
NIST Will No Longer Enrich Low-Priority CVEs as Submission Volumes Surge 263%

April 19, 2026 16:00 · 4 min read

NIST Shifts NVD Enrichment to High-Risk Vulnerabilities Only

The National Institute of Standards and Technology (NIST) has announced a significant policy change to how it manages the National Vulnerability Database (NVD): effective April 15, the agency will no longer assign severity scores or provide enriched analysis for vulnerabilities it deems lower priority. The decision, driven by an overwhelming and still-accelerating volume of CVE submissions, marks a formal acknowledgment of a backlog problem that security professionals had been observing since 2024.

NIST is a non-regulatory federal agency, and its NVD has long served as the authoritative public source for enriched vulnerability data — going beyond raw CVE identifiers to include severity ratings, affected product lists, weakness classifications, and links to patches and advisories. That level of detail, layered on top of identifiers assigned by CVE Numbering Authorities (CNAs) such as software vendors and the not-for-profit MITRE Corporation, is what makes the NVD practically usable for risk management across the security industry.

What Triggered the Policy Change

According to NIST, the volume of CVE submissions has grown by 263% in recent years and continued to accelerate through 2026. The agency processed and enriched approximately 42,000 CVEs in 2025, but that pace is no longer sustainable given the sheer number of new entries arriving each year. Rather than let enrichment quality degrade across the board, NIST has opted to concentrate its analytical resources on the vulnerabilities that pose the greatest systemic risk.

The backlog and enrichment delays had been visible to practitioners for some time. Security researchers and vendors observed that many CVE entries were sitting in the NVD without the additional context — severity scores, Common Platform Enumeration data, Common Weakness Enumeration tags — that organizations rely on for triage and patch prioritization. The new policy makes official what had already become an informal reality.

Which Vulnerabilities Will Still Receive Full Analysis

NIST stated that it will continue to provide complete enrichment only for CVEs that satisfy at least one of three specific criteria:

All other submitted CVEs will still be listed in the NVD, but they will carry a status of "Not Scheduled" — meaning NIST will not augment them beyond what the originating CNA provided. In practice, this means the severity score visible on many of these entries will come solely from the CNA that evaluated and submitted the vulnerability, rather than from an independent NIST analysis.

The Trade-Off: Breadth vs. Depth

NIST acknowledged directly that the new framework creates a blind spot. Some high-impact vulnerabilities could fall outside all three priority categories and therefore receive no enrichment, even if they present serious risk to affected organizations. The agency addressed this limitation by opening an email channel for enrichment requests: stakeholders who believe a deprioritized CVE warrants closer attention can contact NIST at nvd@nist.gov.

"This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories." — NIST

The distinction NIST is drawing is between localized impact — a vulnerability that could seriously harm a specific organization or niche product — and systemic risk, meaning flaws that could be weaponized at scale across critical infrastructure, federal networks, or widely deployed commercial software.

Implications for Security Practitioners

The NVD is used universally across the security ecosystem. Security researchers, software vendors, government agencies, IT professionals, and even journalists and end users routinely query it when assessing specific vulnerabilities. The database's strength has always been its independence and completeness — a neutral, government-backed layer of analysis that could be trusted when vendor-supplied CNA scores might carry inherent bias or inconsistency.

With NIST stepping back from enriching non-priority CVEs, organizations will need to adapt their vulnerability management workflows. For flaws that land in the "Not Scheduled" bucket, teams will have to rely more heavily on CNA-supplied data, third-party intelligence feeds, and internal risk assessments to determine the severity and urgency of patching. Security vendors that maintain their own vulnerability databases and scoring engines may see increased demand as a result.
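The fallback described above can be made mechanical. The following is an added example, not code from the article or from NIST: it triages records in the shape returned by the NVD 2.0 API (`cve.id`, `cve.vulnStatus`, and the `cve.metrics.cvssMetricV*` arrays whose entries carry a `source`, a `type` of "Primary" for NIST's own analysis or "Secondary" for the CNA's, and `cvssData`). It prefers a NIST score, falls back to the CNA score when that is all the entry has, and separates out entries with no score from either side as candidates for an internal assessment or an enrichment request. The sample response, the CVE ids and the CNA source address are constructed placeholders, and the assumption that the new status appears in `vulnStatus` under the exact string "Not Scheduled" is an assumption, not something the article confirms.

```python
"""Triage NVD 2.0 API records when NIST enrichment is absent.

Added example (not from the article or from NIST). Assumes the NVD 2.0
JSON layout and assumes the new "Not Scheduled" status is exposed in the
vulnStatus field under that exact string.
"""
import json
from dataclasses import dataclass
from typing import Optional

ENRICHMENT_REQUEST_CONTACT = "nvd@nist.gov"  # request channel named by NIST
# Metric arrays in the NVD 2.0 schema, newest CVSS version first.
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")

# Constructed sample in NVD 2.0 response shape. CVE ids, scores and the
# CNA source address are placeholders, not real entries.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"source": "nvd@nist.gov", "type": "Primary",
                      "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
                     {"source": "cna@example.invalid", "type": "Secondary",
                      "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",
                 "metrics": {"cvssMetricV31": [
                     {"source": "cna@example.invalid", "type": "Secondary",
                      "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled",
                 "metrics": {}}},
    ]
})


@dataclass
class Triage:
    cve_id: str
    vuln_status: str
    base_score: Optional[float]
    severity: Optional[str]
    score_origin: Optional[str]  # "nist", "cna" or None
    action: str


def _pick_metric(metrics: dict) -> Optional[dict]:
    """Prefer NIST's own ("Primary") score, then the CNA's ("Secondary");
    return None when the entry carries no CVSS metric at all."""
    for want in ("Primary", "Secondary"):
        for key in METRIC_KEYS:
            for metric in metrics.get(key, []):
                if metric.get("type") == want:
                    return metric
    return None


def triage_record(cve: dict) -> Triage:
    status = cve.get("vulnStatus", "")
    metric = _pick_metric(cve.get("metrics", {}))
    if metric is None:
        return Triage(cve["id"], status, None, None, None,
                      "no CVSS score from NIST or the CNA: assess internally; "
                      f"consider an enrichment request to {ENRICHMENT_REQUEST_CONTACT}")
    data = metric["cvssData"]
    origin = "nist" if metric["type"] == "Primary" else "cna"
    # CVSS v3/v4 keep baseSeverity inside cvssData; v2 keeps it one level up.
    severity = data.get("baseSeverity") or metric.get("baseSeverity")
    if origin == "nist":
        action = "use NIST score"
    else:
        action = "use CNA score; no independent NIST analysis"
        if status == "Not Scheduled":
            action += " (Not Scheduled: NIST will not enrich this entry)"
    return Triage(cve["id"], status, data["baseScore"], severity, origin, action)


def triage_response(response_json: str) -> list[Triage]:
    payload = json.loads(response_json)
    return [triage_record(v["cve"]) for v in payload.get("vulnerabilities", [])]


def unscored_cves(results: list[Triage]) -> list[str]:
    """CVE ids with no score from either side: the entries a team must
    assess itself or raise with NIST."""
    return [r.cve_id for r in results if r.base_score is None]


if __name__ == "__main__":
    for r in triage_response(SAMPLE_NVD_RESPONSE):
        print(f"{r.cve_id} [{r.vuln_status}] score={r.base_score} "
              f"({r.severity}) from={r.score_origin}: {r.action}")
```

On the constructed sample the first record takes NIST's 9.8 over the CNA's 7.5, the second falls back to the CNA's 8.8 and is flagged as Not Scheduled, and the third has no score to use at all and is the only one returned by `unscored_cves`. Separating `score_origin` from the score itself is deliberate: a CNA-only score should be visible as such in downstream reporting rather than silently standing in for an independent analysis.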

The policy also raises questions about how smaller organizations — those without the resources to subscribe to premium threat intelligence services — will handle the gap. The NVD has historically been a free, accessible equalizer in vulnerability data. A reduced scope of enrichment could disproportionately affect teams that depend on it as a primary reference.

What Comes Next

NIST has not indicated that the policy is temporary or that it plans to hire additional analysts to restore full enrichment coverage. The agency framed the change as a deliberate prioritization strategy rather than a stopgap measure. Given that submission volumes show no sign of slowing, the "Not Scheduled" category is likely to grow, not shrink, in the months ahead.

Organizations are advised to review their vulnerability management processes now, identify which data sources they will rely on for non-priority CVEs, and consider whether the email request pathway at nvd@nist.gov is a viable option for specific cases where they believe a deprioritized flaw deserves NIST's attention.


Source: BleepingComputer