NVD Shifts Gear: What Container Security Teams Need to Know

2026-05-18 20:32:40

On April 15, the National Institute of Standards and Technology (NIST) announced a major shift in how it enriches the National Vulnerability Database (NVD). Most CVEs will still be published, but fewer will receive the CVSS scores, CPE mappings, and CWE classifications that container scanners and compliance programs have historically relied on. This change formalizes a trend that has been visible for two years, and now NIST has stated plainly that it does not intend to return to full-coverage enrichment. For container security programs that built scanning, prioritization, and SLA workflows around the assumption that the NVD sits as the authoritative secondary layer on top of CVE, this shift demands a structured review. Below, we answer the key questions every container security team should be asking.

What exactly changed in the NVD enrichment model?

NIST introduced a prioritized enrichment model that categorizes CVEs into three groups that will still receive full enrichment: (1) CVEs in CISA's Known Exploited Vulnerabilities catalog (targeted within one business day), (2) CVEs affecting software used within the federal government, and (3) CVEs affecting "critical software" as defined by Executive Order 14028. All other CVEs now move to a new "Not Scheduled" status. NIST has also stopped duplicating CVSS scores when the submitting CNA provides one, and all unenriched CVEs published before March 1, 2026 have been moved into "Not Scheduled." This means that the vast majority of new CVEs will lack the secondary analysis that container security tools often depend on for prioritization and compliance mapping.

Source: www.docker.com

Why did NIST decide to narrow its enrichment scope?

NIST cited a staggering 263% increase in CVE submissions between 2020 and 2025. The first quarter of 2026 alone ran roughly a third higher than the same period a year earlier. This explosion in volume is driven by more CVE Numbering Authorities (CNAs), more open source projects running their own disclosure processes, and more automated tooling surfacing vulnerabilities that would not have reached CVE a few years ago. The NVD team simply cannot keep up with full enrichment for every CVE, so they decided to focus limited resources on the vulnerabilities that pose the highest risk—those actively exploited, used in federal systems, or tied to critical software. For container security, this means the pipeline of enriched data will narrow significantly.

How does this affect container scanning and prioritization?

Container scanners commonly ingest NVD enrichment—especially CVSS scores and CPE mappings—to determine which vulnerabilities in container images are most critical and whether they match the software in your environment. Without full enrichment, many CVEs will arrive without these secondary data points. Your scanner might still identify the CVE, but it will lack the CVSS base score, CWE category, and precise CPE match needed to calculate risk scores, generate compliance reports, or trigger automated remediation SLAs. Teams that relied on NVD as the authoritative second opinion will now need to supplement with data from other sources, such as the submitting CNA's own scoring or third-party vulnerability intelligence feeds. Prioritization workflows built around CVSS thresholds may become unreliable for unenriched CVEs.

Which CVEs still get the full NVD treatment?

Three categories remain fully enriched. First, any CVE listed in CISA's Known Exploited Vulnerabilities (KEV) catalog will be enriched within one business day—these are vulnerabilities already being exploited in the wild. Second, CVEs affecting software used within the federal government (as determined by the CPE) get full enrichment. Third, CVEs tied to "critical software" as defined under Executive Order 14028 (which includes categories like identity management, operating systems, and security tools) are enriched as well. If your containerized applications use software that falls into these buckets, you'll still receive the enriched data you need. For everything else, you'll need to look elsewhere for enhanced vulnerability information, or request enrichment from NIST via email.

Can I request enrichment for a specific CVE, and what's the process?

Yes, NIST allows organizations to request enrichment by emailing nvd@nist.gov. However, there is no service-level timeline attached to these requests, so you cannot count on a quick turnaround. The request process is intended for cases where a vulnerability is critical to your specific environment but does not fall into the three priority categories. Given the volume of requests NIST likely receives, expect delays. For container security programs, relying on manual email requests will not scale. Instead, consider building relationships with CNAs directly, or subscribing to commercial vulnerability intelligence services that can supplement the NVD gaps. The best proactive strategy is to reduce your reliance on NVD enrichment as your single source of truth for vulnerability prioritization.

What should container security programs reassess first?

Teams should systematically review three areas: scanning pipelines, prioritization logic, and compliance mapping. First, assess whether your scanner falls back gracefully when no CVSS score or CPE is available—some tools may drop the CVE entirely or assign default low scores. Second, update your prioritization algorithm to incorporate data from other sources like EPSS (Exploit Prediction Scoring System) or vendor-reported severity. Third, check your compliance frameworks (e.g., FedRAMP, PCI DSS) that may require NVD enrichment artifacts; you may need to document alternative sources. Finally, review your SLA definitions: without full enrichment, automated time-to-fix triggers based on CVSS thresholds may fire incorrectly. Start by auditing all CVEs published after March 1, 2026 that your scanner is pulling now—those are likely all in "Not Scheduled" status.
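The fallback behaviour described in the first two review steps, as an added example that is not part of the original article or of any scanner's code: it triages CVE records shaped like NVD API 2.0 output (the record layout, the CNA source address, the KEV set and the EPSS values are all constructed for illustration), preferring NVD's own CVSS, then the CNA's CVSS, then EPSS, and routing anything still unscored to an explicit review bucket instead of dropping it or assigning a default-low score.

```python
"""Triage CVE records that may lack NVD enrichment ("Not Scheduled")."""
import json

# Constructed sample records modeled on the NVD API 2.0 layout; not real CVEs.
# In NVD output, NVD's own metric is type "Primary"; the CNA's is "Secondary".
SAMPLE_RECORDS = json.loads("""[
 {"id": "CVE-2026-00001", "vulnStatus": "Analyzed",
  "metrics": {"cvssMetricV31": [
    {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 9.8}}]},
  "configurations": [{"nodes": [{"cpeMatch": [
    {"criteria": "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"}]}]}]},
 {"id": "CVE-2026-00002", "vulnStatus": "Not Scheduled",
  "metrics": {"cvssMetricV31": [
    {"source": "cna@example.org", "type": "Secondary", "cvssData": {"baseScore": 7.5}}]}},
 {"id": "CVE-2026-00003", "vulnStatus": "Not Scheduled", "metrics": {}},
 {"id": "CVE-2026-00004", "vulnStatus": "Not Scheduled", "metrics": {}}
]""")
KEV_IDS = {"CVE-2026-00004"}        # constructed KEV membership
EPSS = {"CVE-2026-00003": 0.42}     # constructed EPSS probabilities

def cvss_score(record):
    """Return (baseScore, metric type), preferring NVD's Primary over the CNA's Secondary."""
    entries = record.get("metrics", {}).get("cvssMetricV31", [])
    for wanted in ("Primary", "Secondary"):
        for metric in entries:
            if metric.get("type") == wanted:
                return metric["cvssData"]["baseScore"], wanted
    return None, None

def triage(record, kev_ids, epss, epss_threshold=0.1):
    """Map one record to a priority bucket with the reason spelled out."""
    cve_id = record["id"]
    score, source = cvss_score(record)
    base = {"id": cve_id, "status": record.get("vulnStatus"),
            "cpe": bool(record.get("configurations"))}  # False => match by package, not CPE
    if cve_id in kev_ids:
        return {**base, "bucket": "P1", "reason": "in CISA KEV"}
    if score is not None:
        bucket = "P1" if score >= 9.0 else "P2" if score >= 7.0 else "P3"
        return {**base, "bucket": bucket, "reason": f"CVSS {score} ({source})"}
    prob = epss.get(cve_id)
    if prob is not None and prob >= epss_threshold:
        return {**base, "bucket": "P2", "reason": f"unscored, EPSS {prob}"}
    # Unenriched and no exploitation signal: human review, never a silent default-low.
    return {**base, "bucket": "REVIEW", "reason": "unscored; no EPSS signal"}

def triage_all(records, kev_ids=KEV_IDS, epss=EPSS):
    return {r["id"]: triage(r, kev_ids, epss) for r in records}

if __name__ == "__main__":
    for row in triage_all(SAMPLE_RECORDS).values():
        print(row)
```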
