
Breaking: NIST Halts Full NVD Enrichment for Majority of CVEs—Security Teams Must Adapt Now

2026-05-19 06:39:24

NIST Officially Ends Full-Enrichment Era for National Vulnerability Database

On April 15, the National Institute of Standards and Technology (NIST) announced a sweeping change to how it enriches Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD). Most CVEs will still be published, but the agency will no longer assign CVSS scores, CPE mappings, or CWE classifications for the vast majority of entries.

Source: www.docker.com

This marks a formal pivot from the full-coverage model that container security and compliance programs have relied on for years. “NIST has effectively admitted it cannot keep up with the explosion of vulnerability disclosures,” said Dr. Elena Torres, a cybersecurity researcher at MIT’s Cyber Policy Center. “Organizations that built their patching workflows around NVD enrichment need to reassess immediately.”

What Changed

Under the new “prioritized enrichment” model, only three categories of CVEs will receive full enrichment:

All other CVEs are moved to a “Not Scheduled” status. Organizations can request enrichment by emailing nvd@nist.gov, but no service-level timeline applies. Additionally, NIST has ceased duplicating CVSS scores when the submitting CNA provides one, and all unenriched CVEs published before March 1, 2026 have been retroactively placed in “Not Scheduled.”

Background: Why NIST Made This Move

NIST cited a staggering 263% increase in CVE submissions between 2020 and 2025. The first quarter of 2026 alone ran roughly a third higher than the same period a year earlier. The surge stems from more CNAs, more open-source projects running their own disclosure processes, and automated tooling surfacing vulnerabilities that would not have reached CVE status a few years ago.

“The NVD team simply cannot manually enrich every CVE at this scale,” a NIST spokesperson told reporters. “This new model is designed to focus resources where they have the most impact—on vulnerabilities that are actively exploited or affect government systems.”

What This Means for Container Security Programs

Container scanners, vulnerability prioritization tools, and compliance frameworks have historically treated NVD enrichment as the authoritative secondary layer on top of CVEs. Without CVSS scores, CPE mappings, and CWE classifications, automated workflows will break. “Security teams can no longer rely on a single feed from NVD to decide which containers to patch first,” warned Alex Chen, CTO of container-security firm AquaSec. “They must now ingest multiple threat intelligence sources and build their own enrichment pipelines.”


Compliance programs that require CPE mappings for software inventory will also face challenges. Many organizations use CPE identifiers to link CVEs to specific software versions and then generate compliance reports. With those mappings missing for most CVEs, manual workarounds—or alternative mapping services—will become necessary.

The shift also accelerates the need for “Software Bill of Materials” (SBOM) adoption. “An SBOM gives you the component list, but you still need vulnerability intelligence layered on top,” Dr. Torres added. “This NVD narrowing makes that layer harder to assemble, but it also forces the industry to innovate.”

Next Steps for Security Teams

  1. Audit your current NVD-dependent workflows. Identify all tools and processes that rely on NVD CVSS scores, CPE mappings, or CWE classifications.
  2. Integrate alternative vulnerability intelligence feeds. Consider using commercial feeds (e.g., VulnDB, Kenna, or GreyNoise) or open alternatives like the Open Source Vulnerability (OSV) database.
  3. Reassess prioritization frameworks. Without NVD-assigned scores, adopt risk-based prioritization using exploitability metrics (EPSS, CISA KEV) and asset criticality.
  4. Prepare for compliance gaps. Engage compliance teams to document how NVD changes affect audits and SLAs.
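Steps 2 and 3 describe a prioritization pipeline that no longer waits on NVD enrichment. The following Python sketch is an added example, not code from the article or from any vendor it names: it falls back to the CNA-supplied CVSS score where one exists, blends it with EPSS and an asset-criticality tag, lets CISA KEV membership override everything, and lists the "Not Scheduled" CVEs that nobody has scored as candidates for an enrichment request. The weights, tier thresholds, the "Enriched" status label and the 1..3 criticality scale are assumptions; the CVE IDs and feed values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    cve: str                    # constructed placeholder IDs below, not real CVEs
    nvd_status: str             # "Not Scheduled" (NIST's term) or "Enriched" (assumed label)
    cna_cvss: Optional[float]   # base score supplied by the CNA, None if absent
    epss: float                 # EPSS exploitation probability, 0..1
    in_kev: bool                # listed in the CISA KEV catalog
    asset_criticality: int      # our own tag: 1 = low, 3 = crown jewel

def risk_score(f: Finding) -> float:
    """Blend CNA severity (or a neutral 0.5 when nobody scored it), EPSS
    exposure and asset criticality into a 0..1 value. Weights are assumed."""
    severity = f.cna_cvss / 10.0 if f.cna_cvss is not None else 0.5
    return round((0.4 * severity + 0.6 * f.epss) * (f.asset_criticality / 3), 3)

def tier(f: Finding) -> str:
    """KEV membership always wins; otherwise bucket by blended risk."""
    if f.in_kev:
        return "P1"
    r = risk_score(f)
    return "P2" if r >= 0.5 else "P3" if r >= 0.2 else "P4"

def triage(findings):
    """Order findings for the patch queue: P1 first, then highest risk."""
    rows = [{"cve": f.cve, "tier": tier(f), "risk": risk_score(f),
             "cvss_source": "CNA" if f.cna_cvss is not None else "none"}
            for f in findings]
    return sorted(rows, key=lambda r: (r["tier"], -r["risk"]))

def enrichment_requests(findings):
    """CVEs with no score from anyone: candidates for an nvd@nist.gov request."""
    return [f.cve for f in findings
            if f.nvd_status == "Not Scheduled" and f.cna_cvss is None]

# Constructed sample scanner output; IDs are placeholders.
SAMPLE = [
    Finding("CVE-2026-0001", "Not Scheduled", None, 0.02, False, 2),
    Finding("CVE-2026-0002", "Not Scheduled", 9.8, 0.91, True, 3),
    Finding("CVE-2026-0003", "Enriched", 7.5, 0.40, False, 3),
    Finding("CVE-2026-0004", "Not Scheduled", 5.3, 0.30, False, 1),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print("request enrichment for:", enrichment_requests(SAMPLE))
```

Note that an unscored CVE is deliberately kept at a neutral severity rather than dropped, so it stays visible in the queue until the CNA or an enrichment request supplies a score.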

“This is not a temporary hiccup; NIST has made clear it will not return to full enrichment,” Mr. Chen emphasized. “Security leaders must treat this as a permanent structural change and rebuild accordingly.”
