{"id":241398,"date":"2026-07-08T12:56:00","date_gmt":"2026-07-08T16:56:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/08\/nists-national-vulnerability-database-needs-some-help-to-continue-working\/"},"modified":"2026-07-08T13:00:09","modified_gmt":"2026-07-08T17:00:09","slug":"nists-national-vulnerability-database-needs-some-help-to-continue-working","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/08\/nists-national-vulnerability-database-needs-some-help-to-continue-working\/","title":{"rendered":"NIST\u2019s National Vulnerability Database needs some help to continue working"},"content":{"rendered":"<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/nists-national-vulnerability-database-has-largely-been-a-helpful-resource-but-needs-some-help-to-continue-that\/\">NIST\u2019s National Vulnerability Database needs some help to continue working<\/a><\/p>\n<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/nists-national-vulnerability-database-has-largely-been-a-helpful-resource-but-needs-some-help-to-continue-that\/\">https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/nists-national-vulnerability-database-has-largely-been-a-helpful-resource-but-needs-some-help-to-continue-that\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-08 12:56:00<\/a><\/p>\n<p>Source Domain: <a href=\"federalnewsnetwork.com\">federalnewsnetwork.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. Chuck Mitchell The National Vulnerability Database is a critical piece of the nation\u2019s cybersecurity infrastructure. It\u2019s used by NIST to capture publicly reported vulnerabilities that they then add some important data to, to make available to defenders so that they can take action when vulnerabilities are identified and then they can do the fixes that they need to in their own systems. It gets about 300,000 hits a day and is available worldwide really.<br \/>\nEric White And it\u2019s filled with folks that are on the front lines that are sending it to NIST, or does NIST also go out and look for these vulnerabilities itself as well?]]><\/p>\n<p>Chuck Mitchell Yeah, really they\u2019re a downstream user of this, all the vulnerability ecosystem. So there\u2019s this other database called the CVE database that is managed by MITRE and the Department of Homeland Security. NIST gets a copy of that. They download it approximately hourly and then that\u2019s where they start. That\u2019s kind of their starting point.<br \/>\nEric White Gotcha. Okay. And then with that national vulnerability database, this is sort of a be on the lookout for those that are the defenders. Without getting too, too technical in the cybersecurity front, what does that look like? I mean, is that, you know, a certain program that they should be analyzing? Or is it a certain method of hackers trying to infiltrate? What do they see when they look at the NVD itself?<br \/>\nChuck Mitchell Yeah, there\u2019s really two primary ways that users interact with it. First is a public web page. So you can go there and you can say, I have this piece of software, tell me all the vulnerabilities that exist there. And then the other way is really for machines to talk to other machines. So an application can go out, download all of the vulnerabilities and then it can use that information to search throughout the defender\u2019s environment to identify anything that would be vulnerable to that.<br \/>\nEric White Okay, using that, that helps them secure up their product and their networks and everything else of that nature or what are they using it for exactly then?<br \/>\nChuck Mitchell Yeah, exactly. So one of the key pieces of information that NIST adds to vulnerabilities is a way to tie a piece of software to the vulnerable version. So let\u2019s say you\u2019ve got a version of Windows and you wanna know, is this specific version vulnerable? And if so, to what? That allows them to make that tie and then they can take action on those specific pieces of software.<br \/>\nEric White Okay, so this is an important piece of material here that NIST has its hand on. And you all wanted to take a look at how it is managing that. First off, what sparked this investigation itself, and then we can kind of get into how and what you found.<br \/>\nChuck Mitchell Yeah, so back in 2024, a backlog started to develop. So as I mentioned, NIST gets public vulnerability reports and adds critical information to that. They were falling behind in that processing. And so this backlog was growing. About a year later, the backlog still existed and we wanted to know what was going on, why had it grown in that amount of time, and what was NIST gonna do to get out of that? We also wanted to what were they gonna do to make sure that it didn\u2019t happen again once they were out of it? And so we decided to spin up this evaluation to see and really dig down in to understand the fundamentals of how they manage this.]]><\/p>\n<p>Eric White All right. And you just made this easy by me being able to repeat all the questions you just asked yourself. What was it that you found in trying to answer those questions?<br \/>\nChuck Mitchell Yeah, so the most important thing that we found was really that this backlog was gonna exist forever unless NIST made some significant changes. They really weren\u2019t able to keep up with the substantial growth that had happened in vulnerability reports. And at the same time, they were missing deadlines that they were setting for themselves on how to resolve this. And so really from the beginning in 2024 all the way through the end of our evaluation in 2026, the backlog had grown from zero all the up to about 27,000. And it was still growing by the time we finished our work.<br \/>\nEric White And when you say the backlog, you mean reported vulnerabilities that just hadn\u2019t been confirmed yet or hadn\u2019t added to the list? What do you mean when you see a backlog?<br \/>\nChuck Mitchell Yeah, exactly. So NIST gets the report and think of it as kind of raw data. And what they do is they go and they look at each one of those, they add four pieces of critical information, and then once that\u2019s added, they publish it out for people to use. So until that actually happens, until they can go in and take a look at that and publish it, it\u2019s just kind of sitting in a queue and there isn\u2019t a lot of visibility and people can\u2019t use it for what they\u2019re trying to do on the defender side.<br \/>\nEric White We\u2019re speaking with Chuck Mitchell. He\u2019s the director for cybersecurity audits and evaluations at the Department of Commerce Office of Inspector General. And how did they, the folks that you spoke with and your own findings, what is the reason for this backlog occurring what was the main thing was it workforce related money related? What were you all thinking?