
NIST Narrows NVD Analysis Priorities as CVE Submissions Surge 263% Since 2020

April 16, 2026 00:01

NIST Acknowledges It Cannot Keep Up With the Vulnerability Flood

The National Institute of Standards and Technology, the federal agency responsible for cataloging and analyzing cybersecurity vulnerabilities, has officially acknowledged that it can no longer keep pace with the relentless growth of newly reported defects. On Wednesday, NIST announced a significant narrowing of its analysis priorities for the National Vulnerability Database (NVD), effectively triaging which vulnerabilities will receive the agency's full analytical attention going forward.

The move represents a formal capitulation to the sheer volume of Common Vulnerabilities and Exposures (CVEs) being submitted each year — a number that has exploded in recent years and shows no sign of slowing down.

What NIST Will and Won't Prioritize

Under the new approach, NIST will focus its enrichment efforts on three specific categories of CVEs:

CVEs that fall outside these categories will still appear in the NVD, but they will not automatically receive additional enrichment metadata. As NIST stated in its blog post announcing the change:

"This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories."

A Surge in Submissions the Agency Cannot Absorb

The numbers behind NIST's decision are stark. The agency reported analyzing nearly 42,000 vulnerabilities in 2024, and CVE submissions have surged an extraordinary 263% from 2020 to 2025. The pace is not letting up — submissions in the first three months of 2026 are nearly one-third higher than during the same period in 2025, according to NIST.

The broader vulnerability landscape reflects this trend. On Tuesday, Microsoft addressed 165 vulnerabilities in a single patch cycle — its second-largest monthly batch of security defects on record — underscoring just how aggressively the attack surface is expanding across the industry.

Background: A Funding Lapse That Made Things Worse

NIST's current predicament was compounded by a funding lapse in early 2024, which forced the agency to temporarily halt the provision of key metadata for many vulnerabilities in the database. That pause created a backlog of unenriched CVEs that the agency has still not fully cleared — and which has continued to grow in the time since. The new prioritization framework is designed to help NIST achieve long-term sustainability and stabilize the NVD program rather than perpetually chase an ever-expanding backlog.

Industry Experts: The Change Was Inevitable

Vulnerability researchers and threat analysts largely view NIST's new direction as an unavoidable course correction. Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, put it bluntly when speaking to CyberScoop:

"They had to do something. NIST was woefully behind on classifying CVEs and would likely never have caught up. I'm not sure if it was a herculean task or a sisyphean one, but either way, they were set up for failure under their previous system. This change allows them to prioritize their work."

The sentiment is shared by others in the vulnerability intelligence space. Caitlin Condon, vice president of security research at VulnCheck, previously noted to CyberScoop that prioritization has long been a problem, with too many defenders wasting attention on vulnerabilities that pose little real-world risk.

VulnCheck's own data reinforces this point: of the more than 40,000 newly published vulnerabilities the firm cataloged last year, only 1% — just 422 defects — were actually exploited in the wild. That stark ratio highlights the challenge defenders face in determining where to focus limited resources.

Shifting Authority Toward the Private Sector

NIST's scaling back of direct analysis will have ripple effects throughout the broader vulnerability research ecosystem. With the agency pulling back, private companies and organizations are increasingly positioned to fill the gap, giving CVE Numbering Authorities (CNAs) and vendors who publish their own assessments greater de facto authority in the eyes of defenders seeking reliable information.

In a related change, NIST also announced that CVEs submitted with an existing severity rating will no longer receive a separate CVSS score from NIST. This is intended to reduce duplicated effort and lean more heavily on the assessments already provided by CNAs.

NIST's Stated Goal: A Sustainable, Reliable Database

Despite the narrowing of scope, NIST emphasized that the NVD will remain a publicly available and government-backed resource. The agency framed the changes as a necessary evolution rather than a retreat:

"This risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community. By evolving the NVD to meet today's challenges, we can ensure that the database remains a reliable, sustainable and publicly available source of information about cybersecurity vulnerabilities."

Whether these changes will be enough to restore confidence in the NVD as a timely and comprehensive resource remains to be seen. But for an agency grappling with exponential growth in the very data it is charged with managing, narrowing the aperture may be the only viable path forward.


Source: CyberScoop
