The National Institute of Standards and Technology (NIST) has announced key updates to its National Vulnerability Database (NVD) operations. These changes are designed to enhance the processing and enrichment of Common Vulnerabilities and Exposures (CVEs) in response to the escalating number of submissions.
Adopting a Risk-Based CVE Enrichment Model
NIST has shifted to a risk-based approach for CVE enrichment, a process aimed at adding detailed information to vulnerabilities. Historically, the institute endeavored to enrich all submitted CVEs, but the influx of new entries has made this increasingly challenging. The updated strategy will prioritize enriching CVEs listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog and those related to critical software used by federal agencies.
This change is a response to a significant surge in CVE submissions, which have increased by 263% between 2020 and 2025. NIST anticipates that this upward trend will persist, with the first quarter of 2026 already showing a one-third increase over the previous year.
Focus on Critical and Federal Software Vulnerabilities
Under the new guidelines, CVEs meeting specific criteria will receive priority enrichment status within one day of submission. This includes vulnerabilities categorized under CISA’s KEV and those affecting critical software as defined by Executive Order 14028. CVEs that do not meet these criteria will be marked as ‘Not Scheduled’ for enrichment, although detailed information can still be requested by users via email.
Despite enriching 42,000 CVEs last year, NIST continues to face a backlog of unenriched entries. The adjustments will allow the institute to concentrate on vulnerabilities that pose the most significant systemic risks.
Implications of New Prioritization Criteria
The implementation of these new criteria means that any unenriched CVEs published before March 1, 2026, will be moved to the Not Scheduled category. Furthermore, NIST will not assign its own severity scores to CVEs if a CVE Numbering Authority has already provided one. Reanalysis will only occur if subsequent changes materially affect the enrichment data.
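For a consumer of the NVD this shift matters in two ways: records outside the KEV catalog or the critical-software set may stay unenriched, and the only severity score present may be the one the CNA supplied rather than NIST's own. The following added example (not NIST or NVD code) shows a local triage helper that applies the prioritisation just described and takes the CNA score when NIST has not added one; it assumes the NVD API 2.0 record layout for `cve` objects, and the KEV ID set, critical-product set and sample records are constructed inputs.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Triage:
    cve_id: str
    bucket: str                  # "priority" or "not-scheduled"
    score: Optional[float]       # best available CVSS base score
    score_source: Optional[str]  # who supplied it (NVD or a CNA)

def best_cvss(cve: dict):
    """Prefer NVD's own score (type 'Primary'); fall back to the CNA's
    ('Secondary'), which under the new policy may be the only one."""
    metrics = cve.get("metrics", {})
    entries = metrics.get("cvssMetricV40", []) + metrics.get("cvssMetricV31", [])
    for wanted in ("Primary", "Secondary"):
        for m in entries:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], m.get("source")
    return None, None

def vendor_products(cve: dict):
    """Yield 'vendor:product' from the CPE 2.3 criteria in configurations."""
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            for match in node.get("cpeMatch", []):
                parts = match["criteria"].split(":")
                if len(parts) > 4:
                    yield f"{parts[3]}:{parts[4]}"

def triage(cve: dict, kev_ids: set, critical_products: set) -> Triage:
    """KEV entries and critical software are 'priority'; anything else is
    'not-scheduled' and must be scored from the CNA data or locally."""
    in_kev = cve["id"] in kev_ids
    critical = any(vp in critical_products for vp in vendor_products(cve))
    score, source = best_cvss(cve)
    bucket = "priority" if (in_kev or critical) else "not-scheduled"
    return Triage(cve["id"], bucket, score, source)

# Constructed sample records shaped like NVD API 2.0 "cve" objects (not real data, not NIST code).
SAMPLE_CVES = [
    {"id": "CVE-0000-0001",
     "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@example.org",
                                    "cvssData": {"baseScore": 8.8}}]},
     "configurations": [{"nodes": [{"cpeMatch": [
         {"criteria": "cpe:2.3:a:examplevendor:widget:1.0:*:*:*:*:*:*:*"}]}]}]},
    {"id": "CVE-0000-0002", "metrics": {}, "configurations": []},
]
KEV_IDS = {"CVE-0000-0002"}           # would come from the CISA KEV feed
CRITICAL = {"examplevendor:widget"}   # from your own inventory
```

A record that lands in `not-scheduled` with `score` equal to `None` is one the NVD will not score for you, so it needs a local severity decision rather than a wait for enrichment.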
To improve communication and transparency, NIST will update CVE status labels and descriptions. This risk-based model is essential for managing the increased CVE submissions while ensuring alignment with the needs of the NVD community. The changes also facilitate the development of automated systems and workflow improvements to sustain the program long-term.
NIST acknowledges the impact of these adjustments on users but emphasizes the necessity of this strategic shift to manage its workload effectively and enhance the NVD’s capabilities.
