The National Institute of Standards and Technology (NIST) has revised its approach to handling cybersecurity vulnerabilities listed in its National Vulnerability Database (NVD). This change comes in response to a significant increase in vulnerability submissions, which have surged by 263% from 2020 to 2025. Under the new guidelines, only vulnerabilities that meet specific criteria will be enriched by NIST.
New Criteria for CVE Enrichment
As of April 15, 2026, NIST has established a set of criteria for prioritizing CVE enrichment. Priority goes to vulnerabilities listed in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, vulnerabilities in software used within the federal government, and vulnerabilities in critical software as defined by Executive Order 14028. The goal of these criteria is to focus enrichment efforts on vulnerabilities with the greatest potential for widespread impact.
Vulnerabilities that do not meet these criteria will be categorized as “Not Scheduled” for enrichment, although they will still be listed in the NVD. This decision reflects a need to manage resources effectively amidst a growing volume of vulnerabilities requiring attention.
Implications for Security Research
NIST’s announcement highlights the challenges posed by the increasing volume of vulnerabilities. In the first quarter of 2026 alone, submissions were nearly a third higher than in the same period last year. Despite these challenges, NIST managed to enrich approximately 42,000 CVEs in 2025, marking a 45% increase compared to previous years.
Security researchers and organizations relying on NIST as a primary source for CVE data may need to adjust their strategies. While high-impact CVEs that are initially unscheduled can be requested for enrichment via email, the new approach prioritizes vulnerabilities that pose systemic risks over those with isolated impacts.
Future Outlook in Cybersecurity Management
The changes instituted by NIST reflect a broader shift towards a risk-based approach in vulnerability management. Caitlin Condon from VulnCheck emphasized the need for distributed and machine-speed solutions to address today’s complex threat landscape. Additionally, David Lindner of Contrast Security noted that organizations must now focus more on actionable intelligence than on sheer volume of data.
As the cybersecurity field evolves, entities must adapt to a proactive risk management strategy. By concentrating on the most critical vulnerabilities and leveraging threat intelligence, the industry can enhance its resilience against cyber threats. This approach not only aligns with current technological advancements but also addresses the interconnected nature of global cybersecurity challenges.
