[{"data":1,"prerenderedAt":102},["ShallowReactive",2],{"article-slug-nist-overhauls-nvd-program-citing-overwhelming-vulnerability-volume":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":29,"sources":30,"events":67,"mitre_techniques":74,"mitre_mitigations":75,"d3fend_countermeasures":76,"iocs":77,"cyber_observables":78,"tags":79,"extract_datetime":86,"article_type":87,"impact_scope":88,"pub_date":50,"reading_time_minutes":101,"createdAt":86,"updatedAt":86},"658c4890-f861-4cf2-a7c4-5c71923c5404","nist-overhauls-nvd-program-citing-overwhelming-vulnerability-volume","NIST Overhauls NVD, Will No Longer Enrich All CVEs Amidst 'Unsustainable' Surge in Reports","NIST Announces Major Shift in NVD Program, Prioritizing CVE Enrichment for Critical and Exploited Vulnerabilities","The U.S. National Institute of Standards and Technology (NIST) has announced a significant policy change for its National Vulnerability Database (NVD). Citing an unsustainable surge in vulnerability submissions, NIST will no longer provide detailed analysis for every CVE. Instead, it will prioritize enriching vulnerabilities listed in CISA's KEV catalog and those affecting U.S. federal government software. This move will create a large backlog of 'Not Scheduled' CVEs without CVSS scores or product information, forcing security teams to re-evaluate their vulnerability management programs.","## Executive Summary\nThe U.S. **[National Institute of Standards and Technology (NIST)](https://www.nist.gov)** has announced a fundamental change to its management of the **[National Vulnerability Database (NVD)](https://nvd.nist.gov/)**, a cornerstone of global vulnerability management programs. Effective April 15, 2026, **[NIST](https://www.nist.gov)** will no longer attempt to \"enrich\" every submitted Common Vulnerability and Exposure (CVE) with metadata like CVSS scores, CWEs, and CPEs. Citing an exponential growth in submissions that has overwhelmed its resources, the agency is shifting to a risk-based triage model. This policy change has immediate and significant implications for cybersecurity professionals, who must now adapt their vulnerability management processes and seek alternative sources for the data that **[NIST](https://www.nist.gov)** will no longer universally provide.\n\n---\n\n## Regulatory Details\nUnder the new policy, **[NIST](https://www.nist.gov)** will focus its analysis and enrichment efforts on a prioritized subset of vulnerabilities. The criteria for prioritization include:\n\n1.  **CISA's Known Exploited Vulnerabilities (KEV) Catalog:** CVEs that are confirmed to be actively exploited in the wild will be prioritized, with a goal of enrichment within one business day of being added to the KEV.\n2.  **U.S. Federal Government Software:** Vulnerabilities affecting software used by U.S. federal agencies.\n3.  **Critical Software:** Flaws in software designated as \"critical\" under Executive Order 14028 on Improving the Nation's Cybersecurity.\n\nCVEs that do not meet these criteria will be placed in a \"Not Scheduled\" state within the **[NVD](https://nvd.nist.gov/)**. These entries will exist as placeholders with a CVE ID and basic description but will lack the crucial enriched data (CVSS, CPE, CWE) that automated scanners and security teams rely on for risk assessment and prioritization.\n\n## Affected Organizations\nThis policy change affects virtually every organization worldwide that conducts vulnerability management. This includes:\n-   Enterprises of all sizes that use vulnerability scanners and management platforms.\n-   Security vendors whose products integrate with and rely on **[NVD](https://nvd.nist.gov/)** data.\n-   Managed Security Service Providers (MSSPs).\n-   Independent security researchers and consultants.\n\n## Implementation Timeline\nThe new policy took effect immediately on **April 15, 2026**. **[NIST](https://www.nist.gov)** also announced it would retroactively move all unenriched CVEs published before March 1, 2026, into the \"Not Scheduled\" category to address its current backlog.\n\n## Impact Assessment\nThe operational impact on security teams will be substantial. The lack of universal enrichment means:\n-   **Increased Manual Effort:** Analysts will need to manually research \"Not Scheduled\" vulnerabilities to determine their severity, applicability, and impact, a time-consuming and resource-intensive task.\n-   **Broken Automations:** Automated vulnerability management workflows that depend on CVSS scores or CPE data from the **[NVD](https://nvd.nist.gov/)** will fail or produce incomplete results for a growing number of CVEs.\n-   **Rise of Commercial Intelligence:** Organizations will become more reliant on commercial threat intelligence feeds and vulnerability database providers to fill the gap left by **[NIST](https://www.nist.gov)**.