NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

Summary

NIST announced a strategic shift in its National Vulnerability Database (NVD) operations to manage the 263% surge in CVE submissions between 2020 and 2025. Going forward, NIST will prioritize enriching only CVEs added to CISA's Known Exploited Vulnerabilities catalog and those affecting federal agencies or critical software per Executive Order 14028, while other CVEs will be categorized as 'Not Scheduled' for enrichment. This risk-based approach allows NIST to focus resources on the most systemic threats while working toward long-term automation and sustainability of the program.

Full text

The National Institute of Standards and Technology (NIST) on Wednesday announced an update to its National Vulnerability Database (NVD) operations to better manage the current volume of new CVEs. The update involves the adoption of a risk-based model for adding details to CVE entries, a process it has historically referred to as ‘enrichment’. Until now, NIST has made efforts to enrich all CVE entries in the NVD, but the high flow of new CVEs is making this a difficult task, and the institute has been struggling for years to clear the growing backlog of submissions. Moving forth, NIST will focus on enriching CVEs that have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog within one day of submission. Additionally, it will enrich entries for vulnerabilities in software used by federal agencies and in critical software defined by EO 14028. “This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” NIST says. Last year, the institute enriched 42,000 CVEs, but it still lags behind the growing volume of submissions, and the new changes will allow it to focus on critical CVEs.Advertisement. Scroll to continue reading. While new CVEs will still be added to NVD, they will be categorized as ‘Not Scheduled’ for enrichment, unless they meet the above criteria. However, users can request the addition of details for unscheduled CVEs via email. “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories,” NIST notes. The implementation of the new prioritization criteria will result in the backlog of unenriched CVEs published to the NVD before March 1, 2026, being moved to the Not Scheduled category. Additionally, the institute will not provide its own severity score for CVEs that have a score submitted by their CVE Numbering Authority and will not reanalyze entries modified after enrichment unless the modifications materially impact the enrichment data. CVE status labels and descriptions will also be updated, as NIST strives to better communicate CVE status and provide transparency on how it manages the current workload. “We recognize that these changes will affect our users. However, this risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community. This shift also allows us to dedicate the resources required to develop the automated systems and workflow enhancements that will ensure the program’s long-term sustainability,” NIST says. Related: NIST’s Quantum Breakthrough: Single Photons Produced on a Chip Related: NIST Publishes Guide for Protecting ICS Against USB-Borne Threats Related: Cyber Insights 2026: Information Sharing Related: CVE and NVD – A Weak and Fractured Source of Vulnerability Truth Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire 100 Chrome Extensions Steal User Data, Create BackdoorMirax RAT Targeting Android Users in EuropeTwo Vulnerabilities Patched in Ivanti Neurons for ITSM Fortinet Patches Critical FortiSandbox VulnerabilitiesSAP Patches Critical ABAP VulnerabilityTriad Nexus Evades Sanctions to Fuel CybercrimeGoogle Adds Rust DNS Parser to Pixel Phones for Better SecurityOrganizations Warned of Exploited Windows, Adobe Acrobat Vulnerabilities Latest News Splunk Enterprise Update Patches Code Execution VulnerabilityMicrosoft Paid Out $2.3 Million at Zero Day Quest 2026 Hacking ContestCisco Patches Critical Vulnerabilities in Webex, ISERansomware Hits Automotive Data Expert AutovistaClaude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via CommentsSweden Blames Pro-Russian Group for Cyberattack Last Year on Its Energy InfrastructureExploited Vulnerability Exposes Nginx Servers to HackingCapsule Security Emerges From Stealth With $7 Million in Funding Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveThreatModeler has appointed Kevin Gallagher as Chief Executive Officer.Thomas Bain has been appointed Chief Marketing Officer at Silent Push.The United States Department of War appointed David Vaughn as Technical Advisor for Data Infrastructure.More People On The MoveExpert Insights The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) Flipboard Reddit Whatsapp Whatsapp Email

Entities