NIST Overhauls NVD: Risk‑Based Processing of CVE Vulnerabilities

CyberSecureFox

The U.S. National Institute of Standards and Technology (NIST) has announced a radical change to how the National Vulnerability Database (NVD) processes Common Vulnerabilities and Exposures (CVE) records. From now on, full enrichment of CVEs in NVD—such as CVSS scoring, categorization, and additional analysis—will be reserved only for vulnerabilities that meet defined priority criteria. All other CVEs will still appear in the NVD but may lack detailed, NIST‑provided enrichment.

NIST Moves NVD to Risk‑Based Vulnerability Prioritization

NIST directly links this shift to the explosive growth in published vulnerabilities. According to the institute, the volume of incoming CVE records has increased by 263% between 2020 and 2025, with no sign of slowing. In 2025 alone, NIST enriched almost 42,000 CVE entries, roughly 45% more than in any previous year.

The workload continues to accelerate: in the first quarter of 2026, the number of new CVEs was nearly one third higher than in the same period of the prior year. Under these conditions, the traditional model of “enrich every CVE in detail” has become operationally unsustainable, even for a well‑resourced organization such as NIST.

As of 15 April 2026, NVD now operates on a risk‑based prioritization model, concentrating analyst effort on vulnerabilities with the highest potential for systemic impact and large‑scale exploitation.

How the New NVD CVE Prioritization Model Works

Under the updated policy, NIST prioritizes full enrichment for CVEs that:

  • can plausibly lead to widespread incidents or multi‑stage attack chains;
  • affect widely deployed software, libraries, or platforms;
  • pose a significant national or global cybersecurity risk.

CVE records that do not meet these thresholds are now marked as “Not Scheduled”, meaning they are not currently planned for enrichment. They remain visible in the NVD, but without guaranteed CVSS scores, weakness classifications, or extended analytical context.

NIST emphasizes that a “Not Scheduled” flag does not mean a vulnerability is harmless. Such flaws can still be critical for specific environments or sectors but are assessed as having a lower systemic risk compared to higher‑priority CVEs.

Manual Enrichment Requests for High‑Impact CVEs

To address cases where a non‑prioritized CVE is operationally critical to a particular organization, NIST has introduced a manual request process. Security teams can contact NVD via nvd@nist[.]gov to request enrichment of a specific CVE that is currently marked “Not Scheduled”. Each request will be reviewed individually and, if accepted, placed into the enrichment queue.

Data Gaps, CVSS Scoring, and Industry Concerns

Even before this policy change, gaps were emerging. According to analysis by VulnCheck, by the end of 2025 roughly 10,000 vulnerabilities still lacked a CVSS score. Researchers estimate that NIST enriched around 14,000 CVE‑2025 records, representing only about 32% of all vulnerabilities disclosed in 2025, despite the overall count of enriched CVEs (across multiple years) hitting record levels.

Industry experts note that this confirms a long‑standing trend: fully manual enrichment of every new CVE is no longer viable. With modern threat landscapes and the sheer scale of disclosures, effective vulnerability management increasingly depends on distributed, automated, and machine‑speed processes for both discovery and prioritization.

This shift has direct implications for tools and auditors that historically relied on NVD’s CVSS scores as a primary risk signal. Organizations may now face more “unscored” CVEs in their scanning results and must be ready to apply their own risk models or integrate scoring from alternative sources.

What NIST’s NVD Changes Mean for Vulnerability Management

For many security teams, NVD has long served as the primary “single source of truth” for vulnerability data. By focusing on high‑impact vulnerabilities, NIST effectively ends the era when one centralized government database could be treated as a complete, fully enriched catalog of all CVEs.

Security practitioners and auditors will need to transition more decisively to risk‑driven, threat‑intelligence‑led vulnerability management. Several practical guidelines emerge from this shift:

  • Prioritize the CISA Known Exploited Vulnerabilities (KEV) catalog, which lists vulnerabilities confirmed as actively exploited in the wild.
  • Supplement CVSS with exploitability and context‑based metrics (for example, exploit availability, exposure of affected assets, and business criticality), instead of relying on numerical scores alone.
  • Correlate data from multiple sources: NVD, vendor advisories, commercial vulnerability feeds, threat intelligence platforms, and sector ISACs.

Recommended Actions for Security and Audit Teams

To adapt to the new NVD reality, organizations should:

  • Implement asset‑centric vulnerability management, linking CVEs to specific systems, business services, and data sensitivity.
  • Introduce automated risk scoring that can ingest NVD data, CISA KEV entries, and other feeds to dynamically reprioritize remediation.
  • Define clear policies for handling CVEs without NVD CVSS scores, including internal scoring procedures or use of third‑party ratings.
  • Ensure audit and compliance frameworks are updated to reflect the fact that not all CVEs will have NVD‑issued enrichment.
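As an added illustration (not code from the article or from NIST), the following Python sketch ranks CVEs using the inputs the guidelines above name: NVD records, CISA KEV membership and local asset context, with an internal fallback score for records NVD has marked “Not Scheduled”. The record fields, sample CVE IDs, scores, asset context and the fallback value are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not NIST/NVD code: field names below are assumed, not the NVD schema.
@dataclass
class CveRecord:
    cve_id: str
    nvd_status: str              # assumed label, e.g. "Analyzed" or "Not Scheduled"
    cvss_base: Optional[float]   # None when NVD supplied no CVSS score

# Constructed sample data: CVE IDs, scores and asset context are illustrative only.
SAMPLE_CVES = [
    CveRecord("CVE-2025-0001", "Analyzed", 9.8),
    CveRecord("CVE-2025-0002", "Not Scheduled", None),
    CveRecord("CVE-2025-0003", "Not Scheduled", None),
    CveRecord("CVE-2025-0004", "Analyzed", 4.3),
]
SAMPLE_KEV = {"CVE-2025-0002"}   # constructed stand-in for a CISA KEV lookup set
SAMPLE_ASSETS = {                # cve_id -> (internet_exposed, business_critical)
    "CVE-2025-0002": (True, True),
    "CVE-2025-0004": (True, False),
}

UNSCORED_FALLBACK = 7.0  # internal policy: treat an unscored CVE as High until triaged

def score_cve(rec, kev, assets):
    """Return (score, reasons) combining NVD CVSS, KEV membership and asset context."""
    reasons = []
    if rec.cvss_base is None:
        base = UNSCORED_FALLBACK
        reasons.append(f"no NVD CVSS ({rec.nvd_status}); fallback {base}")
    else:
        base = rec.cvss_base
    if rec.cve_id in kev:
        base = max(base, 9.0)    # confirmed exploitation outranks any lower score
        reasons.append("listed in CISA KEV")
    exposed, critical = assets.get(rec.cve_id, (False, False))
    if exposed:
        base += 1.0
        reasons.append("internet-exposed asset")
    if critical:
        base += 0.5
        reasons.append("business-critical service")
    return round(min(base, 10.0), 1), reasons

def prioritize(records, kev, assets):
    """Rank records highest-risk first; equal scores keep input order."""
    scored = [(rec.cve_id, *score_cve(rec, kev, assets)) for rec in records]
    return sorted(scored, key=lambda item: item[1], reverse=True)
```

Running `prioritize(SAMPLE_CVES, SAMPLE_KEV, SAMPLE_ASSETS)` puts the unscored but KEV-listed, exposed CVE above the CVSS 9.8 entry, which is the reordering the article argues teams must now be able to do themselves.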

The evolution of NVD from exhaustive manual coverage to a curated, risk‑based model reflects a broader maturation of the cybersecurity ecosystem. In a world where attackers already operate at machine speed, resilience depends less on tracking every minor flaw and more on rapidly mitigating the vulnerabilities that truly matter. Organizations that modernize their vulnerability management, invest in automation, and build strong threat intelligence capabilities will be best positioned to thrive under NIST’s new NVD paradigm.
