fdd.org

Delayed Vulnerability Analysis Puts America at a Cybersecurity Disadvantage

The National Institute of Standards and Technology (NIST) is struggling. It faces a growing backlog to process data in its vulnerability repository, which publicly shares information assessing and detailing mitigation solutions against new cyber exploits. With nearly 1,800 new reported vulnerabilities sitting in a queue for analysis this year, delays in processing leave the United States increasingly vulnerable to emerging threats.

As Cyber Threats Escalate, the National Vulnerability Database Is Falling Behind

In 2025, the National Vulnerability Database (NVD) backlog has worsened as the volume of vulnerabilities for analysis continues to outpace its processing capacity. Since its inception in 2005, the NVD has served as a critical resource for cataloging and providing further contextual analysis for newly discovered Common Vulnerabilities and Exposures (CVEs), which are publicly known security flaws in computer systems that hackers can exploit. By attaching a unique identifier to each vulnerability, CVEs give organizations the information they need to assess risks and deploy necessary security patches.

Funding Shortfalls Have Stalled Progress

Budget constraints have limited NIST’s ability to scale operations, compounding the problem. In February 2024, NIST temporarily halted CVE submissions, citing limited capacity for analysis. In May 2024, to prevent further delays, NIST awarded an $870,000 contract to a cybersecurity firm, Analygence, to assist with processing efforts.

Just two months later, NIST optimistically forecasted that all pending analyses would be completed by March 2025, but a 32 percent increase in submissions in 2024 quickly derailed those expectations.

Threats Are Outpacing Interventions and Straining NIST’s Capacity

At a December 2024 hearing of the House Committee on Science and Technology, a NIST official conceded that NIST had hoped to help the NVD “return to pre-February 2024 processing rates,” but the surge in vulnerabilities had outpaced their efforts. While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025, this funding remains a fraction of the $300 million to $400 million estimated to be needed annually to fully restore capacity, with an additional $120 million to $150 million required to prevent further system “deterioration.” However, the likelihood of securing adequate funding remains bleak, as NIST braces itself for job cuts by the Trump administration.

Recognizing the growing crisis, in September 2024, House lawmakers introduced a bipartisan bill aiming to modernize the NVD with AI automation systems. However, progress on the legislation has stalled, and NVD data shows efficiency rates are continuing to drop, with processing delays worsening month over month in 2025. Furthermore, cyber threats continue to increase, with half of this year’s backlog submitted in this month alone. Without a long-term solution, delays in vulnerability analysis will leave critical blind spots in the nation’s cyber defenses, allowing adversaries to stay ahead.

Restoring NIST’s Capacity Will Require Congressional Action

To address this issue, the Trump administration and Congress must ensure NIST has adequate resources to manage the rising volume of vulnerabilities efficiently. This would include investments to expand its workforce and legislation to support the use of automation tools to accelerate CVE processing. At the same time, NIST should continue to identify inefficiencies and resource gaps that must be addressed to enhance NVD’s long-term efficiency while continuing its collaboration with the private sector to reduce the backlog. Without congressional intervention, security gaps will continue to widen, increasing the risk of cyberattacks against businesses, government agencies, and U.S. critical infrastructure.

Jiwon Ma is a senior policy analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). For more analysis from the author and CCTI, please subscribe HERE. Follow Jiwon on X @jiwonma_92. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
