NIST

Organisation · US
US federal standards body maintaining vulnerability scoring (CVSS), CVE enrichment and SBOM frameworks relied on by private-sector security programmes.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

What happens to enterprise patch triage if NIST's vulnerability database funding is cut?

Timeline for NIST

17 Apr: Mentioned in: 17-year-old Office RCE back on KEV (Cybersecurity: Threats and Defences)

17 Apr: Trump proposes $707m CISA cut, 860 jobs (Cybersecurity: Threats and Defences)
Common Questions

What is NIST and what does it have to do with cybersecurity?

NIST is the US National Institute of Standards and Technology. In cybersecurity, it maintains the Cybersecurity Framework (CSF), the National Vulnerability Database (NVD) with CVSS scores, and Software Bill of Materials guidance used globally for patch triage and supply-chain security.

Is NIST being defunded under Trump?

NIST is within the Trump FY27 federal budget cuts envelope. The specific impact on NVD, CVSS enrichment and SBOM programmes had not been quantified at the time of this update. Source: Trump FY27 budget proposal

Background

The National Institute of Standards and Technology (NIST) maintains the vulnerability-scoring standards, CVE enrichment and Software Bill of Materials (SBOM) frameworks that underpin private-sector patch-triage decisions. Under the Trump FY27 budget proposal, NIST is inside the broader cuts envelope affecting federal science and standards agencies, raising concerns about continuity of the NVD (National Vulnerability Database) and SBOM guidance programmes relied on by enterprise security teams.

NIST's Cybersecurity Framework (CSF) is the primary voluntary standard used by US critical infrastructure operators. The National Vulnerability Database, which NIST maintains, provides the CVSS scoring and CVE enrichment data that security tools, patch management platforms and GRC systems ingest daily. SBOM guidance published by NIST forms the backbone of software supply-chain transparency requirements now appearing in federal procurement rules.

For enterprise security teams, any reduction in NVD staffing or SBOM programme output would create a gap in the data pipelines that drive automated patch prioritisation. The CVSS scoring that distinguishes a 9.8 RCE from a medium-severity DoS — a distinction that matters operationally, as the F5 reclassification demonstrated — depends on sustained NIST resourcing.