
Key Takeaways: what you need to know
  1. A federal audit of NIST’s National Vulnerability Database found planning, coordination, and backlog management failures that deepen concern over the NVD backlog.

  2. SAP security teams face added risk when CVE enrichment gaps delay severity scores, product mapping, and reference data needed for vulnerability prioritization.

  3. The findings make diversified vulnerability intelligence a practical requirement for SAP environments that depend on timely patch decisions and accurate risk assessment.

A federal watchdog has now confirmed what SAP security practitioners suspected for more than a year: the National Vulnerability Database (NVD) isn’t just understaffed — it’s structurally mismanaged.

The U.S. Department of Commerce Office of Inspector General (OIG) formally documented the failures at the NVD, a federal data source enterprise security teams rely on to triage and prioritize Common Vulnerabilities and Exposures (CVEs).

The audit, “Evaluation of NIST’s Management of the National Vulnerability Database” (OIG-26-020-I), identifies duplicated contractor work, no formal program planning, and a backlog of unenriched CVEs at the National Institute of Standards and Technology (NIST), a backlog that grew from 13,000 in June 2024 to over 27,000 by the end of 2025.


The findings reframe the enrichment slowdown as a governance problem alongside capacity questions — and shift the operational question from when NVD reliability returns to how SAP teams operate without assuming it will.

OIG Audit Confirms Planning and Coordination Failures at NIST

According to the OIG report, NIST lacked a strategic plan for the NVD at the time of the evaluation and began drafting one only after the OIG specifically requested it.

Contractors performed CVE enrichment work that overlapped with CISA, which launched its own parallel enrichment program, Vulnrichment, in May 2024. The OIG identified at least 21,000 instances of duplicated enrichment between the two agencies from May 2024 to December 2025. In some cases, NIST and CISA duplicated work using the same contractor.

The agency also lacked documented performance metrics and contingency planning, as well as any formal program management framework for the database’s operation.

Media coverage has framed the audit as validation of the alarm raised across the cybersecurity community when CVE enrichment slowed sharply in early 2024. CyberScoop reported that the findings substantiate concerns practitioners voiced for more than a year, and The Record characterized the audit as confirmation of structural problems.

Why Inconsistent CVE Enrichment Is a Problem for SAP Security Teams

Enriched CVE metadata is what makes a raw vulnerability identifier operationally useful.

The enrichment layer, as described in the OIG audit, attaches Common Vulnerability Scoring System (CVSS) severity scores, Common Platform Enumeration (CPE) identifiers that map a CVE to affected products or platforms, and reference links that connect the vulnerability to vendor advisories and exploit context.

NIST’s new priority criteria focus enrichment on entries in CISA’s Known Exploited Vulnerabilities (KEV) catalog, software used by the federal government, and critical systems designated under Executive Order 14028. Enterprise application software, including SAP platforms, sits outside that hierarchy.

As previously reported by SAPinsider, that creates a specific gap for SAP security teams: the enrichment that makes CVE data actionable may not arrive at all for vulnerabilities relevant to their environments. When that enrichment is absent or delayed, the gap lands directly in the prioritization queue — at exactly the point where patch decisions require the most precision.

A More Resilient Approach to Vulnerability Intelligence

A survey of cybersecurity professionals conducted as part of the OIG evaluation found that 75% reported relying less on the NVD since the backlog began. Still, 80% acknowledged the NVD provides unique enrichment data.

That points to the value of a diversified approach to vulnerability intelligence: treat the NVD as one input among several, and layer multiple sources so that no single feed’s degradation halts triage.

Under this approach, SAP Notes and the monthly Security Patch Day remain the authoritative source for SAP-specific vulnerabilities. Other intelligence sources add enriched metadata, exploit context, and component mapping. Internal correlation against an accurate system inventory ties it to specific environments.

Broader CVE enrichment services and community feeds round out the picture for the non-SAP software that sits adjacent to enterprise resource planning (ERP) workloads. The OIG’s documented governance failures make single-source dependency on the NVD a riskier design assumption for SAP environments where patch decisions carry operational weight.

No Clear Timeline for Restored Enrichment

The scope of the OIG’s six recommendations — formal strategic planning, backlog management, severity scoring policy, CPE applicability processes, CISA coordination, and stakeholder communication — points to process change. NIST concurred with all six and must submit a corrective action plan by late July 2026.

Michael Daniel, president and CEO of the Cyber Threat Alliance, went further. “Running a long-term, ongoing operational program like the NVD falls more properly in CISA’s mission,” Daniel told The Record. “NIST has significant resource shortfalls.” Whether institutional ownership shifts or NIST executes the OIG’s reform agenda, the timeline for restored enrichment consistency remains open.

That uncertainty raises the operational risk of relying on NVD enrichment as the primary input for SAP security teams. A diversified intelligence posture reduces dependency on a federal data source whose governance is now formally in question.

None of this eliminates the need for the NVD; the database remains a foundational reference. What the OIG audit establishes is that near-term enrichment consistency — particularly for enterprise application software outside federal priority criteria — carries documented governance risk. Building a vulnerability management workflow that accounts for that reality is now an ongoing requirement for SAP security teams.

What This Means for SAPinsiders

  • SAP security teams need a documented fallback for NVD gaps. Vulnerability management programs that treat a single federal data source as authoritative carry governance risk. Documenting alternative enrichment sources and the conditions under which they apply converts that risk into a manageable process decision.
  • Historical CVE coverage deserves a second look. The backlog period means some vulnerabilities affecting SAP environments may have been assessed without complete enrichment data. Periodic retrospective reviews of CVEs disclosed during high-backlog periods can surface gaps that active monitoring may have missed.
  • Vendor selection criteria for security tooling should reflect NVD uncertainty. When evaluating vulnerability management platforms, SAP security teams benefit from assessing how each tool sources and supplements CVE enrichment independently of the NVD. That capability is now a functional differentiator, not a premium feature.
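The layered workflow described earlier (SAP Notes authoritative for SAP components, other feeds supplying metadata and exploit context, correlation against an internal inventory) together with the documented fallback and retrospective review from the list above, as an added Python example that is not code from SAPinsider, SAP, NIST or CISA. It assumes the publicly documented NVD API 2.0 and CVE JSON 5.1 record layouts (vulnStatus, cvssMetricV31 and configurations on the NVD side; containers.adp with providerMetadata.shortName "CISA-ADP" and SSVC metrics on the CVE side). The CVE identifier, SAP Note number, CPE strings, hostnames, priority tiers and the NVD_UNENRICHED status set are assumptions for illustration, and every input record is constructed. The sample models the gap the article describes: the NVD record is still "Awaiting Analysis" with no score or CPE, so the score comes from the SAP Note, the exploitation signal from the CISA ADP container, and the CVE is flagged for a later re-check.

```python
"""Layered CVE enrichment with provenance for SAP triage. Added example, not code
from SAPinsider, SAP, NIST or CISA. Precedence: internal SAP Note mapping
(authoritative for SAP components), then the NVD API 2.0 record, then the CISA-ADP
(Vulnrichment) container of the CVE JSON 5.1 record. Field layouts follow the public
NVD 2.0 / CVE 5.1 schemas as I know them; CVE ID, Note number, CPEs, hosts are placeholders."""
from dataclasses import dataclass, field

NVD_UNENRICHED = {"Received", "Awaiting Analysis", "Undergoing Analysis", "Deferred"}  # no NVD enrichment yet

@dataclass
class Enrichment:
    cve_id: str
    score: "float | None" = None
    cpes: list = field(default_factory=list)
    exploitation: "str | None" = None           # CISA SSVC "Exploitation" value
    sources: set = field(default_factory=set)   # provenance trail
    retro_review: bool = False                  # NVD gap at assessment time

    def set_score(self, score, source):
        if self.score is None:                  # first (most authoritative) source wins
            self.score = score
            self.sources.add(source)

    def add_cpe(self, cpe, source):
        if cpe not in self.cpes:
            self.cpes.append(cpe)
            self.sources.add(source)

def apply_sap_note(enr, sap_notes):
    """SAP Notes are authoritative for SAP products: CVSS plus component mapping."""
    note = sap_notes.get(enr.cve_id)
    if note:
        enr.set_score(note["cvss"], "sap-note:" + note["note"])
        for cpe in note["cpes"]:
            enr.add_cpe(cpe, "sap-note:cpe")

def apply_nvd(enr, nvd):
    """NVD API 2.0 record: Primary CVSS v3.1 and vulnerable CPE criteria, if present."""
    cve = nvd["cve"]
    if cve.get("vulnStatus") in NVD_UNENRICHED:
        enr.retro_review = True                 # revisit once NVD enrichment lands
    for m in cve.get("metrics", {}).get("cvssMetricV31", []):
        if m.get("type") == "Primary":
            enr.set_score(m["cvssData"]["baseScore"], "nvd:cvss")
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    enr.add_cpe(match["criteria"], "nvd:cpe")

def apply_cisa_adp(enr, record):
    """CVE JSON 5.1 record: fall back to the CISA-ADP container (Vulnrichment)."""
    for adp in record.get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") != "CISA-ADP":
            continue
        for m in adp.get("metrics", []):
            if "cvssV3_1" in m:
                enr.set_score(m["cvssV3_1"]["baseScore"], "cisa-adp:cvss")
            if m.get("other", {}).get("type") == "ssvc":
                for opt in m["other"]["content"].get("options", []):
                    if "Exploitation" in opt:
                        enr.exploitation = opt["Exploitation"]
                        enr.sources.add("cisa-adp:ssvc")
        for aff in adp.get("affected", []):
            for cpe in aff.get("cpes", []):
                enr.add_cpe(cpe, "cisa-adp:cpe")

def enrich(cve_id, sap_notes, nvd_record, cve_record):
    enr = Enrichment(cve_id)
    apply_sap_note(enr, sap_notes)
    apply_nvd(enr, nvd_record)
    apply_cisa_adp(enr, cve_record)
    return enr

def inventory_hits(enr, inventory):
    """Hosts whose installed (vendor, product, version) matches a vulnerable CPE."""
    key = lambda cpe: tuple(cpe.split(":")[3:6])        # CPE 2.3 fields 3..5
    vuln = list(map(key, enr.cpes))
    return [h["host"] for h in inventory if any(
        (v, p) == key(h["cpe"])[:2] and ver in ("*", key(h["cpe"])[2]) for v, p, ver in vuln)]

def priority(enr, hits):
    if not hits:
        return "P4-no-exposure"
    if enr.exploitation == "active" or (enr.score or 0) >= 9.0:
        return "P1-patch-now"                   # exploitation evidence beats any score
    if enr.score is None:
        return "P2-manual-review"               # unenriched everywhere: keep it visible
    return "P2-next-window" if enr.score >= 7.0 else "P3-scheduled"

# Constructed sample inputs (placeholders, not real records).
CVE = "CVE-2025-99999"
CPE_J750 = "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*"
SAP_NOTES = {CVE: {"note": "0000001", "cvss": 9.9, "cpes": [CPE_J750]}}
NVD_RECORD = {"cve": {"id": CVE, "vulnStatus": "Awaiting Analysis"}}   # no metrics, no CPEs
CVE_RECORD = {"containers": {"cna": {}, "adp": [{
    "providerMetadata": {"shortName": "CISA-ADP"},
    "metrics": [{"cvssV3_1": {"baseScore": 8.8, "baseSeverity": "HIGH"}},
                {"other": {"type": "ssvc", "content": {"options": [{"Exploitation": "active"}]}}}],
    "affected": [{"vendor": "sap", "product": "netweaver_application_server_java", "cpes": [CPE_J750]}]}]}}
INVENTORY = [{"host": "erp-prd-01", "cpe": CPE_J750},
             {"host": "bw-dev-02", "cpe": CPE_J750.replace(":7.50:", ":7.40:")}]
```

Run `enrich(CVE, SAP_NOTES, NVD_RECORD, CVE_RECORD)` followed by `inventory_hits` and `priority` to see the flow. Every score and CPE carries a source tag, so a ticket can state which feed a decision rests on; a CVE that no source has scored is routed to manual review instead of sinking to the bottom of a score-sorted queue; and retro_review marks the CVEs that were assessed while NVD enrichment was missing, which is the set the second bullet says deserves a second look.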
