The U.S. National Institute of Standards and Technology (NIST) has announced a fundamental shift in how the National Vulnerability Database (NVD) will operate. Starting in April 2026, NVD will provide full analytical “enrichment” only for prioritized CVE records, while all other vulnerabilities will remain in the database with minimal data and a new “Not Scheduled” status.
Why NIST is changing the National Vulnerability Database model
The key driver behind this reform is the explosive growth in the number of published vulnerabilities. According to NIST, from 2020 to 2025 the volume of CVE entries increased by approximately 263%. In the first quarter of 2026 alone, incoming CVE submissions grew by about one third compared to the same period a year earlier.
Even with expanded internal processes, NIST has reached its operational limits. In 2025, analysts enriched nearly 42,000 CVE records—a 45% increase over any previous year. Yet this is still not enough: manually classifying, scoring, and contextualizing every vulnerability has become unsustainable at current volumes.
In the NVD context, “enrichment” means adding critical metadata to a CVE: CVSS severity scores, affected products and versions (CPE data), detailed descriptions, references, and other contextual information used by security teams to prioritize remediation and risk mitigation.
New NVD prioritization model and the “Not Scheduled” CVE status
From April 2026, NIST will enrich only priority CVEs that meet at least one of a set of defined criteria. The full criteria are documented by NIST, but the intent is clear: focus limited analytical capacity on vulnerabilities with the greatest potential security impact.
All other CVE entries will be assigned the status “Not Scheduled”. These vulnerabilities will still appear in NVD, but only with the basic information from the original CVE record, without NIST-added CVSS scoring, product mappings, or extended analysis.
Importantly, NIST will no longer recalculate severity scores when a CVE Numbering Authority (CNA)—such as a vendor or coordinating CNA—has already supplied a CVSS score. In practice, this shifts more weight onto the assessments provided directly by software vendors and authorized CNAs, with fewer independent adjustments from NVD.
NIST also clarified that unprocessed CVEs from the existing backlog, with publication dates before 1 March 2026, will be moved to “Not Scheduled”, except for vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog. Previously enriched CVEs will be re-analyzed only when there are substantial data changes. Organizations can still request enrichment of a specific CVE by emailing [email protected], although this is not guaranteed to result in full analysis.
Impact on vulnerability management and risk assessment
The emergence of a large volume of “Not Scheduled” CVEs means that many vulnerabilities will no longer benefit from centralized NIST analysis. For organizations that have historically treated NVD as their primary or even sole authoritative vulnerability source, this change introduces additional uncertainty and operational overhead.
Without standardized NVD enrichment—detailed descriptions, affected product mappings, and normalized CVSS scores—security teams will be forced to perform more in-house analysis or rely on alternative feeds such as commercial threat intelligence, industry ISACs, or vendor advisories.
Dependence on CVSS and CNA-provided data
By ceasing to recalculate CVSS scores where a CNA has already assigned one, NIST effectively endorses vendor and CNA scoring as the primary severity reference. While this can speed up data availability, it may also amplify inconsistencies in how different vendors interpret and apply CVSS, and it reduces a layer of independent normalization that many organizations quietly benefited from.
Industry response and the shift toward exploitability and KEV
The security community’s reaction has been mixed. Caitlin Condon, Vice President of Research at VulnCheck, noted that the move was not unexpected but significantly complicates operations for teams that built vulnerability management processes around NVD as a single source of truth. VulnCheck’s analysis suggests that around 10,000 vulnerabilities from 2025 still lack a CVSS score, and only about 32% of CVE-2025 entries have been fully enriched.
David Lindner, CISO at Contrast Security, called this shift “the end of an era when defenders could rely on a single database for risk assessment.” He argues that organizations should increasingly rely on the KEV catalog and exploitability metrics so that teams focus on vulnerabilities that are actively used in attacks, not just those that look severe on paper.
How security teams should adapt to NVD changes
Use multiple vulnerability intelligence sources
Vulnerability management programs should be redesigned to avoid dependence on NVD alone. In addition to NVD, organizations should systematically consume data from the CISA KEV catalog, vendor security advisories, industry information-sharing centers (ISACs), open-source intelligence projects, and commercial threat intelligence feeds.
Prioritize exploitability, exposure, and business context
Risk assessment must go beyond a single CVSS score. A modern prioritization model should account for exploitability in the wild, public exploit availability, the exposure of affected systems (internet-facing vs. internal), and the criticality of impacted business processes. This helps security teams make informed decisions even when some CVEs are marked as “Not Scheduled” in NVD.
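The prioritization model described above can be sketched as follows. This is an added example, not code from NIST or any vendor: the record fields, tier names, the 7.0 cut-off, and the placeholder CVE IDs are all assumptions made for illustration. A CVE that arrives without any CVSS score, as a “Not Scheduled” record can, is routed to manual review rather than silently ranked as low severity.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    cve_id: str                 # constructed placeholder IDs, not real CVEs
    nvd_score: Optional[float]  # CVSS score added by NVD; None if "Not Scheduled"
    cna_score: Optional[float]  # CVSS base score supplied by the CNA, if any
    in_kev: bool                # listed in the KEV catalog
    public_exploit: bool        # exploit code publicly available
    internet_facing: bool       # exposure of the affected asset
    business_critical: bool     # asset supports a critical business process

def severity(f: Finding):
    """Return (score, source). A missing score stays None, never 0."""
    if f.nvd_score is not None:
        return f.nvd_score, "nvd"
    if f.cna_score is not None:
        return f.cna_score, "cna"
    return None, "unscored"

def triage(f: Finding):
    """Tier one finding; tiers and the 7.0 cut-off are assumptions."""
    score, source = severity(f)
    exposed = f.internet_facing or f.business_critical
    if f.in_kev or (f.public_exploit and f.internet_facing):
        tier = "P1"
    elif f.public_exploit or (score is not None and score >= 7.0 and exposed):
        tier = "P2"
    elif score is None:
        tier = "REVIEW"  # no score, no exploit signal: needs in-house analysis
    elif score >= 7.0:
        tier = "P3"
    else:
        tier = "P4"
    return tier, source

# Constructed sample findings (each CVE already matched to an asset).
SAMPLE = [
    Finding("CVE-0000-0001", None, None, False, False, True, False),
    Finding("CVE-0000-0002", None, 9.8, False, True, True, False),
    Finding("CVE-0000-0003", 5.3, None, True, False, False, False),
    Finding("CVE-0000-0004", 8.1, None, False, False, False, False),
    Finding("CVE-0000-0005", None, 7.5, False, False, False, True),
]

def run():
    return {f.cve_id: triage(f) for f in SAMPLE}

if __name__ == "__main__":
    for cve_id, (tier, source) in run().items():
        print(cve_id, tier, source)
```

Recording the score source alongside the tier lets a team see how much of its queue rests on CNA-only scoring or on no score at all.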
Invest in automation and accurate asset inventory
As the number of unevaluated CVEs grows, maintaining an up-to-date asset inventory becomes essential. Automated tools that map vulnerabilities to specific assets, software versions, and environments enable teams to rapidly determine which new CVEs are truly relevant to their infrastructure and which can be safely de-prioritized.
NIST’s transition to a prioritized NVD enrichment model reflects both the maturity and the overload of today’s vulnerability ecosystem. For organizations, this is a clear signal to modernize vulnerability management: diversify data sources, strengthen internal analysis capabilities, and shift prioritization toward real-world threat activity and business impact. Teams that adapt early to this new reality will be better positioned to maintain resilient, defensible infrastructures in an environment where vulnerabilities are growing faster than any single database can fully process.