NIST intends to address the accumulated weaknesses in security assessments

Cybersecurity and Infrastructure Security Agency joins forces with government contractor Analygence to tackle the pile of unaddressed issues in the National Vulnerability Database.

NIST Proposes to Clarify Pending Assessments on System Weaknesses

The National Institute of Standards and Technology (NIST) is working to address a substantial backlog of unanalyzed vulnerabilities in the National Vulnerability Database (NVD). The backlog has grown significantly over the past year and currently stands somewhere between approximately 12,600 and nearly 42,000 pending vulnerabilities, depending on the source and on how the entries are counted.

NIST was forced to scale back its activities on the NVD program in mid-February due to a change in interagency funding support and a high number of CVE disclosures. To combat this, NIST awarded a contract to Analygence, a Maryland-based cybersecurity analysis and email support company, to support the processing of incoming vulnerabilities for the NVD. The contract, worth $865,657, was initially awarded in December and includes an option to extend services into July 2025 for up to almost $1.8 million total.

CISA and NIST are also turning to Analygence to bring CVE processing back to normal. In addition, CISA is supporting NIST by providing additional information on backlogged CVEs to facilitate their addition to the database. The technology community relies on information about vulnerabilities to prioritize mitigation and understand risk, and the backlog and growing volume of vulnerabilities create critical challenges for cybersecurity defenders.

Progress in clearing the backlog has been slower than hoped. Estimates in mid-2024 projected that clearing the backlog might take about 10-11 months, but recent reports indicate that the backlog continues to grow. The discrepancy between backlog size estimates may reflect different definitions or stages of vulnerability processing, as well as the ongoing increase in vulnerability disclosures.

Meanwhile, alternative efforts by private sector companies like Phoenix Security and VulnCheck have started to pre-process and enrich vulnerability data to help mitigate the intelligence gap created by the NVD backlog.

Despite the challenges, NIST expects to clear the backlog of unanalyzed CVEs by the end of the U.S. government's fiscal year (September 30). CISA continuously assesses how to most effectively allocate limited resources to help organizations reduce the risk of newly disclosed vulnerabilities.

In summary, the clearing of the NVD vulnerability backlog by NIST and Analygence is ongoing but behind schedule due to rising submission rates and limited resources. Initiatives like CISA’s Vulnrichment and internal process improvements are underway, but as of July 2025, the backlog remains substantial and growing, with full resolution still months away at best.

  1. The substantial backlog of unanalyzed vulnerabilities in the National Vulnerability Database (NVD) raises privacy concerns, since data and cloud computing systems affected by unanalyzed vulnerabilities may remain exposed to cybersecurity threats.
  2. The technology community is grappling with the critical challenges posed by the growing volume of vulnerabilities in the NVD, because understanding risk and prioritizing mitigation depend on timely and accurate vulnerability information.
  3. CISA and NIST are working with Analygence to address the NVD backlog and reduce vulnerability-related cybersecurity risk, but the backlog remains substantial and growing, potentially leaving sensitive data and cloud computing systems in a vulnerable state.
