
NIST Opens Updated IoT Security Guidance to Public Review

25 June 2026 at 04:29

The guidance aims to establish product cybersecurity requirements for IoT devices integrated into federal agencies’ networks.

The post NIST Opens Updated IoT Security Guidance to Public Review appeared first on SecurityWeek.


Federal audit reveals NIST’s NVD is plagued by poor planning and duplication

By: Greg Otto
29 May 2026 at 12:07

A Department of Commerce inspector general report released Thursday found that the National Institute of Standards and Technology has mismanaged a critical cybersecurity vulnerability database through poor planning, inefficient operations, duplicate federal programs, and failure to communicate with users.

The National Vulnerability Database, maintained by NIST since 2005, collects information about computer security flaws and adds details like severity ratings and affected products. This information helps cybersecurity professionals across government and the private sector decide which security problems to fix first. In February 2024, the database’s enrichment contract lapsed, creating a backlog of unprocessed security flaws that has only grown worse.

The report identified the lack of strategic planning as a core problem. NIST leaders admitted they had no long-term plan for clearing the backlog, even as it grew from about 13,000 unprocessed security flaws in June 2024 to over 27,000 by the end of 2025.

NIST publicly promised in May 2024 that it would clear the backlog by September 2024, setting a goal of processing 6,200 security flaws per month, but the agency had never processed more than 5,000 per month in the past.

The report found major inefficiencies in how NIST enriches the information that is attached to the vulnerabilities. 

Analysts spend about 80% of their time on two tasks: calculating severity scores and identifying which products are affected. The inspector general’s office tested NIST’s severity scores and found they matched independent evaluators only 12% of the time. Also, nearly 80% of vulnerability submissions already include these scores from the companies that are responsible for the software. This means NIST is doing work that is often unnecessary and inconsistent. The inspector general proposed cutting back on severity score calculation work over the next two years, estimating that NIST would save $800,000 that it could redirect to other program areas.

Another efficiency problem highlighted is the program’s manual process for identifying affected products. Creating these standardized product identifiers takes a lot of time and keeps analysts from clearing the backlog. NIST is developing tools to make this faster, but it remains a major slowdown.

The report also found major duplication between two federal security programs. When the Cybersecurity and Infrastructure Security Agency launched its own Vulnrichment program in May 2024, there was no coordination between the agencies, leading to NIST analysts sometimes repeating work that CISA analysts had already completed. Additionally, the two agencies even hired the same contractor for portions of the same work. The inspector general found at least 21,000 cases of duplicated work between May 2024 and December 2025, wasting approximately $200,000 in the process.  

Communication failures have made the problems worse. In April 2024, over 50 cybersecurity professionals sent an open letter to Congress complaining that NIST was not being transparent about the database’s problems. Neither NIST nor the Department of Commerce answered the letter.

Vulnerability database programs managed by the federal government have been a point of contention for the cybersecurity community over the past two years. Earlier this year, NIST announced that it has narrowed its priorities for the NVD, focusing only on vulnerabilities in CISA’s KEV catalog, software used by the federal government, and critical software identified under Executive Order 14028.

A similar program that serves as a catalog of known security flaws, the Common Vulnerabilities and Exposures (CVE) list, has had similar issues over the past few years. That program, run by CISA, narrowly escaped a sudden demise when a last-minute, 11-month contract extension averted a shutdown in April 2025. Since then, several competing databases from European nonprofits and other private entities have been stood up in order to better coordinate how vulnerabilities are tracked, disclosed, and ultimately patched.

The inspector general recommended that NIST create a long-term plan for the database, set up a plan to clear the backlog with specific goals, cut back on unnecessary severity score work, make it easier for outside companies to help identify affected products, immediately start working with CISA to stop duplicating work, and develop a plan to communicate better with users.

NIST agreed with all six recommendations and said it is working on them. The agency must submit a plan showing how it will address these problems by late July.


The post Federal audit reveals NIST’s NVD is plagued by poor planning and duplication appeared first on CyberScoop.

Weaponized AI: The new frontier of fraud and identity spoofing

13 May 2026 at 14:30

Today’s enterprise executives are navigating a complex landscape of AI-driven challenges, but none is more urgent than the rapid escalation of AI-generated fraud.

