The National Institute of Standards and Technology (NIST) is narrowing how it analyzes and scores software vulnerabilities, citing a sharp increase in submissions that has made it difficult to keep pace.
“For years, security teams relied on NVD for vulnerability context to support prioritization decisions. But that model is under real strain,” said Ian Gray, VP of Intelligence at Flashpoint in an email to eSecurityPlanet.
He added, “CVE submissions have grown 263% between 2020 and 2025, and NIST can no longer keep pace by enriching everything.”
NIST Changes to NVD Explained
NIST maintains the National Vulnerability Database (NVD), which enhances MITRE’s CVE system with CVSS scores, affected product details, and links to advisories and patches.
This enrichment has helped security teams prioritize remediation efforts by making raw vulnerability data more actionable.
Surge in Vulnerability Disclosures
However, as vulnerability disclosures continue to surge, NIST is adjusting how it allocates its resources.
According to the agency, submission volumes have increased by more than 260% in recent years and are still rising into 2026.
While NIST enriched roughly 42,000 vulnerabilities in 2025, it noted that maintaining the same level of detailed analysis for every new CVE is no longer sustainable at current volumes.
New NVD Prioritization Criteria
Under a new prioritization approach that took effect Apr. 15, NIST will focus its enrichment efforts on a narrower set of high-impact vulnerabilities.
This includes those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, vulnerabilities affecting U.S. federal systems, and issues tied to critical software identified under Executive Order 14028.
For these cases, NIST will continue providing full analysis, including standardized severity scoring and product mapping.
What “Not Scheduled” Means for CVEs
All other vulnerabilities will still be published in the NVD but may no longer receive the same level of enrichment.
Instead, they will rely primarily on severity scores and details provided by the originating CVE Numbering Authority (CNA), such as a vendor or security organization.
These entries may be labeled as “Not Scheduled” for further NIST analysis, meaning they could lack consistent CVSS scoring or additional technical context from NIST.
Challenges for Security Teams
This shift could introduce challenges for organizations that depend on NVD data for vulnerability management, particularly when assessing risk across large or complex environments.
CNA-provided data can vary in quality and depth, which may require security teams to spend more time validating and supplementing vulnerability information.
NIST acknowledged these limitations and noted that some impactful vulnerabilities may fall outside its prioritization criteria.
To help address gaps, the agency has introduced a process for requesting additional analysis on specific CVEs, allowing organizations to seek enrichment when needed.
How to Adapt to NVD Changes
Security teams may need to adjust how they triage and prioritize vulnerabilities in light of reduced NVD enrichment. Recommended steps include:
- Rely more heavily on vendor advisories and CNA-provided data when NVD enrichment is unavailable.
- Incorporate threat intelligence sources, such as exploitation data and KEV listings, into prioritization workflows.
- Standardize internal scoring models to supplement or validate inconsistent external severity ratings.
- Automate vulnerability management processes to handle higher data volume and variability.
- Monitor for vulnerabilities affecting critical assets, even if they are not prioritized by NIST.
- Validate and cross-reference vulnerability data across multiple sources to reduce blind spots.
- Test incident response plans to ensure readiness for vulnerabilities that may lack complete public context.
Collectively, these steps help organizations build resilience and reduce exposure by strengthening visibility and decision-making across vulnerability data sources.
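The steps above amount to a triage rule set: take the best available score (NIST's if present, otherwise the CNA's), treat a KEV listing as overriding evidence, and weigh the result against asset criticality rather than acting on the external number alone. The Python below is an added illustration of that rule set; it is not code from eSecurityPlanet, NIST, or CISA. The CVE records, KEV snapshot, asset inventory, and tier thresholds are all constructed for the example (the CVE IDs are placeholders, not real entries), and the field names are assumptions rather than the actual NVD JSON schema.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    nvd_status: str              # e.g. "Analyzed" or "Not Scheduled" (NIST enrichment state)
    nvd_cvss: Optional[float]    # NIST-provided CVSS base score, if enrichment happened
    cna_cvss: Optional[float]    # CVSS base score supplied by the originating CNA, if any
    affected_assets: tuple       # internal asset names this CVE was mapped to


# Constructed internal inventory (assumed asset names): asset -> criticality tier.
ASSET_CRITICALITY = {
    "payments-api": "critical",
    "build-runner": "high",
    "intranet-wiki": "low",
}
CRIT_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed KEV snapshot. A real deployment would load CISA's catalog;
# the IDs here are placeholders, not real CVEs.
KEV_IDS = {"CVE-0000-0001"}

SAMPLE_RECORDS = [
    # KEV-listed, no NIST score, CNA score only, touches only a low-value asset
    CveRecord("CVE-0000-0001", "Not Scheduled", None, 9.8, ("intranet-wiki",)),
    # fully enriched, touches a critical asset
    CveRecord("CVE-0000-0002", "Analyzed", 7.5, 7.5, ("payments-api",)),
    # no public score at all, touches a critical asset
    CveRecord("CVE-0000-0003", "Not Scheduled", None, None, ("payments-api",)),
    # CNA score only, high-value asset
    CveRecord("CVE-0000-0004", "Not Scheduled", None, 5.3, ("build-runner",)),
    # NIST and CNA disagree sharply
    CveRecord("CVE-0000-0005", "Analyzed", 4.0, 9.1, ("intranet-wiki",)),
]


def effective_severity(rec: CveRecord):
    """Return (score, source, note). Prefer NIST's score, fall back to the CNA's,
    and flag both a missing score and a large NVD/CNA disagreement for validation."""
    if rec.nvd_cvss is not None:
        note = ""
        if rec.cna_cvss is not None and abs(rec.nvd_cvss - rec.cna_cvss) >= 2.0:
            note = "nvd/cna disagree; validate"
        return rec.nvd_cvss, "nvd", note
    if rec.cna_cvss is not None:
        return rec.cna_cvss, "cna", ""
    return None, "none", "no public score; manual review"


def priority_tier(rec: CveRecord, kev_ids, asset_criticality):
    """Map a record to an internal tier P1..P4 from exploitation evidence (KEV),
    the best available severity score, and the criticality of the assets it touches."""
    score, source, note = effective_severity(rec)
    # Assets missing from the inventory are treated as medium criticality, not ignored.
    crit = max((asset_criticality.get(a, "medium") for a in rec.affected_assets),
               key=CRIT_RANK.__getitem__, default="medium")
    reasons = [f"score={score} via {source}", f"asset={crit}"]
    if note:
        reasons.append(note)
    if rec.cve_id in kev_ids:
        reasons.append("listed in KEV")
        tier = "P1"                      # known exploitation outranks any score
    elif score is None:
        tier = "P2" if CRIT_RANK[crit] >= 2 else "P3"   # unscored: escalate by asset value
    elif score >= 7.0:
        tier = "P1" if crit == "critical" else "P2"
    elif score >= 4.0:
        tier = "P3"
    else:
        tier = "P4"
    return tier, reasons


def triage(records, kev_ids, asset_criticality):
    """Return [(cve_id, tier, reasons)] ordered by tier, then by score descending;
    unscored entries sort last within their tier."""
    rows = []
    for rec in records:
        tier, reasons = priority_tier(rec, kev_ids, asset_criticality)
        score = effective_severity(rec)[0]
        rows.append((tier, -(score if score is not None else -1.0), rec.cve_id, reasons))
    rows.sort()
    return [(cve_id, tier, reasons) for tier, _, cve_id, reasons in rows]


if __name__ == "__main__":
    for cve_id, tier, reasons in triage(SAMPLE_RECORDS, KEV_IDS, ASSET_CRITICALITY):
        print(f"{tier} {cve_id}: {'; '.join(reasons)}")
```

With the constructed data, the KEV-listed entry lands in P1 even though NIST never scored it, the unscored entry on the payments service is escalated for manual review rather than dropped, and the record where NIST and the CNA differ by more than five points is kept at NIST's score but flagged so an analyst validates it. The thresholds are deliberately simple; the point is that the score source and the asset context travel with the decision, which is what makes inconsistent external ratings auditable.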
Why Vulnerability Management Is Getting Harder
NIST’s move reflects a broader trend in cybersecurity: the growing challenge of scale.
As vulnerability disclosures continue to rise — driven in part by AI-assisted discovery techniques and automated research — centralized resources like the NVD are under increasing pressure to balance completeness with usability.
At the same time, AI is lowering the barrier for attackers to identify and potentially exploit weaknesses more quickly, further compressing response timelines.
As prioritization becomes necessary, more responsibility shifts to individual organizations to interpret and act on incomplete or inconsistent data.
It also reinforces the need for context-driven vulnerability management, where decisions are based not just on external severity scores, but also on asset criticality, exploitability, and real-world threat activity.
This shift highlights the value of zero trust solutions, which help organizations limit exposure and enforce consistent access controls even as vulnerability management becomes more complex and decentralized.