<br \/>\nChuck Mitchell Well, the thing that really kicked off a lot of the backlog, the early on stuff from early 2024 was, they had a contractor that does most of the work for this. So there\u2019s a bunch of analysts in this contract. It expired and they didn\u2019t quickly enough re-award it to a new awardee so that they could pick up the work and that there wasn\u2019t a break in service there. So that\u2019s what started the backlog. At that point, once they had the new contract awarded, the contractor came in, started working through all these vulnerabilities, but there just really wasn\u2019t enough resources available to make this happen in a short amount of time. And ultimately, because the processes were inefficient, which is one of the other things that we found, they just continuously fell behind there.<br \/>\nEric White And let\u2019s talk about this from the other side, the folks that are actually giving this information to NIST. I imagine there was some frustration when they\u2019re trying to say, hey, this vulnerability is there, will you please get it out into the world, let everyone else know?<br \/>\nChuck Mitchell Yeah, and that\u2019s another one of the things that kind of sparked our evaluation here was there was an open letter published, about 50 people in the industry to both NIST and Congress that said, hey, there\u2019s this important thing over here that NIST does. They have a backlog. It\u2019s not getting better. We need some communication on what\u2019s going on here. We need to use this for our systems, and this is causing us problems. So we need more information from you about why, what\u2019s going on here, when\u2019s it going to be resolved, and when can we reestablish that trust in the national vulnerability database.<br \/>\nEric White And I\u2019m curious, going back to the start of the use of this program, is it a victim of its own success, kind of like the cash for clunkers program, where it was never intended to be used this widely, or they didn\u2019t think that this many people would be submitting so much information all the time? Or did they know that this was coming in and this is just a simple drop of the ball of not having enough resources behind it.]]><\/p>\n<p>Chuck Mitchell Well, it\u2019s been kind of growing organically since way back in the late \u201990s. So in one form or another, it started in like 1999, then became more formal in the early 2000s and has since grown. One of the things that\u2019s interesting about this program is NIST doesn\u2019t really control the other side of it, meaning they don\u2019t know what vulnerabilities are gonna be reported. So any vulnerability out there that gets reported, they\u2019re kind of on the hook to do this data gathering and adding to each vulnerability report. So unfortunately, as that grows and as people get better at finding this stuff and reporting it out to the public, NIST now has to go in and take action.<br \/>\nEric White Alright, so let\u2019s get into recommendations here. What else can this do here to improve efficiency and get that backlog down?<br \/>\nChuck Mitchell Yeah, one of the things I mentioned is that they\u2019re part of this whole vulnerability ecosystem. And so one of things we recommended to them was create a strategic plan, recognize where NIST fits in in this overall ecosystem, and then play to the strengths of that particular aspect of it. So that\u2019s the first one. The second one we wanted to see was create a real backlog management plan that is achievable that you can communicate out to people of when this will be resolved and how it\u2019ll be resolved. And then finally, as I mentioned, there was kind of this situation where people were looking at this like, hey, this is critical. We wanna know information about what\u2019s going on when this is gonna happen. And so we recommended that they make a good communication strategy to get that information out to be more communicative to the people that are actually using this day to day.<br \/>\nEric White And I can\u2019t imagine there is much disagreement from them since all of those things sound like it would just make the job easier down the road anyway.<br \/>\nChuck Mitchell No, and they agreed with all of those recommendations. And in a lot of cases, they actually, before our final report even came out, they had announced that they were making some changes.<br \/>\nEric White Gotcha. Okay. And let\u2019s just talk today. This report came out a couple of months ago. Are you already starting to see any improvement? Is it too early to call? And are you going keep on a tally of how big the backlog gets in the future?<br \/>\nChuck Mitchell Yeah, we are kind of keeping an eye on it in the background. One of the things that NIST is required to give us 60 days after the final report is a corrective action plan. So we\u2019re awaiting to see that of like what they\u2019re formally gonna do here. As I mentioned, they\u2019ve already taken some action and so we\u2019ve been keeping an eyes on that. And it does look like it is having an effect. Unfortunately, they didn\u2019t resolve the backlog per se. They rather just deferred it and said, we\u2019re not gonna do that. We\u2019re gonna use this other process where we have a prioritization method in place to take action on the things that are really important that are gonna be affecting defenders. And so rather than waste our time on doing everything, we\u2019re gonna look at the really critical stuff and get those done now.Copyright<br \/>\n                            \u00a9\u00a02026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>NIST\u2019s National Vulnerability Database needs some help to continue working https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/nists-national-vulnerability-database-has-largely-been-a-helpful-resource-but-needs-some-help-to-continue-that\/ Publish Date: 2026-07-08 12:56:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":241399,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2026\/06\/GettyImages-1422997178-scaled.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-241398","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241398"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=241398"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241398\/revisions"}],"predecessor-version":[{"id":241400,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241398\/revisions\/241400"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/241399"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=241398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=241398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=241398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}