
Cybersecurity

The NVD Is Not Broken — It Is Architecturally Obsolete

by Fernando Serto 10 min read
NVD Vulnerability Management CVSS CISA Governance

On May 26, 2026, the U.S. Department of Commerce Inspector General published a report that confirms what the security community had been flagging for two years: the National Vulnerability Database has stopped being the authoritative source of vulnerability data that underpinned twenty years of vulnerability management practice. The number that matters from the report is not the 27,000-vulnerability backlog. It is the 12%.

Twelve percent was the rate of agreement on CVSS severity among independent evaluators inside the OIG itself, testing the same set of vulnerabilities. This is not marginal discrepancy. This is a measure the entire cybersecurity ecosystem has treated as objective for two decades, and which behaves like subjective assessment under the U.S. federal government’s own internal testing.

That changes the conversation. The NVD’s problem is not operational. It is architectural.

What the Report Found

The timeline documented by the OIG is direct. In February 2024, the NVD enrichment contract lapsed. Enrichment is the manual process by which NIST analysts add metadata to each incoming CVE: CVSS severity, CWE categorization, list of affected products via a CPE applicability statement, references. Without enrichment, a CVE is an identifier string with no operational context. With enrichment, it becomes an input for vulnerability management automation.

The contract lapsed and the backlog began to grow. NIST announced in May 2024 that the backlog would be cleared by September. There was no internal plan to back the promise. By October, NIST had missed its own target. By the end of 2025, the backlog had passed 27,000 vulnerabilities. For 2026, the OIG projects more than 60,000 reported CVEs across the year, nearly ten times the volume of a decade ago.

Four findings, condensed:

1. NIST had no strategic plan for the NVD when the OIG asked. The internal capacity estimated by the OIG, with the contractor trained and dedicated, was 5,300 vulnerabilities per month, below the 6,200 needed to meet the September 2024 target. The team was not fully trained until November of that year. Of 226 vulnerabilities added to the CISA KEV Catalog between February 2024 and December 2025, 34% did not receive enrichment within a reasonable one-business-day window. The KEV Catalog lists vulnerabilities under active exploitation, and under Binding Operational Directive 22-01 U.S. federal civilian agencies typically have two weeks to remediate them.

2. 80% of analysts’ time is spent on two activities: CVSS calculation and construction of CPE applicability statements. The 12% agreement rate on CVSS scoring among independent OIG evaluators dismantles the premise that NIST’s work adds unique value in that activity. CISA already provides CVSS. Close to 80% of CVE Program participants also include a score in their submission. The OIG estimates USD 800,000 in savings over two years if NIST stops duplicating this activity.

3. NIST and CISA run two parallel enrichment programs, NVD and Vulnrichment, both executed by the same contractor. CISA launched Vulnrichment in May 2024 and invited NIST to issue a joint statement. NIST neither responded nor coordinated. Between May 2024 and December 2025, the OIG identified 21,000 cases of direct duplication, totaling USD 200,000 in documented duplicated spend.

4. Institutional communication failed. An open letter from more than 50 cybersecurity professionals to Congress and the Secretary of Commerce, in April 2024, went without a reply. In an OIG survey of the signatories, 90% reported dissatisfaction with the frequency of updates, and 75% reported relying less on the NVD since the backlog began.

That last number is what matters most to the operator. The market had already moved before the official report.

Why This Is Architectural, Not Operational

The 12% CVSS-scoring agreement exposes something vendors and regulators prefer not to name: a centralized CVSS score depends more on who assigns it than on the framework itself. The CVSS formula is deterministic, but its inputs are not measurements. They are a shared vocabulary for describing attributes of a vulnerability: Attack Vector, Attack Complexity, Confidentiality Impact, and so on. Every metric admits judgment. Two analysts reading the same CVE can classify the attack vector as Network or Adjacent depending on their architectural assumptions, and that single choice can move the base score across a severity band. The result: different scores for the same vulnerability, depending on who is analyzing it.

This does not invalidate CVSS. It invalidates the model of a single federal agency scaling humans to generate the world’s canonical score. The premise that there is a “correct” score collapses when the government’s own internal testing shows 12% agreement. CVSS remains useful as a comparative attribute inside a pipeline. It loses the aura of objective truth that justified federal centralization.

Second problem. NIST and CISA pay the same contractor to do overlapping work. This is not individual agency failure. It is a symptom of fragmented governance. Over the past five years the federal vulnerability ecosystem has effectively split across agencies: CISA owns the KEV Catalog, created Vulnrichment, and sponsors the CVE Program that MITRE operates. Governance has not kept up. Each agency operates as if it were the sole provider. The market sees two APIs, two databases, two feeds, and has to decide which one to trust for which use.

Third problem. The “humans enrich everything via contract” model has a mathematical ceiling. NIST’s internal capacity with the current team is estimated at 5,300 vulnerabilities per month. The volume projection for 2026 is 60,000 CVEs per year, which is 5,000 per month. That is tight even if NIST works 100% on enrichment, and submissions are not going to stop growing. The identifiers themselves show the scale: CVE-2017-0144 (EternalBlue) fits in a four-digit sequence number, while identifiers assigned in recent years routinely need five digits because tens of thousands are issued every year. Same governance structure, an order of magnitude more volume.

Fourth problem. CISA stopped generating CPE applicability statements in December 2024, leaving NIST as the sole government source of that activity. CISA’s stated reason: generating CPE statements consumed too much time. The obvious institutional response would have been to coordinate with NIST and decide how the combined offering would look. That is not what happened. CISA simply stopped. NIST had no capacity to absorb the extra volume. The market found out from the feeds themselves that the activity had slowed.

Put the four points together and the reading is clear. The NVD was designed for an era of lower volume, within an institutional arrangement where NIST was the only agency producing this information. That arrangement has unraveled at the level of fact but not at the level of model. The OIG identifies the operational symptoms precisely. It does not challenge the model.

What Has Changed for Vulnerability Management Operators

Seventy-five percent of the signatories of the April 2024 open letter say they rely less on the NVD since the backlog began. That number did not come from trade press. It came from the OIG’s own survey of the professionals who signed the letter. These are people running vulnerability management at organizations ranging from software vendors to hyperscalers to governments. When 75% of them reduce their dependence on a source, the ecosystem has already moved.

Multi-source pipelines have become the operational default. In rough order of practical utility for prioritization:

  • CISA KEV Catalog: the canonical list of vulnerabilities under active exploitation. Small, curated, with a federal remediation deadline for U.S. civilian agencies. Treat it as a maximum-priority signal independent of CVSS score.
  • EPSS (Exploit Prediction Scoring System): the probability, computed by FIRST from observed exploitation telemetry, that exploitation activity against a vulnerability will be seen in the wild within the next 30 days. Useful for ordering vulnerabilities within the same severity band.
  • CISA Vulnrichment: parallel enrichment to the NVD, maintained by CISA. Coverage is focused on critical-infrastructure-relevant vulnerabilities. Good coverage of SSVC (Stakeholder-Specific Vulnerability Categorization), which the NVD does not do.
  • GitHub Security Advisories: a database of open-source ecosystem vulnerabilities with CVSS, descriptions, and affected versions. Broad coverage of npm, PyPI, Maven, and Go dependencies.
  • Direct vendor advisories: Microsoft Security Response Center, Cisco PSIRT, Red Hat Security Data, Apple Security Updates. When available, these are faster and more precise than the NVD for specific products.

The practical recommendation for the CISO still treating the NVD as single-source ground truth is direct:

  • Stop blocking triage waiting on NVD enrichment. If a freshly published CVE affects your inventory, decide based on the vendor advisory, CISA Vulnrichment, or EPSS.
  • Use CVSS as a comparative attribute, not as a numerical target. Use bands (Critical, High, Medium) for routing internal SLAs. Do not chase decimals.
  • Incorporate KEV into your maximum-priority criterion. If a vulnerability is in KEV, the discussion is about remediation speed, not about whether it is worth doing.
  • Use EPSS to order remediation within severity bands. Twenty Critical CVEs in the same quarter? Sort by EPSS.
  • Accept vendor-provided CVSS when available. Audit it on a sample basis, but stop waiting for NIST to recompute a value the vendor already supplied.

Operationally, this means standing up a pipeline with at least three sources. Politically, it means dropping “the NVD says X” as an internal argument from authority.
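One way to implement the pipeline the recommendations above describe, as an added example that is not code from this post or from any of the named sources. The record layout, field names, SLA values and sample findings are assumptions constructed for illustration; a real pipeline would fill the records from vendor advisories, the NVD and Vulnrichment data, the CISA KEV feed and the FIRST EPSS data. The example goes slightly beyond the list above by adding the sample audit of vendor scores the last bullet asks for.

```python
"""Multi-source vulnerability prioritization.

Added example, not code from the post or from any vendor. Record layout, field
names, SLA values and the sample findings are assumptions constructed for
illustration; a real pipeline fills them from vendor advisories, the NVD and
Vulnrichment data, the CISA KEV feed and the FIRST EPSS data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Internal SLA, in days, per routing tier. Placeholder policy values.
SLA_DAYS = {"KEV": 14, "Triage": 7, "Critical": 30, "High": 60, "Medium": 90, "Low": 180}
# Lower rank sorts first. KEV outranks any score; unscored findings get a fast
# human decision instead of waiting on NVD enrichment.
TIER_RANK = {"KEV": 0, "Triage": 1, "Critical": 2, "High": 3, "Medium": 4, "Low": 5}


@dataclass
class Finding:
    cve: str
    vendor_cvss: Optional[float]        # base score from the vendor / CNA advisory
    vulnrichment_cvss: Optional[float]  # base score from CISA Vulnrichment
    nvd_cvss: Optional[float]           # None while the CVE sits in the NVD backlog
    epss: Optional[float]               # FIRST EPSS probability (0..1), None if unpublished
    in_kev: bool                        # listed in the CISA KEV Catalog


def band(score: float) -> str:
    """CVSS v3.x qualitative rating; the 0.0 'None' rating is folded into Low for routing."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def effective_score(f: Finding) -> Tuple[Optional[float], str]:
    """Take the first score available in preference order instead of blocking on NVD."""
    for source, value in (("vendor", f.vendor_cvss),
                          ("vulnrichment", f.vulnrichment_cvss),
                          ("nvd", f.nvd_cvss)):
        if value is not None:
            return value, source
    return None, "none"


def route(f: Finding) -> Dict:
    """Assign a routing tier: KEV overrides the score; no score at all goes to triage."""
    score, source = effective_score(f)
    if f.in_kev:
        tier = "KEV"
    elif score is None:
        tier = "Triage"
    else:
        tier = band(score)
    return {
        "cve": f.cve,
        "tier": tier,
        "score": score,
        "score_source": source,
        "epss": f.epss if f.epss is not None else 0.0,
        "sla_days": SLA_DAYS[tier],
    }


def prioritize(findings: List[Finding]) -> List[Dict]:
    """Order the queue: tier first, EPSS descending within a tier, then CVE id for stability."""
    routed = [route(f) for f in findings]
    routed.sort(key=lambda r: (TIER_RANK[r["tier"]], -r["epss"], r["cve"]))
    return routed


def band_disagreements(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Sample audit of vendor scores: flag CVEs where vendor and NVD land in different bands."""
    out = []
    for f in findings:
        if f.vendor_cvss is not None and f.nvd_cvss is not None:
            vb, nb = band(f.vendor_cvss), band(f.nvd_cvss)
            if vb != nb:
                out.append((f.cve, vb, nb))
    return out


# Constructed sample findings; the identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, None, None, 0.02, False),   # vendor-scored, NVD backlog
    Finding("CVE-0000-0002", 5.3, None, 5.3, 0.91, True),     # Medium on paper, but in KEV
    Finding("CVE-0000-0003", 9.1, None, 9.1, 0.85, False),    # Critical with high EPSS
    Finding("CVE-0000-0004", None, None, None, None, False),  # nothing enriched yet
    Finding("CVE-0000-0005", 6.5, None, 7.2, 0.10, False),    # vendor and NVD disagree on band
    Finding("CVE-0000-0006", 7.8, 7.8, None, 0.40, False),    # vendor and Vulnrichment agree
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{r['cve']}  tier={r['tier']:<8} score={r['score']}  "
              f"from={r['score_source']:<12} epss={r['epss']:.2f}  sla={r['sla_days']}d")
    print("band disagreements (vendor vs NVD):", band_disagreements(SAMPLE))
```

Three design choices carry the recommendations: KEV membership is checked before any score is consulted, so a 5.3 in KEV lands ahead of a 9.8 that is not; a finding with no score from any source is routed to a short-SLA triage tier rather than left idle until NVD enrichment arrives; and the vendor score is accepted first, with band_disagreements giving the auditor a list of CVEs where vendor and NVD disagree by a whole band, which is where a sample review is worth the time.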

What the Report Does Not Challenge

The OIG’s six recommendations to NIST are reasonable, and NIST concurred with all of them. Strategic plan. Backlog plan with milestones. Formal policy to minimize duplicate CVSS scoring. An efficient mechanism for external CPE contributions. Immediate coordination with CISA. A stakeholder communication strategy.

Carrying out all six will improve operations. It will not change the model. NIST can deliver an NVD with a formalized strategic plan, a cleared backlog, and active communication, and still be just one source among several in a multi-source pipeline. That is not necessarily bad. It is simply a reality the report describes without naming.

The governance question the report leaves open: when the public sector fails to maintain critical cybersecurity data infrastructure, who steps in? Commercial providers offer their own enrichment — Tenable, Mandiant, Snyk, each with proprietary databases. But a public single source of truth still matters for regulation. PCI DSS 4.0, the EU’s NIS2, evolving LGPD requirements in Brazil — they all still reference official CVSS in their text. Reframing the NVD as a multi-source coordination hub rather than a sole producer is a U.S. federal policy decision that has not been made yet.

For operators outside the United States, this matters as well. The regulation now landing in local environments still references the NVD as a source. PCI DSS 4.0 is fully in force (its future-dated requirements became mandatory in March 2025) and local enforcement is still rolling out across markets. NIS2 shapes European vendors that sell to the rest of the world. Brazilian sectoral cybersecurity regulation, including BACEN rules for financial institutions, incorporates a vulnerability framework that assumes a public ground truth. Walking away from the NVD operationally is not an option. Walking away from exclusive dependence on it is.

Closing Thoughts

The NVD still matters, but its role has changed. It was once the single source of truth. It is now one source among several, with structural problems the OIG documents precisely and whose underlying solutions the report itself does not propose. Anyone still operating vulnerability management on the opposite assumption is building on ground that has shifted.

For the CISO, three immediate action items:

  • Diversify enrichment sources. A pipeline with NVD, Vulnrichment, EPSS, and vendor advisories is more resilient and faster than NVD-only.
  • Review internal SLAs that assume real-time NVD data. Many were written when NVD delivered in hours. Today the wait can run to weeks, and some critical vulnerabilities never receive complete enrichment.
  • Document, for audit purposes, how you compose your prioritization decision. PCI 4.0 and sectoral regulation will ask.

For regulators and public-sector buyers, a note of caution: the U.S. ecosystem that serves as the reference base for much of global vulnerability regulation is in structural transition. Tying regulatory requirements to the NVD as a single provider, in regulatory text, creates fragility that will carry a cost. Worth watching how NIST and CISA reorganize the model over the next twelve to twenty-four months, and adjusting references accordingly.

The OIG did what was within its remit: it documented the facts and recommended specific fixes. The rest is a discussion about the model. And that discussion belongs to all of us.

Fernando Serto


Visionary Leader in Security and IT Infrastructure | CISO/CTO | Specialist in Offensive and Defensive Security and Risk Reduction | Evangelist | Keynote Speaker