin with an exploited vulnerability, up from 20% the year before. A vulnerability database that cannot keep up with disclosure is exactly the wrong infrastructure to depend on while that number climbs. The inspector general's report is the first public confirmation that the system is breaking under the load — and the recommendations only land if NIST acts on them.