Inter-agency squabbles
The Inspector General’s report blamed NIST for a variety of management and strategy shortcomings.
“NIST’s lack of strategic planning and decisive action have allowed the backlog of unprocessed vulnerabilities to continue growing,” the report said, pointing out that NIST and the Cybersecurity and Infrastructure Security Agency (CISA) are operating two vulnerability enrichment programs with significant overlap, leading to duplicated efforts and waste of approximately $200,000 since May 2024. Additionally, it said, NIST’s insufficient communication has frustrated stakeholders and decreased confidence in the NVD.
The report also said, “NIST must improve the efficiency of enrichment processes to ensure sustainability. We estimate that NIST could put approximately $800,000 to better use over the next two years.”
It also attributed some of the issues with the vulnerability identification programs to bureaucratic infighting over the years, pointing out that for two years, CISA has been independently providing nearly all of the same enrichment data as NIST.
