In an article published on CyberSecurityDive.com on Jan 23, 2026, NIST is finally talking about the situation with the National Vulnerability Database (NVD).
For years, Boyens said, vulnerabilities have been arriving in the database much more quickly than NIST can analyze them and provide detailed information about them, a process the agency calls “enrichment.” That work is “very labor-intensive” and “not scalable to the amount of CVEs that we’re getting in there,” Boyens explained. “We’re fighting a losing battle. We recognize that.”

While most of the vulnerability community has understood that the NVD will never catch up, there has been a lack of communication from NIST about the problem. The lack of enrichment has kept many systems in the dark: Software Bill of Materials (SBOM) component names did not match all vulnerabilities, because the vulnerable products and libraries were not properly named. During this time, the CVE program has encouraged the CVE Numbering Authorities to step up and enrich all CVEs at publication time. CISA has also stepped in and added some enrichment, but it does not cover all CVEs.
Patrick Garrity commented on LinkedIn:
I find it interesting that National Institute of Standards and Technology (NIST) is discouraging the use of the word “backlog” after facing resource limitations for nearly 2 years.
I appreciate they are finally acknowledging the challenges they’ve had in setting expectations and dealing with resource limitations. I’m still concerned about their ability to modernize and address real risk that goes overlooked.
The important part is that all affected products are found when checking a Software Bill of Materials (SBOM) with a vulnerability database. Without the National Vulnerability Database (NVD), it’s critical that some organisation steps forward to make our SBOMs operational again.
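The matching problem described above, as an added example that is not part of the original post: an SBOM scan that compares components to CVE records by CPE silently misses any record that was never enriched with a product identifier. The CVE ids, vendors, products and versions are constructed placeholders, and exact-version CPE comparison is a simplifying assumption.

```python
# Constructed sample data: CVE ids, vendors, products and versions are placeholders.
SBOM = [
    {"name": "examplelib", "cpe": "cpe:2.3:a:examplevendor:examplelib:1.4.2:*:*:*:*:*:*:*"},
    {"name": "otherlib", "cpe": "cpe:2.3:a:othervendor:otherlib:2.0.0:*:*:*:*:*:*:*"},
]
CVE_RECORDS = [
    # Enriched: carries a machine-readable product identifier.
    {"id": "CVE-0000-0001", "description": "Overflow in ExampleLib 1.4.2.",
     "cpes": ["cpe:2.3:a:examplevendor:examplelib:1.4.2:*:*:*:*:*:*:*"]},
    # Not enriched: the product is named only in free text.
    {"id": "CVE-0000-0002", "description": "Injection flaw in Other Lib 2.0.0.",
     "cpes": []},
]


def cpe_key(cpe):
    """Return (vendor, product, version) from a CPE 2.3 string.

    Simplification: plain split on ':'; escaped colons are not handled.
    """
    return tuple(cpe.split(":")[3:6])


def scan(sbom, records):
    """Match SBOM components to CVE records by CPE.

    Returns (matched, unenriched): matched is a list of (component, cve_id);
    unenriched lists CVE ids that could not be checked at all.
    """
    matched, unenriched = [], []
    for rec in records:
        if not rec["cpes"]:
            # No identifier to compare: this is "unknown", not "not affected".
            unenriched.append(rec["id"])
            continue
        keys = {cpe_key(c) for c in rec["cpes"]}
        matched += [(c["name"], rec["id"]) for c in sbom if cpe_key(c["cpe"]) in keys]
    return matched, unenriched


if __name__ == "__main__":
    matched, unenriched = scan(SBOM, CVE_RECORDS)
    print("matched:", matched)
    print("not checkable (no product identifier):", unenriched)
```

Reporting the unenriched records separately keeps a scan from presenting "no match" as "not affected" for `otherlib`.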