NIST changes NVD triage rules

- NIST changed National Vulnerability Database processing on April 15, shifting from enriching every published CVE to prioritizing KEV-listed, federal-use, and EO 14028 critical software flaws.
- The key number is scale: CVE submissions rose 263% from 2020 to 2025, while 2026’s first quarter ran nearly one-third above 2025.
- That turns NVD from a universal scoring layer into a selective one, pushing more triage weight onto vendor data and CISA’s KEV deadlines.

Vulnerability management runs on a quiet assumption — that once a CVE is published, NIST’s National Vulnerability Database will soon add the extra metadata defenders actually use. Severity scores. Weakness tags. Product matching. That assumption just changed. On April 15, 2026, NIST said the NVD will no longer immediately enrich every published CVE, and will instead focus first on a narrower set of vulnerabilities that it thinks carry the biggest systemic risk. (nist.gov)

### What did NIST actually change?

Before this shift, NVD tried to analyze all CVEs and add its own enrichment data. Now it is prioritizing three buckets: CVEs that land in CISA’s Known Exploited Vulnerabilities catalog, CVEs affecting software used within the federal government, and CVEs tied to “critical software” under Executive Order 14028. Everything else still g[…]diate enrichment. (nist.gov)

### Why did NIST do this now?

The short version is volume. NIST said CVE submissions jumped 263% between 2020 and 2025, and the first three months of 2026 were already nearly one-third higher than the same period a year earlier. NIST also said it enriched nearly 42,000 CVEs in 2025 — a record for the program — but that pace still was not enough to keep up. So this is less a feature launch than a triage rule for overload. (nist.gov)

### What does “not scheduled” mean in practice?

It does not mean the CVE disappears. The record still shows up in NVD after publication to the CVE List. But the NVD status can now sit in a deferred state instead of moving quickly into analysis. NVD’s own status page says “Not Scheduled” means the CVE is not currently scheduled for enrichment, either because it is outs[…] for enrichment of those low-priority CVEs by emailing the program. (nvd.nist.gov)

### Why does KEV matter more now?

Because KEV is now one of the clearest fast lanes in the whole system. NIST says CVEs in CISA’s Known Exploited Vulnerabilities catalog are a priority for enrichment within one business day of receipt. That makes sense — KEV is CISA’s list of vulnerabilities confirmed to be exploited in the wild, and federal agencies are required under Binding Operational Directive 22-01 to remediat[…] KEV, both the policy pressure and the NVD enrichment priority jump at once. (nvd.nist.gov, nist.gov)

### Does this mean NVD scores matter less?

Basically, yes — at least for a much larger share of newly published CVEs. NIST said it had been generating its own severity score for all submitted CVEs, even when the submitting CVE Numbering Authority had already provided one. The new model is a move away from that universal second pass. The catch is that many scanners, da[…] for almost everything. (nist.gov)

### So what fills the gap?

More of the load shifts upstream and sideways. The CVE Program still publishes the base record, often through MITRE or a CVE Numbering Authority. NVD still ingests those records quickly, but downstream teams may need to lean more heavily on vendor advisories, CNA-supplied scores, CISA KEV status, and their own environment-based prioritizatio[…]g toward more source-attributed data through CVE List Authorized Data Publisher support, which makes that broader ecosystem more important. (nist.gov, nvd.nist.gov)

### Who feels this first?

Federal defenders probably feel it most cleanly, because their urgent work is already tied to KEV and due dates. But enterprise security teams, vulnerability management vendors, and anyone who built automation around “new CVE means NVD score soon” will feel the workflow change too. A record appearing in NVD no longer guarantees quick NIST analysis. That is the real adjustment. (nvd.nist.gov)

### Bottom line?

NIST did not break the NVD. It narrowed the promise. The database is still the public hub for CVE records, but as of April 15 it is no longer pretending every vulnerability will get the same immediate treatment. For defenders, that means triage gets more risk-based, more source-mixed, and a little less automatic. (nist.gov)
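As an added example (not code from NIST, NVD or this article), here is a small Python triage routine for the workflow change the “So what fills the gap?” and “Who feels this first?” sections describe: it prefers the NVD score when one exists, falls back to a CNA-supplied score, puts KEV membership in the top lane, and keeps deferred records that nobody has scored visible instead of letting them sink. The record shape, the KEV slice, the due date and the CNA address are constructed stand-ins, not real NVD API output.

```python
# Constructed KEV slice: CVE id -> BOD 22-01 remediation due date.
KEV_DUE_DATES = {"CVE-2026-00001": "2026-05-06"}

# Constructed records in a simplified NVD-API-like shape. vulnStatus "Not
# Scheduled" is the deferred state described above; "Primary" metrics are
# NVD's own score, "Secondary" metrics are CNA-supplied scores.
CNA = "cna@vendor.example"  # constructed CNA identifier
RECORDS = [
    {"id": "CVE-2026-00001", "vulnStatus": "Not Scheduled",
     "metrics": [{"type": "Secondary", "source": CNA, "baseScore": 7.5}]},
    {"id": "CVE-2026-00002", "vulnStatus": "Analyzed",
     "metrics": [{"type": "Primary", "source": "nvd@nist.gov", "baseScore": 9.8},
                 {"type": "Secondary", "source": CNA, "baseScore": 8.1}]},
    {"id": "CVE-2026-00003", "vulnStatus": "Not Scheduled", "metrics": []},
    {"id": "CVE-2026-00004", "vulnStatus": "Awaiting Analysis",
     "metrics": [{"type": "Secondary", "source": CNA, "baseScore": 4.3}]},
]

def best_score(record):
    """Prefer NVD's Primary score, else the highest CNA score; returns (score, source)."""
    primary = [m["baseScore"] for m in record["metrics"] if m["type"] == "Primary"]
    if primary:
        return primary[0], "nvd"
    secondary = [m["baseScore"] for m in record["metrics"] if m["type"] == "Secondary"]
    if secondary:
        return max(secondary), "cna"
    return None, "none"

def triage(record, kev=KEV_DUE_DATES, exposed=()):
    """Bucket one record; 'exposed' lists CVE ids that hit internet-facing assets."""
    score, source = best_score(record)
    due = kev.get(record["id"])
    if due is not None:
        bucket = "kev"          # exploited in the wild: the due date drives the work
    elif score is None:
        bucket = "unscored"     # deferred in NVD and no CNA score: needs a human look
    elif score >= 9.0 or (score >= 7.0 and record["id"] in exposed):
        bucket = "critical"
    elif score >= 7.0:
        bucket = "high"
    else:
        bucket = "normal"
    return {"cve": record["id"], "status": record["vulnStatus"], "score": score,
            "source": source, "kev_due": due, "bucket": bucket}

def triage_all(records, kev=KEV_DUE_DATES, exposed=()):
    """Order by bucket so unscored, deferred records never silently sink."""
    order = {"kev": 0, "critical": 1, "high": 2, "unscored": 3, "normal": 4}
    return sorted((triage(r, kev, exposed) for r in records), key=lambda t: order[t["bucket"]])
```

The point of the "unscored" bucket is that a "Not Scheduled" record with no CNA score is a known unknown, so it is ranked above routine work rather than treated as low severity by default.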