\n-   **Inconsistent Risk Scoring:** Without a central, authoritative source for CVSS scores, different organizations and vendors may assign different scores to the same vulnerability, leading to inconsistent prioritization.\n\n## Enforcement & Penalties\nThis is a policy change by a government agency, not a regulation with penalties. The \"enforcement\" is the reality that the **[NVD](https://nvd.nist.gov/)** will no longer be the all-encompassing resource it once was.\n\n## Compliance Guidance\nOrganizations should take the following steps to adapt to the new reality:\n\n1.  **Review Vulnerability Management Programs:** Immediately assess your organization's reliance on **[NVD](https://nvd.nist.gov/)** data for automated scoring and prioritization. Identify all tools and processes that will be impacted.\n2.  **Identify Alternative Data Sources:** Investigate and onboard alternative sources for vulnerability intelligence. This may include commercial providers (e.g., Snyk, VulnDB), vendor-specific security advisories, and open-source intelligence (OSINT) communities.\n3.  **Develop a Triage Process for Unenriched CVEs:** Create a standard operating procedure (SOP) for handling \"Not Scheduled\" CVEs. This process should define how to manually research a CVE, assign an internal severity score, and determine its relevance to your environment.\n4.  **Leverage Multiple Factors for Prioritization:** Shift from a purely CVSS-based prioritization model to one that incorporates other factors, such as exploitability (e.g., CISA KEV, Exploit-DB), asset criticality, and network location.","Major shift for vulnerability management: NIST will no longer enrich all CVEs in the NVD due to overwhelming volume. 📢 Focus will be on critical & exploited flaws. Time to re-evaluate your VT processes! #NIST #NVD #CVE #CyberSecurity","NIST announces a major policy change for the National Vulnerability Database (NVD), prioritizing CVE enrichment for critical flaws and leaving others unenriched due to a surge in reports.",[13,14,15],"Policy and Compliance","Vulnerability","Security Operations","informational",[18,22,26],{"name":19,"type":20,"url":21},"National Institute of Standards and Technology (NIST)","government_agency","https://www.nist.gov",{"name":23,"type":24,"url":25},"National Vulnerability Database (NVD)","product","https://nvd.nist.gov/",{"name":27,"type":20,"url":28},"Cybersecurity and Infrastructure Security Agency (CISA)","https://www.cisa.gov",[],[31,37,42,47,53,58,63],{"url":32,"title":33,"date":34,"friendly_name":35,"website":36},"https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth","NIST Updates NVD Operations to Address Record CVE Growth","2026-04-15","NIST","nist.gov",{"url":38,"title":39,"date":34,"friendly_name":40,"website":41},"https://therecord.media/nist-nvd-cve-enrichment-changes-april-2026","NIST to limit work on CVE entries as submissions surge","The Record","therecord.media",{"url":43,"title":44,"date":34,"friendly_name":45,"website":46},"https://cyberscoop.com/nist-nvd-cve-analysis-vulnerability/","NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities","CyberScoop","cyberscoop.com",{"url":48,"title":49,"date":50,"friendly_name":51,"website":52},"https://www.securityweek.com/nist-prioritizes-nvd-enrichment-for-cves-in-cisa-kev-critical-software/","NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software","2026-04-16","SecurityWeek","securityweek.com",{"url":54,"title":55,"date":50,"friendly_name":56,"website":57},"https://www.cybersecuritydive.com/news/nist-cve-backlog-vulnerability-enrichment/713337/","NIST limits vulnerability analysis as CVE backlog swells","Cybersecurity Dive","cybersecuritydive.com",{"url":59,"title":60,"date":34,"friendly_name":61,"website":62},"https://siliconangle.com/2026/04/15/nist-shifts-national-vulnerability-database-risk-based-triage-cve-submissions-hit-record-levels/","NIST shifts National Vulnerability Database to risk-based triage as CVE submissions hit record levels","SiliconANGLE","siliconangle.com",{"url":64,"title":65,"date":50,"website":66},"https://www.liltingchannel.com/2026/04/16/nist-nvd-abandons-full-cve-enrichment-shifts-to-priority-triage/","NIST NVD Abandons Full CVE Enrichment, Shifts to Priority Triage","liltingchannel.com",[68,71],{"datetime":69,"summary":70},"2026-04-15T00:00:00Z","NIST announces its new risk-based triage model for NVD enrichment.",{"datetime":72,"summary":73},"2026-03-01T00:00:00Z","NIST designates this as the cutoff date for its existing backlog; CVEs published before this date without enrichment will be moved to 'Not Scheduled'.",[],[],[],[],[],[35,80,81,82,83,84,85],"NVD","CVE","Vulnerability Management","Risk Assessment","CISA KEV","Policy","2026-04-16T15:00:00.000Z","NewsArticle",{"geographic_scope":89,"industries_affected":90,"other_affected":98},"global",[91,92,93,94,95,96,97],"Technology","Government","Finance","Healthcare","Manufacturing","Retail","Education",[99,100],"Vulnerability management professionals","Security vendors",4,1776358273774]