The National Institute of Standards and Technology (NIST) has officially restructured its National Vulnerability Database (NVD) operations, shifting to a risk-based model that reserves full CVE enrichment only for the most critical vulnerabilities, in response to a staggering 263% surge in CVE submissions between 2020 and 2025.
Effective April 15, 2026, NIST’s landmark policy change redefines how the cybersecurity community should think about vulnerability data completeness, severity scoring, and patch prioritization.
CVE Submissions Overwhelm NVD
For years, the NVD has served as the backbone of vulnerability management programs across government agencies, enterprises, and security vendors worldwide. But the sheer volume of CVE disclosures has finally outpaced NIST’s capacity to keep up.
CVE submissions exploded by 263% between 2020 and 2025, and the trend shows no signs of slowing. Submissions in the first quarter of 2026 alone were nearly one-third higher than the same period last year, a record-breaking pace that no manual enrichment workflow could sustainably absorb.
Despite NIST enriching nearly 42,000 CVEs in 2025, a 45% increase over any prior year, the agency acknowledged it could not close the growing gap between submissions and analyzed entries.
The result is a mounting backlog of unenriched vulnerabilities that leave security teams working with incomplete data, missing severity scores, and absent product enumeration lists.
New Prioritization Criteria
Starting April 15, 2026, NIST will focus its enrichment resources on three clearly defined categories of CVEs.
- CISA’s Known Exploited Vulnerabilities (KEV) Catalog – NIST targets enrichment within one business day of receipt, recognizing these as active threats already being weaponized in the wild
- CVEs affecting software used within the U.S. federal government – ensuring national infrastructure and government supply chains maintain current, actionable vulnerability intelligence
- CVEs for critical software defined under Executive Order 14028 – this covers software running with elevated privileges, managing access to networking or computing resources, controlling operational technology, or operating outside normal trust boundaries
CVEs that fall outside these three categories will still be listed in the NVD but will be labeled “Lowest Priority not scheduled for immediate enrichment.”
While NIST acknowledges these vulnerabilities may have a significant impact on affected systems, the agency states they generally do not present the same level of systemic risk as those in the prioritized categories.
NIST Steps Back from Duplication
One of the more significant operational changes involves NIST’s long-standing practice of independently scoring CVEs even when the submitting CVE Numbering Authority (CNA) had already provided a severity score.
In the future, NIST will no longer routinely generate a separate CVSS severity score when the CNA has already submitted one.
The agency frames this as eliminating duplication of effort and freeing analyst bandwidth for higher-priority work. Critics, however, note that NIST’s independent scores often provided an important cross-validation check against vendor-submitted scores, which can occasionally reflect commercial bias or incomplete impact analysis. Users who require NIST’s independent assessment of a specific CVE’s severity can still request it via email.
Perhaps the most consequential operational change is how NIST handles the existing backlog. All unenriched CVEs with an NVD publication date earlier than March 1, 2026, will be moved to the “Not Scheduled” category.
NIST will only consider addressing these earlier vulnerabilities on a request basis, as resources allow, and even then, only if they meet the new prioritization criteria. The backlog does not affect CVEs already cataloged in CISA’s KEV list, which have always been prioritized.
Additionally, NIST has updated its policy on re-analyzing modified CVEs. Previously, the agency would re-analyze all CVEs that had been updated after initial enrichment.
Now, re-analysis will occur only when a modification materially affects the enrichment data, a narrower and more deliberate threshold.
This policy shift carries direct operational implications for vulnerability management programs, particularly those that rely heavily on NVD data for automated, CVSS-based patching workflows.
Security teams that depend on NVD completeness for risk scoring engines, asset vulnerability dashboards, or compliance frameworks should expect gaps in enrichment data for any CVE outside the three priority categories.
Organizations will need to cross-reference multiple intelligence sources, including vendor advisories, CISA KEV updates, and commercial threat intelligence feeds, to compensate for the NVD’s reduced coverage scope.
NIST has updated the NVD Dashboard to reflect real-time CVE status, including the new “Lowest Priority,” “Not Scheduled,” and “Modified After Enrichment” labels, at least giving users greater visibility into what data is and is not available.
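As an added example (not code from the article or from NIST), the following Python triage step shows how a vulnerability-management pipeline can consume NVD API 2.0-shaped records that may lack NIST’s own (“Primary”) CVSS metrics, fall back to the CNA’s (“Secondary”) score, and rank KEV entries first regardless of score. The sample records and KEV set are constructed, and the “Not Scheduled” vulnStatus string is assumed from the article’s label rather than taken from a verified API value.

```python
"""Triage NVD API 2.0-shaped records when NIST enrichment may be absent."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records following the NVD API 2.0 "vulnerabilities"
# layout. "Primary" metrics come from NIST, "Secondary" from the CNA.
# The "Not Scheduled" vulnStatus value is an assumption taken from the
# article's label, not a verified API string.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 9.8}},
                 {"source": "cna@example.com", "type": "Secondary",
                  "cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.com", "type": "Secondary",
                  "cvssData": {"baseScore": 8.1}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "metrics": {}}},
    {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Not Scheduled", "metrics": {}}},
]
SAMPLE_KEV = {"CVE-0000-0003"}  # constructed stand-in for the CISA KEV list

@dataclass
class Triage:
    cve_id: str
    score: Optional[float]
    score_source: str   # "nist", "cna" or "none"
    in_kev: bool
    needs_review: bool  # no usable score and not in KEV: consult other feeds

def triage(record: dict, kev_ids: set) -> Triage:
    cve = record["cve"]
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    nist = [m for m in metrics if m.get("type") == "Primary"]
    cna = [m for m in metrics if m.get("type") == "Secondary"]
    if nist:    # NIST's own score, now present only for prioritized CVEs
        score, src = nist[0]["cvssData"]["baseScore"], "nist"
    elif cna:   # fall back to the CNA score that NIST no longer duplicates
        score, src = cna[0]["cvssData"]["baseScore"], "cna"
    else:
        score, src = None, "none"
    in_kev = cve["id"] in kev_ids
    return Triage(cve["id"], score, src, in_kev, score is None and not in_kev)

def triage_all(records, kev_ids):
    """Rank KEV entries first, then by best available score; unscored last."""
    out = [triage(r, kev_ids) for r in records]
    return sorted(out, key=lambda t: (not t.in_kev, -(t.score or 0.0)))
```

Entries that come back with `needs_review` set are exactly the ones the article warns about: listed in the NVD but carrying no severity data from either NIST or the CNA, so they must be scored from vendor advisories or other feeds before an automated patching workflow can act on them.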
The agency has framed the entire overhaul as a foundation for long-term sustainability, with plans to develop automated enrichment systems and workflow enhancements that could eventually restore broader coverage.
Until those systems are operational, however, the cybersecurity community enters a new era where the world’s most authoritative vulnerability database is, by design, selectively incomplete.
Frequently Asked Questions
Q1. What is NIST’s new CVE enrichment policy effective April 15, 2026?
NIST now enriches only CVEs in CISA’s KEV catalog, federal software, and critical software under Executive Order 14028; all others are labeled “Not Scheduled.”
Q2. Why did NIST change how it handles NVD vulnerability data?
CVE submissions surged 263% between 2020 and 2025, making full enrichment of every submission operationally unsustainable for NIST’s analyst team.
Q3. Will unenriched CVEs still appear in the National Vulnerability Database?
Yes, all submitted CVEs will still be listed in the NVD, but low-priority entries will lack severity scores, product lists, and other enrichment metadata.
Site: http://thecybrdef.com