NIST’s National Vulnerability Database needs some help to continue working

NIST’s National Vulnerability Database needs some help to continue working

NIST’s National Vulnerability Database needs some help to continue working

https://federalnewsnetwork.com/cybersecurity/2026/07/nists-national-vulnerability-database-has-largely-been-a-helpful-resource-but-needs-some-help-to-continue-that/

Publish Date: 2026-07-08 12:56:00

Source Domain: federalnewsnetwork.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points. Chuck Mitchell The National Vulnerability Database is a critical piece of the nation’s cybersecurity infrastructure. It’s used by NIST to capture publicly reported vulnerabilities that they then add some important data to, to make available to defenders so that they can take action when vulnerabilities are identified and then they can do the fixes that they need to in their own systems. It gets about 300,000 hits a day and is available worldwide really.
Eric White And it’s filled with folks that are on the front lines that are sending it to NIST, or does NIST also go out and look for these vulnerabilities itself as well?]]>

Chuck Mitchell Yeah, really they’re a downstream user of this, all the vulnerability ecosystem. So there’s this other database called the CVE database that is managed by MITRE and the Department of Homeland Security. NIST gets a copy of that. They download it approximately hourly and then that’s where they start. That’s kind of their starting point.
Eric White Gotcha. Okay. And then with that national vulnerability database, this is sort of a be on the lookout for those that are the defenders. Without getting too, too technical in the cybersecurity front, what does that look like? I mean, is that, you know, a certain program that they should be analyzing? Or is it a certain method of hackers trying to infiltrate? What do they see when they look at the NVD itself?
Chuck Mitchell Yeah, there’s really two primary ways that users interact with it. First is a public web page. So you can go there and you can say, I have this piece of software, tell me all the vulnerabilities that exist there. And then the other way is really for machines to talk to other machines. So an application can go out, download all of the vulnerabilities and then it can use that information to search throughout the defender’s environment to identify anything that would be vulnerable to that.
Eric White Okay, using that, that helps them secure up their product and their networks and everything else of that nature or what are they using it for exactly then?
Chuck Mitchell Yeah, exactly. So one of the key pieces of information that NIST adds to vulnerabilities is a way to tie a piece of software to the vulnerable version. So let’s say you’ve got a version of Windows and you wanna know, is this specific version vulnerable? And if so, to what? That allows them to make that tie and then they can take action on those specific pieces of software.
Eric White Okay, so this is an important piece of material here that NIST has its hand on. And you all wanted to take a look at how it is managing that. First off, what sparked this investigation itself, and then we can kind of get into how and what you found.
Chuck Mitchell Yeah, so back in 2024, a backlog started to develop. So as I mentioned, NIST gets public vulnerability reports and adds critical information to that. They were falling behind in that processing. And so this backlog was growing. About a year later, the backlog still existed and we wanted to know what was going on, why had it grown in that amount of time, and what was NIST gonna do to get out of that? We also wanted to what were they gonna do to make sure that it didn’t happen again once they were out of it? And so we decided to spin up this evaluation to see and really dig down in to understand the fundamentals of how they manage this.]]>

