NIST Restructures NVD Operations to Tackle Record CVE Growth

According to a recent announcement from the National Institute of Standards and Technology (NIST), the agency is fundamentally restructuring how it manages the National Vulnerability Database (NVD).

Driven by a 263% increase in Common Vulnerabilities and Exposures (CVE) submissions between 2020 and 2025, NIST is shifting from a comprehensive analysis approach to a targeted, risk-based model.

Despite processing a record-breaking 42,000 vulnerabilities last year, a 45% increase over any previous year, the agency noted that current submission rates in early 2026 are already outpacing those figures.

To ensure long-term sustainability and maintain immediate focus on severe threats, NIST will now selectively “enrich” vulnerabilities that meet specific high-risk criteria rather than analyzing every single submission.

High-Priority Enrichment Criteria

As of April 15, 2026, NIST will focus its immediate enrichment efforts on the vulnerabilities that pose the greatest systemic risks.

Enrichment involves adding crucial metadata, such as severity scores and affected product lists, which helps cybersecurity professionals prioritize their patching and mitigation efforts. The new prioritization model targets:

Submissions falling outside these three categories will still enter the NVD but will receive a “Lowest Priority” designation.

While these lower-priority flaws might still severely impact specific systems, NIST indicates they generally lack the widespread systemic risk of the prioritized categories.

However, security teams can request manual enrichment for specific lower-priority items by contacting NIST directly via email.

Alongside the new prioritization matrix, NIST is streamlining several operational workflows to reduce duplicate efforts and manage existing queues.

The agency will stop assigning its own severity scores to vulnerabilities if the submitting CVE Numbering Authority has already provided one.

Additionally, NIST is modifying its approach to update vulnerabilities. The NVD team will now only reanalyze modified entries if the new changes materially impact the existing enrichment data.

Because of this procedural shift, thousands of previously deferred vulnerabilities will be reclassified into a “Modified After Enrichment” status in batches over the coming weeks.

To address the significant backlog that began accumulating in early 2024, NIST is moving all unenriched submissions published before March 1, 2026, into a “Not Scheduled” category.

The agency clarified that this backlog excludes CISA KEV entries, which are given priority processing under its long-standing risk management framework.

To improve transparency during this transition, NIST has also updated the NVD Dashboard to report real-time processing statistics and introduced new status labels to communicate where each vulnerability currently sits in the pipeline clearly.

Implications for Security Teams

This change in the NVD management approach reflects an evolving cybersecurity landscape where the sheer volume of threats has outpaced traditional processing capabilities.

For security teams, this means:

  • Improved Response Time: Critical vulnerabilities will be processed faster, allowing for quicker mitigation.
  • Increased Efficiency: Resources are now focused where they’re needed most, reducing redundancy.
  • Strategic Prioritization: Teams should align their vulnerability management strategies with the new NIST criteria.

The move also aligns with broader federal cybersecurity initiatives, including CISA’s KEV catalog updates, and the requirements set forth in Executive Order 14028.

Organizations leveraging NVD data for security assessments must adjust their processes accordingly, particularly when dealing with vulnerabilities outside the high-priority categories. For those that require deeper analysis, direct contact with NIST remains an option.

NIST’s restructuring of NVD operations is a necessary evolution in response to unprecedented growth in vulnerability submissions. By focusing on systemic risks, the agency hopes to maintain the integrity and utility of the NVD while preserving its role as the authoritative source for cybersecurity vulnerability information.

While some may view the shift as a reduction in scope, it is, in fact, a strategic realignment to ensure that critical threats are not only identified but also rapidly addressed — a vital capability in today’s threat landscape.

Related Articles

Back to top button