CVSS: NIST restricts evaluation of IT security vulnerabilities
The US NIST operates the NVD vulnerability database. The backlog of analyses is large, and the Inspector General's criticism is harsh.
The US National Institute of Standards and Technology (NIST) will largely cease evaluating IT security vulnerabilities with the known CVSS severity levels. This is one of the measures with which NIST aims to combat the growing backlog in its National Vulnerability Database (NVD). How this is compatible with the legal obligation to calculate CVSS (Common Vulnerability Scoring System) remains open – but where there's no plaintiff, there's no judge.
The NVD builds on CVE. CVE (Common Vulnerabilities and Exposures) is a system for the standardized identification of IT security vulnerabilities. NIST takes the CVE entries and enriches them with detailed threat information, notes on available updates, and other recommendations for action. This includes an assessment according to CVSS of how severe the problem is, as well as the creation of a machine-readable list of affected software. The latter matters because, for example, a bug in a code library can affect numerous programs from very different manufacturers that use this library.
IT security officers, but also journalists like us at heise security, use the NVD to look up current threat details. In addition, NVD entries are evaluated automatically by tooling. As of April 2026, the NVD averaged more than 300,000 unique users per day, with query traffic totalling 22 terabytes daily. The intensive use shows how important the service is for improving IT security.
Underfunded and ill-prepared
The problem: NIST is not receiving enough budget to operate the NVD. The number of reported security vulnerabilities is constantly increasing, but the staffing levels are not. And so, the backlog of 13,000 analyses in June 2024 grew to around 27,000 by September 2025, despite previous efforts by NIST. In the last quarter of 2025, NIST likely managed to keep the backlog stable.
Now, the US Department of Commerce's Inspector General is pushing for restrictions. It estimates that more than 60,000 vulnerabilities will need to be analyzed in 2026. For comparison: ICAT (Internet Category of Attack Toolkit), the predecessor of NVD, began its work in 1999 and only reached the mark of 5,000 entries three years later.
The report criticizes NIST for a lack of strategic planning. This is undeniable: due to budget regulations, NIST was only allowed to commission small companies to manage the NVD. At the beginning of 2021, however, the contractor was acquired by a larger company, which is why the contract had to expire three years later. Then, in the fall of 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) stopped its financial contributions to the operation of the NVD.
As a result, the work stalled from February 2024 onwards, and the backlog began to build. While the Inspector General acknowledges the financial problem, it accuses those responsible of reacting too late. The contract with a new service provider was only concluded in May 2024, and the training of employees was completed in November of that year. NIST now promises a strategy and a management plan to work through the backlog.
Now the manufacturer's CVSS proposal applies
In addition, the Inspector General accuses NIST of wasting money, albeit to a modest extent: the calculation of CVSS is usually unnecessary because the publishers of the respective software already provide a CVSS score themselves. However, the independent calculation is valuable, as software publishers tend to downplay errors in their products. NIST did not provide any evidence for this open secret during the audit, which is why the report explicitly does not consider it.
By ceasing CVSS scoring, NIST can save 800,000 US dollars within two years. NIST is trying to strike a balance: routine CVSS calculation will be stopped immediately. Only if the score provided by the manufacturer is significantly inconsistent with the standard or publicly available information will NIST "perhaps" still calculate a score – otherwise, only upon explicit request. In the meantime, the institute is looking for a way to calculate CVSS automatically.
NIST NVD vs. CISA Vulnrichment
NIST has allegedly wasted another 200,000 US dollars because CISA has been running a parallel project called Vulnrichment since May 2024. In fact, NVD and Vulnrichment overlap: both collect vulnerability information from their sources, assess its severity according to CVSS, and categorize it according to CWE. (CWE stands for Common Weakness Enumeration. It deals not with individual vulnerabilities, but with categories of common weaknesses in hardware and software.)
However, only in the NVD can one read which products are affected by a vulnerability. For this purpose, NIST maintains CPE (Common Platform Enumeration), a standardized list of software names and versions – after all, it's not enough to write "calculator vulnerability in Windows." Vulnrichment lacks this important information, but CISA calculates a second severity score called SSVC (Stakeholder-Specific Vulnerability Categorization), which is intended to show software administrators how urgent the problem is in their specific deployment scenario.
While NIST is legally obligated to maintain the NVD, CISA operates Vulnrichment on its own initiative. Why NIST should have wasted 200,000 dollars and not CISA is not explained in the report. Nevertheless, NIST promises to improve cooperation with CISA. Furthermore, NIST hopes for a tool that will allow reporting companies to self-report in a CPE-standardized manner which programs are affected by a specific security vulnerability.
Another point of criticism is poor communication. A particular highlight is an open letter from more than 50 IT security experts, which addressed the backlog and lack of transparency in April 2024. NIST has never responded to it. Now, it at least intends to develop a communication strategy.
- Evaluation of NIST's Management of the National Vulnerability Database, dated May 26, 2026, report number OIG-26-020-I, including NIST's response
(ds)