Fraudsters are weaponizing generative AI to automate impersonation and mass-produce synthetic identities at a scale and pace that is rendering enterprises’ long-standing defenses obsolete. This is no longer a slow-moving game of cat and mouse; it is a high-velocity arms race.

To protect the integrity of their platforms, enterprise leaders — particularly in critical infrastructure sectors — must move beyond periodic risk assessments and begin leveraging a new generation of tools that enable defenses to iterate in days rather than months.

Generative AI as a fraud multiplier


While legitimate businesses use generative AI for efficiency, fraudsters exploit it to scale their attacks. We are witnessing a 100-fold increase in synthetic identities and a sevenfold rise in deepfake-driven impersonations over the past 24 months. Deloitte’s Center for Financial Services predicts AI-enabled fraud losses could reach $40 billion in the U.S. by 2027, up from $12.3 billion in 2023.

This is no longer just a back-office technical issue; it has become a top concern for leadership across banks, fintechs, and telcos. Nearly three-quarters (72%) of business leaders anticipate that AI-generated fraud, including deepfakes, will be a top operational challenge in 2026, according to an Experian report. Nearly half (46%) of businesses surveyed by Incode in 2025 reported an annual increase in deepfake and generative AI fraud.

Bad actors can now perpetrate fraud at scale by targeting multiple victims at the same time using the same or fewer resources. Consequently, the stakes have escalated rapidly. Enterprises must now find more effective ways to distinguish between reality and fiction before these attacks compromise trust, revenue, and operational continuity.

The new arms race

Fraud prevention has always been a constant game of leapfrog. Now, however, enterprises must adopt highly advanced defenses as they work to thwart fraudsters who have access to the same AI tools and no legal guardrails.

By some estimates, 80% of fraud is easily detectable, while the remaining 20% requires high-level expertise. That’s where most vendors’ performance fails. Sophisticated fraudsters are not only more capable of impersonating identities but are also increasingly networked, sharing intelligence on how to bypass specific company defenses.

Agility as the primary security metric

In this environment, the “7-Day Benchmark” is essential. A defense model must be able to identify a new attack vector, retrain its data sets, and deploy an updated mitigation model within 7 to 10 days. 

One reason so many organizations remain vulnerable to this new generation of attacks is that they rely on third-party vendors whose update cycles can take months to test and deploy. Modern defense requires an approach like Deepsight: a combination of machine learning, behavior checks, and device checks that identify camera injections and synthetic document fraud and verify that the user is a real person.

Defense checklist: 4 questions for every vendor

To narrow this “velocity gap,” executives need to take a closer look at how well equipped their providers are to address this new generation of threats. Here are four pointed questions to explore:

  1. “How accurate is your facial recognition capability? And what third-party certifications do you hold for mobile environments?” Executives should look for solutions that have been independently validated against the most rigorous international standards for biometric spoof testing—such as iBeta Level 3 compliance on both iOS and Android—that simulate well-resourced attackers using professional-grade, hyper-realistic masks.
    • While many providers struggle with consistency across various devices, a top-tier solution will achieve a 0% error rate. (In a 2024 National Institute of Standards and Technology (NIST) evaluation of 158 different developers, using galleries of mugshot, visa, and border images, Incode ranked #1 out of all full-solution identity verification providers.)
    • Also, assess the accuracy and performance of algorithms used in facial analysis across a range of use cases, including age estimation, ensuring the technology is unbiased and highly accurate across diverse user populations. (Once again, Incode scored top marks in NIST’s Face Analysis Technology Evaluation for achieving the lowest error and false-positive rates.)
  2. “How do you measure and report your own error rates?” Demand a rigorous, audited approach that provides clear metrics on false positives and false negatives for every session.
  3. “Do you own your technology or license it?” This determines the speed of iteration. Updates should happen internally in days, not over months-long development cycles dictated by a third party.
  4. “How does your network share intelligence to flag repeat offenders?” Inquire whether the vendor can cross-share biometric, VPN, and network data across their entire client base to proactively block known fraudsters before they hit your system.

(For a more complete guide on selecting an identity verification vendor, we recommend getting a complimentary copy of the Gartner Magic Quadrant for Identity Verification.)

