NIST Limits CVE Enrichment After 263% Surge in Submissions

NIST has revamped its CVE enrichment process due to a massive increase in submissions. This change prioritizes high-impact vulnerabilities, impacting how organizations assess risks. As a result, many vulnerabilities may not receive the attention they need.


Original Reporting

The Hacker News

AI Summary

CyberPings AI·Reviewed by Rohit Rana

🎯 Basically, NIST is changing how it handles vulnerability reports due to a huge increase in submissions.

What Happened

The National Institute of Standards and Technology (NIST) has announced significant changes to how it handles Common Vulnerabilities and Exposures (CVE) records in the National Vulnerability Database (NVD). Citing a 263% increase in CVE submissions from 2020 to 2025, NIST will now only enrich CVEs that meet specific criteria. The change went into effect on April 15, 2026.

New Prioritization Criteria

NIST's new criteria for prioritizing CVEs include:

  • CVEs listed in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
  • CVEs related to software used by the federal government.
  • CVEs for critical software as defined by Executive Order 14028, which includes software with elevated privileges or access to sensitive data.

CVEs that do not meet these criteria will still be listed but will not receive automatic enrichment from NIST, and will be marked as "Not Scheduled." This approach aims to focus resources on vulnerabilities that pose the greatest systemic risk.
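To make the practical consequence concrete, the following added example (not code from NIST, the NVD or The Hacker News) mirrors the three published criteria to decide whether a record is "Scheduled" or "Not Scheduled", then triages a constructed batch the way the rest of this piece suggests: KEV entries first, best available score next, and unscored "Not Scheduled" records surfaced so they are not silently dropped. Record field names and the CVE-EXAMPLE-* identifiers are assumptions for illustration, not real NVD API fields or real CVE IDs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CveRecord:
    # Constructed record shape; real NVD API fields differ.
    cve_id: str
    in_kev: bool = False            # listed in CISA's KEV catalog
    federal_use: bool = False       # software used by the federal government
    eo14028_critical: bool = False  # "critical software" under EO 14028
    nvd_cvss: Optional[float] = None  # NIST-assigned score, present only if enriched
    cna_cvss: Optional[float] = None  # score supplied by the CNA, if any


def nist_will_enrich(rec: CveRecord) -> bool:
    """True when the record meets any of NIST's three published criteria."""
    return rec.in_kev or rec.federal_use or rec.eo14028_critical


def enrichment_status(rec: CveRecord) -> str:
    """Records outside the criteria are listed but marked 'Not Scheduled'."""
    return "Scheduled" if nist_will_enrich(rec) else "Not Scheduled"


def effective_score(rec: CveRecord) -> Optional[float]:
    """Prefer the NVD score; fall back to the CNA score when NIST has not enriched."""
    return rec.nvd_cvss if rec.nvd_cvss is not None else rec.cna_cvss


def triage(records: List[CveRecord]) -> Tuple[List[str], List[str]]:
    """Rank KEV entries first, then by best available score (highest first).

    Returns (ranked CVE IDs, IDs that are 'Not Scheduled' and have no score at
    all), so the second list can be fed into a local enrichment process."""
    unscored = [r.cve_id for r in records
                if effective_score(r) is None and enrichment_status(r) == "Not Scheduled"]
    ranked = sorted(records, key=lambda r: (not r.in_kev, -(effective_score(r) or 0.0)))
    return [r.cve_id for r in ranked], unscored


# Constructed sample batch with placeholder identifiers (not real CVEs).
SAMPLE = [
    CveRecord("CVE-EXAMPLE-A", in_kev=True, nvd_cvss=9.8),
    CveRecord("CVE-EXAMPLE-B", federal_use=True, cna_cvss=7.5),   # scheduled, not yet enriched
    CveRecord("CVE-EXAMPLE-C", cna_cvss=8.1),                     # Not Scheduled, CNA score only
    CveRecord("CVE-EXAMPLE-D"),                                   # Not Scheduled, no score at all
    CveRecord("CVE-EXAMPLE-E", in_kev=True, cna_cvss=6.5),        # KEV outranks higher non-KEV scores
]

if __name__ == "__main__":
    order, needs_local = triage(SAMPLE)
    print("priority order:", order)
    print("needs local enrichment:", needs_local)
```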

The Impact of the Surge

NIST reported that submissions in the first three months of 2026 were nearly one-third higher than the same period last year. In response to this surge, NIST enriched 42,000 CVEs in 2025 alone, a 45% increase compared to previous years. The organization is working diligently to manage the backlog and improve its processes.

Community Reactions

The cybersecurity community has mixed feelings about these changes. Caitlin Condon, vice president of security research at VulnCheck, noted that while the move to a risk-based prioritization model is expected, it leaves many vulnerabilities without a clear path for enrichment. There are still approximately 10,000 vulnerabilities from 2025 lacking a CVSS score, highlighting the challenges of manual enrichment in today's threat landscape.

David Lindner, chief information security officer of Contrast Security, emphasized that organizations must now pivot to a proactive approach driven by threat intelligence. He stated, "Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics."

Conclusion

NIST's decision to limit CVE enrichment marks a significant shift in how vulnerabilities are managed. This change reflects the growing complexity of the cybersecurity landscape and the need for a more focused approach to vulnerability management. As organizations adapt to these new guidelines, prioritizing high-impact vulnerabilities will be crucial for maintaining security in an increasingly interconnected world.

🔒 Pro Insight

NIST's shift to a risk-based model emphasizes the need for organizations to adapt their vulnerability management strategies amidst rising CVE volumes.
