NIST to Prioritize High-Impact Vulnerabilities in NVD Amidst CVE Submission Surge
The **National Institute of Standards and Technology (NIST)** is changing its approach to handling Common Vulnerabilities and Exposures (CVEs) in its **National Vulnerability Database (NVD)**. Citing a massive increase in CVE submissions, NIST will now prioritize enrichment efforts on vulnerabilities that meet specific criteria, focusing on those with the greatest potential for widespread impact.

### NIST Updates NVD Operations
Citing an explosion in submissions, **NIST** has announced that it will only enrich CVEs listed in its **NVD** that fulfill certain conditions. According to its announcement, CVEs not meeting these criteria will still be listed but won't be automatically enriched by **NIST**. This decision stems from a 263% surge in CVE submissions between 2020 and 2025.
### Prioritization Criteria
The prioritization criteria, effective April 15, 2026, include:
* CVEs appearing in the **U.S. Cybersecurity and Infrastructure Security Agency's (CISA)** Known Exploited Vulnerabilities (KEV) catalog.
* CVEs for software used within the federal government.
* CVEs for critical software as defined by Executive Order 14028, encompassing software with elevated privileges, privileged access to networking or computing resources, control over data or operational technology, and operation outside normal trust boundaries.

CVE submissions not meeting these thresholds will be marked as "Not Scheduled," allowing **NIST** to focus on high-impact vulnerabilities.
### Impact of the Changes
**NIST** stated that CVE submissions in the first three months of 2026 are nearly one-third higher than last year, even though it enriched nearly 42,000 CVEs in 2025, a 45% increase from previous years. Users can request enrichment for high-impact CVEs categorized as unscheduled by emailing "nvd@nist[.]gov".
### Additional Changes to NVD Operations
Further changes include:
* **NIST** will no longer routinely provide separate severity scores if the CVE Numbering Authority has already done so.
* Modified CVEs will only be reanalyzed if the modifications materially impact the enrichment data. Reanalysis requests can be sent via email.
* Unenriched CVEs in the backlog with a publish date before March 1, 2026, will be moved to the "Not Scheduled" category, excluding those in the KEV catalog.
* **NIST** has updated the CVE status labels and descriptions, along with the **NVD Dashboard**, to accurately reflect CVE statuses and statistics in real time.
### Industry Reaction
**Caitlin Condon**, vice president of security research at **VulnCheck**, noted that **NIST** is setting expectations amid rising vulnerability numbers. However, a significant portion of vulnerabilities may lack a clear enrichment path for organizations relying solely on **NIST** data.
**VulnCheck's** data indicates approximately 10,000 vulnerabilities from 2025 lack a CVSS score, while **NIST** has enriched about 14,000 'CVE-2025' vulnerabilities, representing roughly 32% of the 2025 CVE population.
**David Lindner**, chief information security officer of **Contrast Security**, suggests that **NIST's** decision marks the end of relying on a single government database for security risk assessment. Organizations must now adopt a proactive, threat intelligence-driven approach.
Lindner advises focusing on the **CISA KEV** list and exploitability metrics, prioritizing actual exposure over theoretical severity for enhanced national resilience.