Secure your defenses against AI-enabled fraudsters

The era of treating identity verification as a static compliance checkbox is over. As the internet makes identity spoofing easier than ever before, the burden is on leadership to ensure their defenses can evolve at the speed of the adversary.

Audit your vendor ecosystem today: Demand proprietary technology that iterates in days, insist on top-tier independent certifications for mobile environments, and prioritize networks that share real-time intelligence. Organizations that treat trust as a core strategic capability will thrive; those that remain reactive will find themselves increasingly vulnerable in a world where reality is becoming ever more malleable.

Fernanda Sottil is Senior Director of Strategy at Incode Technologies, a leading identity verification company.


The post Weaponized AI: The new frontier of fraud and identity spoofing appeared first on CyberScoop.

The missing cybersecurity leader in small business

By: Greg Otto
11 May 2026 at 06:00

The average cost of a cyberattack on a small- or medium-size business is more than $250,000. The salary of a chief information security officer (CISO) is about the same, between $250,000 and $400,000, according to the annual 2026 CISO Report from Sophos and Cybersecurity Ventures. Small- and medium-size businesses (SMBs) know they cannot afford the salary, so they roll the dice, hoping they will not be attacked. This is a dangerous gamble that these businesses, which make up the backbone of the American economy, should not have to take. A virtual CISO (vCISO) or fractional CISO (fCISO) can provide a practical solution.

As the American economy goes digital, SMBs now rely on the same building blocks as big enterprises — cloud services, payment systems, remote access, customer data, and other third-party vendors. But without senior cyber leadership, cybersecurity often becomes a patchwork of tools, checklists, insurance paperwork, and whatever guidance a vendor offers. That may get these companies through a questionnaire; it will not build real resilience. Nearly half of all reported cyber incidents, which are projected to cost the global economy $12.2 trillion annually by 2031, involve smaller firms.

The threat is growing in both size and sophistication. Adversaries are deploying AI to automate reconnaissance, develop malware, and run phishing campaigns at scale. This reduces the cost and skill needed to target smaller firms at volume. Adversaries are also collecting encrypted data with the intent to decrypt it later, once they have access to large enough quantum computers. SMBs in defense, healthcare, and financial supply chains often hold sensitive credentials that provide access into larger enterprise environments, but most are not prepared to adopt quantum-resistant encryption.

SMBs generally understand they face cyber risk. The real gap is leadership: someone who can turn technical vulnerabilities into business decisions, set priorities, brief executives, prepare for audits, and hold vendors accountable. For most SMBs, hiring a full-time CISO is financially unrealistic.

A Virtual CISO provides remote, on-demand cybersecurity leadership and advice, typically supporting several organizations at the same time. A fractional CISO is a dedicated, part-time executive who is more deeply integrated into one organization’s governance, security planning, and day-to-day operations. Both models give smaller organizations access to senior-level cybersecurity expertise in a flexible, more affordable way than hiring a full-time CISO.

Washington should make it easier for SMBs to hire fractional cybersecurity leaders, because the private market is not closing this gap on its own. The Cybersecurity and Infrastructure Security Agency (CISA) and the Small Business Administration (SBA) could help by publishing buyer guidance: vetted criteria for evaluating providers, example scopes of work and deliverables, and real-world case studies that show SMB owners what a high-quality vCISO or fCISO engagement should look like.

Clear guidance matters because many smaller firms cannot easily tell the difference between true cybersecurity leadership and a tool reseller, compliance-only consultant, or a generic managed services contract. Any vetted provider criteria should emphasize proven experience building and running security programs, independence from vendor incentives and product quotas, and the ability to tie security investment to real business risk, not just a list of certifications. Model scopes of work should also spell out the basics every engagement should deliver: an initial risk assessment, a prioritized remediation roadmap, and simple metrics that show whether security is improving over time. Without clear buyer criteria, federal efforts could end up funding low-quality services that add cost and paperwork without making companies safer.

The National Institute of Standards and Technology (NIST) should recognize these CISO models in its SMB-focused Cybersecurity Framework guidance. That would help smaller firms turn the framework’s Govern, Identify, Protect, Detect, Respond, and Recover functions into a clear, accountable leadership structure. This would make these roles less abstract: the point is not merely providing advice, but taking executive-level ownership of risk priorities, vendor oversight, incident readiness, and communication with the owner or board.

