NIST Adopts Risk-Based Approach Amid Rising CVE Submissions

Posted on April 20, 2026 By CWS

The National Institute of Standards and Technology (NIST) has introduced a significant change in its vulnerability management strategy within the National Vulnerability Database (NVD). As of April 15, 2026, NIST is transitioning from a comprehensive analysis method to a targeted, risk-based approach. This move is designed to provide more timely intelligence on high-impact threats, while managing an ever-increasing amount of vulnerability reports.

Reasons Behind the Shift

The decision to adopt a risk-based model stems from a dramatic 263% rise in Common Vulnerabilities and Exposures (CVE) submissions from 2020 to 2025. Despite enhancing productivity by 45% and enriching nearly 42,000 CVEs with severity scores and affected product lists last year, NIST struggled to keep up with the escalating submission rate. In the first quarter of 2026 alone, submissions increased by 33% compared to the previous year.

New Criteria for Prioritization

To navigate this surge, NIST will no longer attempt to enrich every CVE immediately. Instead, the NVD program will focus on vulnerabilities posing the greatest systemic risk. Priority will be given to vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, those affecting software used by federal government agencies, and vulnerabilities involving critical software as outlined in Executive Order 14028.

Submissions outside these parameters will still be published to the NVD but will be labeled as “Lowest Priority” and will not receive immediate enrichment data. Security professionals can request manual analysis by contacting NIST directly.

Operational Adjustments

As part of the new approach, NIST will eliminate redundant efforts in severity scoring. If a CVE Numbering Authority provides a severity score, the NVD will not generate a separate score. Additionally, analysts will only reanalyze modified CVEs if changes significantly impact the core enrichment data.

This streamlined method also addresses the NVD’s processing backlog, which began accumulating in early 2024. Older, unenriched CVEs published before March 1, 2026, have been moved to a “Not Scheduled” category and will be processed gradually as resources permit, based on the new risk criteria.

Future Outlook

To maintain transparency, NIST has updated the NVD Dashboard to accurately reflect the real-time status and statistics of all CVEs. By focusing solely on critical vulnerabilities and reducing duplicate administrative tasks, NIST aims to stabilize current operations while working towards the development of automated systems for sustainable long-term management.
