NIST Overhauls NVD, Will No Longer Enrich All CVEs Amidst 'Unsustainable' Surge in Reports

NIST Announces Major Shift in NVD Program, Prioritizing CVE Enrichment for Critical and Exploited Vulnerabilities

INFORMATIONAL
April 16, 2026
Categories: Policy and Compliance, Vulnerability, Security Operations

Full Report

Executive Summary

The U.S. National Institute of Standards and Technology (NIST) has announced a fundamental change to its management of the National Vulnerability Database (NVD), a cornerstone of global vulnerability management programs. Effective April 15, 2026, NIST will no longer attempt to "enrich" every submitted Common Vulnerabilities and Exposures (CVE) entry with metadata such as CVSS scores, CWE identifiers, and CPE names. Citing exponential growth in submissions that has overwhelmed its resources, the agency is shifting to a risk-based triage model. This policy change has immediate and significant implications for cybersecurity professionals, who must now adapt their vulnerability management processes and seek alternative sources for the data that NIST will no longer universally provide.


Regulatory Details

Under the new policy, NIST will focus its analysis and enrichment efforts on a prioritized subset of vulnerabilities. The criteria for prioritization include:

  1. CISA's Known Exploited Vulnerabilities (KEV) Catalog: CVEs that are confirmed to be actively exploited in the wild will be prioritized, with a goal of enrichment within one business day of being added to the KEV.
  2. U.S. Federal Government Software: Vulnerabilities affecting software used by U.S. federal agencies.
  3. Critical Software: Flaws in software designated as "critical" under Executive Order 14028 on Improving the Nation's Cybersecurity.

CVEs that do not meet these criteria will be placed in a "Not Scheduled" state within the NVD. These entries will exist as placeholders with a CVE ID and basic description but will lack the crucial enriched data (CVSS, CPE, CWE) that automated scanners and security teams rely on for risk assessment and prioritization.

Affected Organizations

This policy change affects virtually every organization worldwide that conducts vulnerability management. This includes:

  • Enterprises of all sizes that use vulnerability scanners and management platforms.
  • Security vendors whose products integrate with and rely on NVD data.
  • Managed Security Service Providers (MSSPs).
  • Independent security researchers and consultants.

Implementation Timeline

The new policy took effect immediately on April 15, 2026. NIST also announced it would retroactively move all unenriched CVEs published before March 1, 2026, into the "Not Scheduled" category to address its current backlog.

Impact Assessment

The operational impact on security teams will be substantial. The lack of universal enrichment means:

  • Increased Manual Effort: Analysts will need to manually research "Not Scheduled" vulnerabilities to determine their severity, applicability, and impact, a time-consuming and resource-intensive task.
  • Broken Automations: Automated vulnerability management workflows that depend on CVSS scores or CPE data from the NVD will fail or produce incomplete results for a growing number of CVEs.
  • Rise of Commercial Intelligence: Organizations will become more reliant on commercial threat intelligence feeds and vulnerability database providers to fill the gap left by NIST.
  • Inconsistent Risk Scoring: Without a central, authoritative source for CVSS scores, different organizations and vendors may assign different scores to the same vulnerability, leading to inconsistent prioritization.

Enforcement & Penalties

This is a policy change by a government agency, not a regulation with penalties. The "enforcement" is the reality that the NVD will no longer be the all-encompassing resource it once was.

Compliance Guidance

Organizations should take the following steps to adapt to the new reality:

  1. Review Vulnerability Management Programs: Immediately assess your organization's reliance on NVD data for automated scoring and prioritization. Identify all tools and processes that will be impacted.
  2. Identify Alternative Data Sources: Investigate and onboard alternative sources for vulnerability intelligence. This may include commercial providers (e.g., Snyk, VulnDB), vendor-specific security advisories, and open-source intelligence (OSINT) communities.
  3. Develop a Triage Process for Unenriched CVEs: Create a standard operating procedure (SOP) for handling "Not Scheduled" CVEs. This process should define how to manually research a CVE, assign an internal severity score, and determine its relevance to your environment.
  4. Leverage Multiple Factors for Prioritization: Shift from a purely CVSS-based prioritization model to one that incorporates other factors, such as exploitability (e.g., CISA KEV, Exploit-DB), asset criticality, and network location.
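As an added example (not code from the article or from NIST), the following Python sketches the triage step described in items 3 and 4: it detects records that lack enrichment, routes them to a manual-research queue, and derives a provisional priority from KEV membership, asset criticality and network exposure instead of CVSS alone. The records follow the NVD API 2.0 JSON layout; the sample records, KEV set, inventory, provisional baseline and weights are constructed assumptions.

```python
"""Triage helper for CVE records that the NVD leaves unenriched ("Not Scheduled").

Added example, not from the article or NIST. Records mimic the NVD API 2.0 JSON
layout (cve.id, cve.vulnStatus, cve.metrics.cvssMetricV31, cve.configurations).
All sample data below is constructed; the CVE IDs are placeholders.
"""

# Constructed sample records: one fully enriched, one left "Not Scheduled".
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]},
             "configurations": [{"nodes": []}]}},
    {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Not Scheduled",
             "metrics": {}, "configurations": []}},
]
KEV_IDS = {"CVE-0000-00002"}  # constructed stand-in for the CISA KEV catalog
# Constructed asset inventory: CVE id -> (asset criticality 1-5, internet exposed?)
ASSETS = {"CVE-0000-00001": (2, False), "CVE-0000-00002": (5, True)}

# "Not Scheduled" is the new state from the article; the others are existing
# NVD statuses that also indicate enrichment has not happened yet.
UNENRICHED_STATUSES = {"Not Scheduled", "Received", "Awaiting Analysis", "Undergoing Analysis"}


def is_enriched(rec):
    """True only if the record carries CVSS metrics, CPE configurations and a final status."""
    cve = rec["cve"]
    has_data = bool(cve.get("metrics")) and bool(cve.get("configurations"))
    return has_data and cve.get("vulnStatus") not in UNENRICHED_STATUSES


def priority(rec, kev_ids, assets):
    """Return (internal score 0-10, work queue) combining several factors, not CVSS alone."""
    cve = rec["cve"]
    cid = cve["id"]
    crit, exposed = assets.get(cid, (1, False))
    if is_enriched(rec):
        score = cve["metrics"]["cvssMetricV31"][0]["cvssData"]["baseScore"]
        queue = "auto"  # scanner data is complete, normal automated flow
    else:
        score = 4.0  # assumed provisional baseline: unknown severity is treated as medium
        queue = "manual-research"  # SOP: analyst researches and assigns a real score
    if cid in kev_ids:
        score = max(score, 9.0)  # confirmed exploitation overrides any lower score
    score += 0.5 * (crit - 1) + (1.0 if exposed else 0.0)  # asset context (assumed weights)
    return round(min(score, 10.0), 1), queue


def triage(records, kev_ids, assets):
    """Map every CVE id to its (score, queue) so unenriched entries are never silently dropped."""
    return {r["cve"]["id"]: priority(r, kev_ids, assets) for r in records}
```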

Timeline of Events

  1. March 1, 2026: NIST designates this as the cutoff date for its existing backlog; CVEs published before this date without enrichment will be moved to "Not Scheduled".
  2. April 15, 2026: NIST announces its new risk-based triage model for NVD enrichment.
  3. April 16, 2026: This article was published.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

NIST, NVD, CVE, Vulnerability Management, Risk Assessment, CISA KEV, Policy