Congress and the Treasury Department should consider targeted tax incentives or credits for qualified cybersecurity leadership services, tied to measurable risk-reduction outcomes. Eligible activities could include completing a risk assessment, building an incident response plan, conducting vendor security reviews, running employee training, and producing a remediation roadmap. SMBs often defer cybersecurity because every dollar competes with payroll, inventory, and growth. A targeted incentive would make security leadership easier to justify as a business investment rather than an optional add-on.

Federal acquisition officials should require contractors that handle sensitive government data to show they have executive-level cybersecurity oversight, whether full-time, virtual, or fractional, and should extend that expectation down to relevant subcontractors and suppliers. This is necessary because SMBs serve as entry points into defense, healthcare, financial, and critical infrastructure supply chains.

Finally, CISA and the SBA should support vCISO- and fractional-CISO-led workforce training. Employees improve security when training comes with leadership, regular reinforcement, and clear accountability, not just annual awareness training. The aim is not to turn every SMB into a Fortune 500 security shop. It should be to give smaller firms access to the leadership they need before the next incident forces the issue.

Georgianna Shea, who is a Doctor of Computer Science, is chief technologist at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab, where Cason Smith served as a summer 2025 intern. Cason is studying integrated information technology at the University of South Carolina.

The post The missing cybersecurity leader in small business appeared first on CyberScoop.

NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities

15 April 2026 at 16:17

The federal agency tasked with analyzing security vulnerabilities is overwhelmed as it and other authorities struggle to keep pace with a flood of defects that grows every year. The National Institute of Standards and Technology announced Wednesday that it has capitulated to that deluge and narrowed the priorities for its National Vulnerability Database.

NIST said it will only prioritize analysis for CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, software used in the federal government and critical software defined under Executive Order 14028.

The federal agency’s goal with the change is to achieve long-term sustainability and stabilize the NVD program, which has encountered previous challenges, notably a funding lapse in early 2024 that forced NIST to temporarily stop providing key metadata for many vulnerabilities in the database.

The agency still hasn’t cleared a backlog of unenriched CVEs that built up during that pause and grew since then. 

NIST said it analyzed nearly 42,000 vulnerabilities last year, adding that CVE submissions surged 263% from 2020 to 2025. “We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” the agency said in a blog post announcing the change. 

Indeed, vulnerabilities are increasing across the board. For instance, Microsoft addressed 165 vulnerabilities Tuesday, its second-largest monthly batch of defects on record.

NIST said CVEs that don’t fit its more narrow criteria will still be listed in the NVD, but they won’t be automatically enriched with additional details. 

“This will allow us to focus on CVEs with the greatest potential for widespread impact,” the agency said. “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”

Researchers and threat hunters who analyze vulnerabilities for CVE Numbering Authorities (CNAs), as well as vendors that publish their own assessments, view NIST’s new approach as inevitable.

“They had to do something. NIST was woefully behind on classifying CVEs and would likely never have caught up,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.

“I’m not sure if it was a Herculean task or a Sisyphean one, but either way, they were set up for failure under their previous system. This change allows them to prioritize their work,” he added.

NIST’s new approach will affect the vulnerability research community at large, but it will also put more private companies and organizations in a position to gain authority as defenders seek out alternative sources.

Caitlin Condon, vice president of security research at VulnCheck, previously told CyberScoop that prioritization remains a problem, with too many defenders paying attention to vulnerabilities that aren’t worth their time. 

Of the more than 40,000 newly published vulnerabilities that VulnCheck cataloged last year, only 1% of those defects, just 422, were exploited in the wild.

NIST is also trying to reduce other duplicative efforts with its new approach, effectively leaning even more on CNAs. CVEs that are submitted with a severity rating will no longer receive a separate CVSS score from NIST, the agency said.

While the agency remains the ultimate authority providing a government-backed catalog of vulnerability assessments, it acknowledged these changes will affect its users.

“This risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community,” the agency said. “By evolving the NVD to meet today’s challenges, we can ensure that the database remains a reliable, sustainable and publicly available source of information about cybersecurity vulnerabilities.”

The post NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities appeared first on CyberScoop.
