In response to ongoing issues with a significant backlog of unexamined vulnerabilities, the US government has launched an audit of the National Institute of Standards and Technology’s (NIST) management of its National Vulnerability Database (NVD). The audit, announced by the Department of Commerce’s Office of Inspector General (DoC IG) on May 20, 2025, will focus on evaluating NIST’s processes for handling NVD submissions and addressing delays that have plagued the database over the past year.
Background of the NVD Backlog
The NVD, a key resource in the cybersecurity landscape, is responsible for maintaining an up-to-date record of publicly disclosed cybersecurity vulnerabilities. However, over the past year, the database has faced challenges due to the termination of a crucial contract that supported its operations. This disruption has resulted in a growing backlog of vulnerabilities that remain unexamined, creating a bottleneck in the analysis process and leaving new vulnerabilities unchecked.
This backlog issue has become a point of concern for both cybersecurity professionals and the US government. The lack of timely analysis could lead to increased exposure to cyber threats, as vulnerabilities remain unaddressed for extended periods. The audit will focus on NIST’s ability to manage the increasing volume of submissions and whether its existing backlog reduction strategies are effective in addressing this issue.
Purpose of the Audit
The audit, as outlined in the announcement memo from Kevin D. Ryan, Acting Assistant Inspector General for Audit and Evaluation at the DoC IG, aims to assess the effectiveness of NIST’s management processes and identify areas for improvement. Specifically, the audit will examine the long-term effectiveness of NIST’s strategies for reducing the vulnerability backlog and preventing future delays in processing.
According to the memo, the audit team will start their work immediately. They plan to engage NIST’s audit liaison to schedule a meeting and discuss the specifics of the audit, including the objectives, scope, timeframes, and potential data requests.
NIST’s Response to the Backlog
In response to the backlog, NIST has already begun implementing measures to improve the processing of vulnerabilities. In April 2025, during the VulnCon conference, Tanya Brewer, NVD Program Manager, and Matthew Scholl, Chief of the Computer Security Division at NIST, shared updates on improvements within the NVD program. These updates included plans to automate more data analysis tasks and explore the use of AI-powered methods to assist in faster vulnerability analysis.
Despite these efforts, the backlog remains a significant issue, and the audit is expected to provide a comprehensive review of the existing processes, with an eye toward long-term solutions to ensure the NVD remains efficient and responsive to the ever-growing volume of cybersecurity threats.
Looking Forward
As part of the audit process, the DoC IG has emphasized the importance of enhancing NIST’s vulnerability management processes to prevent further delays in the submission and analysis of vulnerabilities. The audit is expected to provide insights into how NIST can streamline its operations and implement more effective strategies for vulnerability assessment, ultimately helping to mitigate cyber risks across the country.
With NIST continuing to refine its systems, the US government’s audit could be a key step in ensuring the NVD’s long-term sustainability and effectiveness in protecting the nation’s cybersecurity infrastructure. The findings of this audit are expected to inform policy changes and guide future investments in vulnerability management.
How Can Netizen Help?
Netizen ensures that security gets built in rather than bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time: https://www.netizen.net/contact
