NIST Implements Risk-Based Prioritization for National Vulnerability Database Enrichment Amid Record CVE Growth

The National Institute of Standards and Technology (NIST) has officially transitioned to a risk-based prioritization model for the National Vulnerability Database (NVD), signaling a major shift in how the agency manages the overwhelming volume of security flaws reported by researchers and software vendors. Effective April 15, 2026, NIST will only provide full enrichment—including Common Vulnerability Scoring System (CVSS) scores, Common Weakness Enumeration (CWE) classifications, and Common Platform Enumeration (CPE) data—for vulnerabilities that meet specific high-impact criteria. This decision comes as the global cybersecurity community faces an unprecedented surge in Common Vulnerabilities and Exposures (CVE) submissions, which have strained the resources of government-managed databases to their breaking point.
Under the new operational framework, CVEs that do not meet the established thresholds for systemic risk will still be listed within the NVD to ensure a public record exists, but they will remain "unenriched" by NIST staff. These entries will be marked with a "Not Scheduled" status, indicating that the agency does not currently plan to perform the manual analysis required to assign severity scores or affected product mappings. NIST representatives stated that this change is a direct response to a 263% increase in CVE submissions recorded between 2020 and 2025, a trend that has accelerated even further in the opening months of 2026.
The Catalyst for Change: A Decade of Explosive Growth
The decision to scale back enrichment efforts is the culmination of years of mounting pressure on the NVD. Since its inception, the NVD has served as the world’s primary repository for vulnerability metadata, providing the foundational data used by thousands of security scanners, patch management tools, and regulatory compliance frameworks. However, the sheer volume of software being produced, combined with the proliferation of bug bounty programs and automated vulnerability discovery tools, has created a pipeline that NIST can no longer manage manually.
Data released by NIST indicates that the first quarter of 2026 saw submission volumes nearly one-third higher than the same period in 2025. This follows a record-breaking year in 2025, during which NIST enriched approximately 42,000 CVEs, roughly 45% more than in any previous year in the agency's history. Despite these efforts to keep pace, the backlog has continued to grow. Security researchers at VulnCheck recently noted that approximately 10,000 vulnerabilities from 2025 still lack a CVSS score, representing nearly 32% of the total CVE population for that year.
NIST’s move toward prioritization is an admission that the "capture-all" enrichment model is no longer sustainable. By focusing on vulnerabilities that present the highest systemic risk to national security, critical infrastructure, and the global digital economy, the agency aims to ensure that the most dangerous threats receive the fastest possible analysis.

Criteria for Prioritization and the "Not Scheduled" Category
The prioritization criteria implemented on April 15 are designed to filter out minor bugs and niche software flaws that, while potentially serious for individual users, do not pose a broad threat to the ecosystem. While NIST has not publicly listed every granular metric used in its internal scoring, the agency has confirmed that the focus will remain on:
- Exploitation Status: Vulnerabilities known to be actively exploited in the wild, particularly those appearing on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
- Product Ubiquity: Flaws affecting widely used operating systems, core internet protocols, and enterprise-grade software that form the backbone of modern infrastructure.
- Severity Potential: Vulnerabilities that, by their nature, allow for remote code execution (RCE) or unauthorized access to sensitive data on a massive scale.
CVEs that fall outside these categories will be relegated to the "Not Scheduled" tier. NIST clarified that while these lower-priority flaws can still have a significant impact on specific affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories. For organizations that find a "Not Scheduled" CVE critical to their specific operations, NIST has provided a recourse mechanism. Users can request enrichment for specific entries by contacting the NVD team directly via email, though the agency maintains the final authority on whether to move a request into the active enrichment queue.
Industry Reactions: The End of an Era for Manual Enrichment
The shift has sent ripples through the cybersecurity industry, with experts viewing the move as both a necessary evolution and a significant challenge for legacy security workflows. Caitlin Condon, Vice President of Security Research at VulnCheck, noted that the announcement was not entirely unexpected given NIST’s previous signals regarding a move to a risk-based model.
"On the plus side, NIST is clearly and publicly setting expectations for the community amid a huge and escalating rise in new vulnerabilities," Condon said. "On the other hand, a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative source of CVE data."
Condon emphasized that the industry has reached a tipping point where manual human analysis can no longer compete with the speed of software development and threat actor activity. She argued that the current climate demands "machine-speed" approaches to identification and enrichment, noting that if defenders do not prioritize vulnerability management through automation, adversaries will do it for them.
David Lindner, Chief Information Security Officer of Contrast Security, characterized the change as the "end of an era" for defenders who have traditionally relied on a single, government-managed database to assess security risks. He suggested that this transition would force the industry to mature by prioritizing actual exposure over theoretical severity.

"Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics," Lindner stated. "Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug."
Strategic Implications for Enterprise Security
The restructuring of the NVD has immediate and long-term implications for how businesses and government agencies handle vulnerability management. For years, many organizations have built their security policies around the assumption that every CVE would eventually receive an official NIST score. With that assumption no longer valid, several shifts in strategy are expected:
- Reliance on Private Enrichment: Organizations may increasingly turn to commercial threat intelligence providers and security vendors who offer their own proprietary scoring and analysis to fill the gap left by the NVD.
- Adoption of SSVC and EPSS: There is likely to be a surge in the adoption of alternative prioritization schemes. The Exploit Prediction Scoring System (EPSS) uses a data-driven model to estimate the probability that a vulnerability will be exploited in the next 30 days, while Stakeholder-Specific Vulnerability Categorization (SSVC) is a decision-tree framework that maps exploitation status, automatability and impact to an action (Track, Track*, Attend or Act) rather than to a single severity number.
- Focus on Reachability: Rather than patching every "High" or "Critical" CVSS bug, security teams will need to use reachability analysis to determine whether the vulnerable function in a library or component is actually loaded and called within their specific environment.
- Automation in Compliance: Regulatory bodies that mandate "NVD-based" patching cycles may need to update their language to accommodate the reality of unenriched CVEs, potentially allowing for more flexible, risk-based compliance frameworks.
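The shifts listed above amount to a triage procedure: decide what to do with a CVE from exploitation evidence (KEV membership, EPSS) first and fall back to CVSS only where NIST has actually supplied one. The following Python is an added example, not code from NIST, CISA, FIRST or any vendor mentioned in this article. It flattens three feeds whose record layouts mirror the public JSON shapes of the NVD 2.0 API, the CISA KEV catalog and the EPSS API, and applies a simplified SSVC-style decision (CISA's outcomes Track, Track*, Attend, Act) to each CVE. Every CVE ID, score and date is constructed for illustration; the "Not Scheduled" status string is taken from the article's description and is assumed, not verified against the live API; the `EPSS_ATTEND` threshold and the ordering of checks are this example's choices, not CISA's full decision tree (which also weighs automatability and mission prevalence). The point it demonstrates beyond the text is how an unenriched record is handled: a missing CVSS score is neither treated as zero nor as critical, and the record is flagged for local or vendor enrichment.

```python
"""Triage CVEs without waiting for NVD enrichment (added example, not NVD code)."""
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample feeds (illustrative IDs and values, not real advisories) ---

# NVD 2.0-style records. "Not Scheduled" is the status the article describes for
# unenriched entries (assumed string); "Analyzed" / "Awaiting Analysis" are existing NVD statuses.
NVD_FEED = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2026-10001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
        {"cve": {"id": "CVE-2026-10002", "vulnStatus": "Not Scheduled", "metrics": {}}},
        {"cve": {"id": "CVE-2026-10003", "vulnStatus": "Not Scheduled", "metrics": {}}},
        {"cve": {"id": "CVE-2026-10004", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]}}},
        {"cve": {"id": "CVE-2026-10005", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    ]
}

# CISA KEV-style catalog, reduced to the fields this example reads.
KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-2026-10002", "dateAdded": "2026-04-20"}]}

# EPSS API-style rows: probability of exploitation within 30 days, serialised as strings.
EPSS_FEED = {"data": [
    {"cve": "CVE-2026-10001", "epss": "0.02100", "percentile": "0.88000"},
    {"cve": "CVE-2026-10002", "epss": "0.91000", "percentile": "0.99800"},
    {"cve": "CVE-2026-10003", "epss": "0.45000", "percentile": "0.97500"},
    {"cve": "CVE-2026-10004", "epss": "0.00090", "percentile": "0.31000"},
    # CVE-2026-10005 is deliberately absent: EPSS has not scored it yet.
]}

EPSS_ATTEND = 0.10  # hypothetical threshold; tune to your own risk appetite


@dataclass
class Triage:
    cve: str
    decision: str          # "Act" > "Attend" > "Track*" > "Track" (SSVC-style outcomes)
    cvss: Optional[float]  # None when NVD has not enriched the record
    epss: Optional[float]  # None when EPSS has no score for it
    in_kev: bool
    reason: str


def index_feeds(nvd, kev, epss):
    """Flatten the three feeds into per-CVE lookups keyed by CVE ID."""
    status, cvss = {}, {}
    for item in nvd["vulnerabilities"]:
        cve = item["cve"]
        status[cve["id"]] = cve["vulnStatus"]
        v31 = cve.get("metrics", {}).get("cvssMetricV31") or []
        if v31:  # enriched records carry at least one CVSS v3.1 entry
            cvss[cve["id"]] = float(v31[0]["cvssData"]["baseScore"])
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    epss_scores = {row["cve"]: float(row["epss"]) for row in epss["data"]}
    return status, cvss, kev_ids, epss_scores


def triage_one(cve_id, status, cvss, kev_ids, epss_scores):
    """Exploitation evidence first, CVSS second, and an explicit path for unenriched records."""
    in_kev = cve_id in kev_ids
    score = cvss.get(cve_id)
    prob = epss_scores.get(cve_id)
    if in_kev:
        return Triage(cve_id, "Act", score, prob, True, "listed in CISA KEV: exploitation confirmed")
    if prob is not None and prob >= EPSS_ATTEND:
        return Triage(cve_id, "Attend", score, prob, False, f"EPSS {prob:.3f} >= {EPSS_ATTEND}")
    if score is not None and score >= 7.0:
        return Triage(cve_id, "Track*", score, prob, False, f"CVSS {score} with no exploitation signal")
    if score is None:
        # Unenriched: a missing score is neither 0 nor critical; it needs someone else's analysis.
        return Triage(cve_id, "Track", None, prob, False,
                      f"NVD status '{status.get(cve_id)}': needs local or vendor enrichment")
    return Triage(cve_id, "Track", score, prob, False, "low severity, low exploit probability")


def triage_all(nvd=NVD_FEED, kev=KEV_FEED, epss=EPSS_FEED):
    """Triage every CVE in the NVD feed and return them most urgent first."""
    status, cvss, kev_ids, epss_scores = index_feeds(nvd, kev, epss)
    order = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}
    results = [triage_one(c, status, cvss, kev_ids, epss_scores) for c in status]
    return sorted(results, key=lambda t: (order[t.decision], -(t.epss or 0.0)))


if __name__ == "__main__":
    for t in triage_all():
        print(f"{t.cve}  {t.decision:6} cvss={t.cvss} epss={t.epss} kev={t.in_kev}  {t.reason}")
```

On the constructed data the KEV-listed but unenriched CVE-2026-10002 comes out as "Act" even though NVD has given it no score, while the fully enriched CVSS 9.8 entry lands at "Track*" because nothing indicates it is being exploited; that inversion is exactly the shift from theoretical severity to actual exposure the article describes. To run this against live data, replace the three constructed dictionaries with the parsed responses of the NVD 2.0 API, the KEV JSON catalog and the EPSS API, keeping the same lookups.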
Chronology of the NVD Crisis
The path to the April 2026 policy change was marked by several key milestones that illustrated the growing strain on NIST’s infrastructure:
- 2020-2022: CVE submissions began to climb sharply as digital transformation accelerated during the global pandemic.
- Early 2024: A significant slowdown in NVD enrichment was first observed by the community, leading to a backlog of thousands of vulnerabilities.
- Mid-2025: NIST announced a record 42,000 enrichments but acknowledged that the volume was still outstripping staff capacity.
- Late 2025: Discussions began regarding a "consortium" model or a move to risk-based prioritization to save the database from total obsolescence.
- April 15, 2026: The new prioritization policy officially goes into effect, formalizing the tiered enrichment system.
Future Outlook: AI and Distributed Responsibility
Looking ahead, the future of vulnerability management appears to be moving toward a more distributed model. NIST has signaled that it will continue to explore partnerships with the private sector and other government agencies to bolster the NVD’s capabilities. However, the long-term solution likely lies in the integration of Artificial Intelligence (AI).
AI-driven vulnerability discovery is currently a double-edged sword; while it helps developers find bugs faster, it also gives attackers the tools to find and weaponize zero-day vulnerabilities at scale. To counter this, NIST and other security organizations are investigating AI-assisted enrichment tools that can automatically assign CVSS scores and CWEs with high accuracy, potentially reducing the need for manual human intervention.
As the NVD transitions to its role as a prioritized repository, the burden of security analysis is shifting back to the software producers and the wider security community. The "Not Scheduled" category serves as a stark reminder that in a world of infinite software flaws, government resources are finite. National resilience will increasingly depend not on a single list of bugs, but on the ability of individual organizations to intelligently navigate a complex and rapidly changing threat landscape.