Eric White All right. And you just made this easy by me being able to repeat all the questions you just asked yourself. What was it that you found in trying to answer those questions?
Chuck Mitchell Yeah, so the most important thing that we found was really that this backlog was gonna exist forever unless NIST made some significant changes. They really weren’t able to keep up with the substantial growth that had happened in vulnerability reports. And at the same time, they were missing deadlines that they were setting for themselves on how to resolve this. And so really from the beginning in 2024 all the way through the end of our evaluation in 2026, the backlog had grown from zero all the up to about 27,000. And it was still growing by the time we finished our work.
Eric White And when you say the backlog, you mean reported vulnerabilities that just hadn’t been confirmed yet or hadn’t added to the list? What do you mean when you see a backlog?
Chuck Mitchell Yeah, exactly. So NIST gets the report and think of it as kind of raw data. And what they do is they go and they look at each one of those, they add four pieces of critical information, and then once that’s added, they publish it out for people to use. So until that actually happens, until they can go in and take a look at that and publish it, it’s just kind of sitting in a queue and there isn’t a lot of visibility and people can’t use it for what they’re trying to do on the defender side.
Eric White We’re speaking with Chuck Mitchell. He’s the director for cybersecurity audits and evaluations at the Department of Commerce Office of Inspector General. And how did they, the folks that you spoke with and your own findings, what is the reason for this backlog occurring what was the main thing was it workforce related money related? What were you all thinking?
Chuck Mitchell Well, the thing that really kicked off a lot of the backlog, the early on stuff from early 2024 was, they had a contractor that does most of the work for this. So there’s a bunch of analysts in this contract. It expired and they didn’t quickly enough re-award it to a new awardee so that they could pick up the work and that there wasn’t a break in service there. So that’s what started the backlog. At that point, once they had the new contract awarded, the contractor came in, started working through all these vulnerabilities, but there just really wasn’t enough resources available to make this happen in a short amount of time. And ultimately, because the processes were inefficient, which is one of the other things that we found, they just continuously fell behind there.
Eric White And let’s talk about this from the other side, the folks that are actually giving this information to NIST. I imagine there was some frustration when they’re trying to say, hey, this vulnerability is there, will you please get it out into the world, let everyone else know?
Chuck Mitchell Yeah, and that’s another one of the things that kind of sparked our evaluation here was there was an open letter published, about 50 people in the industry to both NIST and Congress that said, hey, there’s this important thing over here that NIST does. They have a backlog. It’s not getting better. We need some communication on what’s going on here. We need to use this for our systems, and this is causing us problems. So we need more information from you about why, what’s going on here, when’s it going to be resolved, and when can we reestablish that trust in the national vulnerability database.
Eric White And I’m curious, going back to the start of the use of this program, is it a victim of its own success, kind of like the cash for clunkers program, where it was never intended to be used this widely, or they didn’t think that this many people would be submitting so much information all the time? Or did they know that this was coming in and this is just a simple drop of the ball of not having enough resources behind it.]]>

Chuck Mitchell Well, it’s been kind of growing organically since way back in the late ’90s. So in one form or another, it started in like 1999, then became more formal in the early 2000s and has since grown. One of the things that’s interesting about this program is NIST doesn’t really control the other side of it, meaning they don’t know what vulnerabilities are gonna be reported. So any vulnerability out there that gets reported, they’re kind of on the hook to do this data gathering and adding to each vulnerability report. So unfortunately, as that grows and as people get better at finding this stuff and reporting it out to the public, NIST now has to go in and take action.
Eric White Alright, so let’s get into recommendations here. What else can this do here to improve efficiency and get that backlog down?
Chuck Mitchell Yeah, one of the things I mentioned is that they’re part of this whole vulnerability ecosystem. And so one of things we recommended to them was create a strategic plan, recognize where NIST fits in in this overall ecosystem, and then play to the strengths of that particular aspect of it. So that’s the first one. The second one we wanted to see was create a real backlog management plan that is achievable that you can communicate out to people of when this will be resolved and how it’ll be resolved. And then finally, as I mentioned, there was kind of this situation where people were looking at this like, hey, this is critical. We wanna know information about what’s going on when this is gonna happen. And so we recommended that they make a good communication strategy to get that information out to be more communicative to the people that are actually using this day to day.
Eric White And I can’t imagine there is much disagreement from them since all of those things sound like it would just make the job easier down the road anyway.
Chuck Mitchell No, and they agreed with all of those recommendations. And in a lot of cases, they actually, before our final report even came out, they had announced that they were making some changes.
Eric White Gotcha. Okay. And let’s just talk today. This report came out a couple of months ago. Are you already starting to see any improvement? Is it too early to call? And are you going keep on a tally of how big the backlog gets in the future?
Chuck Mitchell Yeah, we are kind of keeping an eye on it in the background. One of the things that NIST is required to give us 60 days after the final report is a corrective action plan. So we’re awaiting to see that of like what they’re formally gonna do here. As I mentioned, they’ve already taken some action and so we’ve been keeping an eyes on that. And it does look like it is having an effect. Unfortunately, they didn’t resolve the backlog per se. They rather just deferred it and said, we’re not gonna do that. We’re gonna use this other process where we have a prioritization method in place to take action on the things that are really important that are gonna be affecting defenders. And so rather than waste our time on doing everything, we’re gonna look at the really critical stuff and get those done now.Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.