NIST narrows CVE triage approach

NIST said it will focus National Vulnerability Database analysis on critical software, systems used by the federal government, and actively exploited vulnerabilities to keep up with record CVE volumes. Coverage frames this as a shift toward risk‑based triage rather than trying to analyze every CVE. The move supports defender approaches that prioritise exposures by mission relevance and identity adjacency instead of raw CVE count (cyberscoop.com).

The National Institute of Standards and Technology stopped trying to fully analyze every new software flaw and, on April 15, switched the National Vulnerability Database to priority triage. (nist.gov) A Common Vulnerabilities and Exposures entry is a tracking number for a software flaw; the National Vulnerability Database adds context such as severity scores and affected product lists. NIST said entries outside its new priority buckets will still appear in the database, but many will no longer get automatic “enrichment.” (nist.gov)

NIST said it will now prioritize three groups: flaws in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, flaws in software used by the federal government, and flaws in “critical software” defined under Executive Order 14028. The agency said its goal is to enrich Known Exploited Vulnerabilities entries within one business day of receipt. (nist.gov)

The agency tied the change to volume. NIST said Common Vulnerabilities and Exposures submissions rose 263% from 2020 to 2025, submissions in the first three months of 2026 were nearly one-third higher than a year earlier, and it enriched nearly 42,000 entries in 2025, 45% more than any prior year. (nist.gov) The National Vulnerability Database now lists 343,979 records in its public search interface, a sign of how large the catalog has become. (nvd.nist.gov) The Cybersecurity and Infrastructure Security Agency says its Known Exploited Vulnerabilities catalog is the federal government’s authoritative list of flaws exploited in the wild and tells organizations to use it as a prioritization input. (cisa.gov)

The move follows a long stretch of strain inside the program. CyberScoop reported that a funding lapse in early 2024 forced NIST to pause key metadata work, and Cybersecurity Dive reported in January 2026 that NIST was already reviewing whether its enrichment role was scalable. (cyberscoop.com) (cybersecuritydive.com) Jon Boyens, acting chief of NIST’s Computer Security Division, told an advisory board in January that the work was “very labor-intensive” and “not scalable” as vulnerability counts climbed. He said NIST had been using informal prioritization and wanted to formalize it. (cybersecuritydive.com)

NIST said records that do not meet the new criteria will be marked “Not Scheduled,” and outside users can ask for enrichment by emailing the agency. The agency also said it is streamlining severity scoring instead of always issuing its own score when the submitting authority already provided one. (nist.gov) The practical effect is narrower federal analysis, not fewer flaw IDs. The Common Vulnerabilities and Exposures numbers will keep coming; NIST is deciding which ones get the extra context first. (nist.gov)
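The same three-bucket triage can be mirrored in a defender's own backlog. The following is an added example, not code from NIST or from the NVD: the KEV, federal-software and critical-software lists are constructed stand-ins with placeholder CVE IDs, the ranking of federal-use above critical-software is an assumption (NIST lists the groups but does not rank the last two), and `cna_cvss` stands for the submitting authority's score that NIST now reuses instead of issuing its own.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample inputs (placeholders, not real catalogue contents or real CVE IDs).
KEV_CATALOG = {"CVE-0000-1001", "CVE-0000-1003"}          # stand-in for CISA's KEV list
FEDERAL_SOFTWARE = {"acme-vpn", "widget-mailer"}           # stand-in for "used by the federal government"
CRITICAL_SOFTWARE = {"acme-vpn", "corp-hypervisor"}        # stand-in for EO 14028 "critical software"

# Bucket order is an assumption: KEV first (it has the stated one-business-day target),
# then federal use, then critical software; anything else becomes "Not Scheduled".
BUCKET_RANK = {"KEV": 0, "federal-use": 1, "critical-software": 2, "none": 3}

@dataclass
class CveRecord:
    cve_id: str
    product: str
    cna_cvss: Optional[float] = None  # severity score supplied by the submitting authority, if any

def triage(rec: CveRecord) -> tuple:
    """Classify one record as (bucket, enrichment status, target turnaround)."""
    if rec.cve_id in KEV_CATALOG:
        return ("KEV", "scheduled", "1 business day")
    if rec.product in FEDERAL_SOFTWARE:
        return ("federal-use", "scheduled", "queued")
    if rec.product in CRITICAL_SOFTWARE:
        return ("critical-software", "scheduled", "queued")
    return ("none", "Not Scheduled", "on request only")

def effective_score(rec: CveRecord) -> Optional[float]:
    """Streamlined scoring: reuse the submitter's score rather than producing a second one.
    Returns None when no score exists so the caller sees the gap instead of a default."""
    return rec.cna_cvss

def prioritize(records: list) -> list:
    """Order by bucket first, then by score (unscored last within a bucket).
    A high CVSS never outranks a higher bucket, which is the point of risk-based triage."""
    def key(rec):
        score = effective_score(rec)
        return (BUCKET_RANK[triage(rec)[0]], -(score if score is not None else -1.0))
    return [(r.cve_id, triage(r)[0], triage(r)[1]) for r in sorted(records, key=key)]

SAMPLE_RECORDS = [
    CveRecord("CVE-0000-1001", "legacy-cms", 5.0),       # in KEV despite a modest score
    CveRecord("CVE-0000-1002", "acme-vpn", 9.8),         # federal use (also critical software)
    CveRecord("CVE-0000-1003", "widget-mailer", None),   # in KEV, no submitter score yet
    CveRecord("CVE-0000-1004", "corp-hypervisor", 7.5),  # critical software only
    CveRecord("CVE-0000-1005", "hobby-tool", 9.9),       # highest score, but in none of the buckets
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RECORDS):
        print(row)
```

The sample deliberately puts the highest CVSS score last: it matches none of the three buckets, so it lands in "Not Scheduled" behind a KEV entry scored 5.0.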
