The National Institute of Standards and Technology is reevaluating its role in analyzing software vulnerabilities as it tries to meet skyrocketing demand for vulnerability analysis and reassure partners about the government’s continuing commitment to the program that catalogs those flaws.
“We’ve been doing more and more thinking about the [National Vulnerability Database] and, strategically, how we’re planning on moving forward,” Jon Boyens, the acting chief of NIST’s Computer Security Division, told members of the agency’s Information Security and Privacy Advisory Board during a quarterly meeting on Thursday.
NIST’s strategic review of the NVD — which adds detailed information to flaws listed in the federally funded Common Vulnerabilities and Exposures catalog — comes as cybersecurity experts increasingly question the government’s role in managing the CVE ecosystem. NIST for years has been unable to keep up with the flood of vulnerabilities requiring analysis, and a 2025 controversy over a near-lapse in government funding for the CVE catalog intensified concerns about the fate of a critical cybersecurity resource.
“We’ve been kind of caught on our heels for the last year and a half,” Boyens, whose division manages the NVD, told board members on the second day of their quarterly meeting.
For years, Boyens said, vulnerabilities have been arriving in the database much more quickly than NIST can analyze them and provide detailed information about them, a process the agency calls “enrichment.” That work is “very labor-intensive” and “not scalable to the amount of CVEs that we’re getting in there,” Boyens explained. “We’re fighting a losing battle. We recognize that.”
Triaging flaws
To solve this problem, NIST will begin prioritizing which vulnerabilities it enriches based on several factors, including whether a vulnerability appears in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, whether it exists in software that federal agencies use and whether it exists in software that NIST defines as critical.
“All CVEs aren’t equal,” Boyens said. “We’re in the process of defining that prioritization. We’ve had an informal prioritization for a while. We want to formalize it now.”
NIST is also trying to shift expectations around enrichment by discouraging the use of the word “backlog” for unenriched vulnerabilities. “We’ll have to find another term,” Boyens said. “I don’t think it serves our mission or our stakeholders to try to go back and enrich every CVE that is out there or that has ever been submitted.”
Shifting responsibility
At the same time, NIST is reconsidering its role in the vulnerability analysis ecosystem. The agency intends to publish a strategy and implementation plan to guide this review, and once it gets hiring authority from the Trump administration, it will hire a program manager to lead the process.
As part of the review, NIST will engage with its partners — other agencies, private companies, and independent researchers — to understand how they use the NVD and what kinds of information they want it to provide.
“A lot of the things that we enrich the CVEs with, we’ve been doing, but we actually don’t have an understanding if those are really useful,” Boyens said.
The review, he said, will involve “both finding out what the broader community needs and then where NIST fits in that ecosystem.”
NIST’s goal is to transfer the vulnerability-enrichment work to the CVE Numbering Authorities (CNAs), which validate CVEs and assign them unique identifiers. But before that can happen, Boyens said, NIST needs to write guidance for the CNAs on how to do enrichment.
When NIST finally transfers that work to the CNAs, Boyens said, it will represent “a large reset” for the agency, which has analyzed vulnerability data for more than 20 years. The NVD program has always been an outlier within NIST’s cybersecurity portfolio, which consists mostly of research and standards-setting activities rather than operational projects.
“Our foundation is research, development, and moving [the] application [of technology] out to the broader marketplace,” Boyens said. “The operational side, we’ve found very costly and outside of our bailiwick.”
“We want to get back to what NIST’s core functions are,” he added.
Collaboration or competition?
During Thursday’s meeting, advisory board members asked Boyens about other vulnerability-analysis projects that have sprung up in the wake of the near-collapse of the CVE program.
CISA, which funds the CVE database, has tried to demonstrate its commitment to the issue by launching its own “Vulnrichment” project. But Boyens sounded skeptical of that effort, telling board members, “I don’t think it’s a solution to the [NVD] backlog. I think we’ve found that there’s some duplicative efforts there.” NIST and CISA staff are planning to meet in the coming days to “do a better job of coordination,” he added.
Boyens also expressed concern about a new European vulnerability database, the Global CVE Allocation System (GCVE), which launched in response to concerns about the U.S.-funded system. NIST plans to meet with GCVE’s operators “to make sure that we’re not balkanizing the entire process throughout the community,” Boynes said.
Meanwhile, the Commerce Department’s inspector general is still auditing the NVD in response to concerns about the backlog. Boyens expressed hope that the audit, which he said had taken up “a lot of our time,” would “be concluding shortly.”
