NIST Revamps NVD
NIST is overhauling the National Vulnerability Database to cope with a surge in CVEs and to enrich entries that map to CISA’s Known Exploited Vulnerabilities list. The change signals a shift toward prioritizing vulnerabilities by exploitability rather than raw counts. (executivegov.com)
The National Institute of Standards and Technology changed how it runs the National Vulnerability Database on April 15, 2026, shifting from trying to enrich every software flaw to prioritizing the ones most likely to cause immediate harm. (nist.gov)

A CVE is a catalog identifier for a specific software or hardware flaw. The National Vulnerability Database adds details such as severity scores and affected-product lists to each entry so that security teams can sort and fix problems faster. NIST said that, until now, its program aimed to analyze every CVE that entered the database. (nvd.nist.gov; nist.gov)

NIST said CVE submissions rose 263% between 2020 and 2025, and the first three months of 2026 came in nearly one-third higher than the same period a year earlier. The agency said it enriched nearly 42,000 CVEs in 2025, 45% more than in any previous year, but still could not keep up. (nist.gov)

Under the new rules, NIST will prioritize CVEs that appear in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, CVEs tied to software used by the federal government, and CVEs affecting "critical software" as defined under Executive Order 14028. NIST said its goal is to enrich KEV-listed flaws within one business day of receipt. (nist.gov)

The Known Exploited Vulnerabilities catalog is CISA's list of flaws that have already been used in real-world attacks, and CISA says organizations should use it to prioritize patching. As of April 18, the catalog page showed 1,569 entries. (cisa.gov)

NIST said CVEs that do not meet its new criteria will still appear in the National Vulnerability Database, but they will be marked "Lowest Priority - not scheduled for immediate enrichment." Users can ask NIST to enrich one of those entries by emailing the program. (nist.gov)

The agency also drew a line through part of its backlog. NIST said all backlogged CVEs with an NVD publish date earlier than March 1, 2026, will move into the "Not Scheduled" category unless they meet the new priority rules. (nist.gov)

The database itself remains a core federal system for machine-readable vulnerability data. NIST describes the NVD as the U.S. government repository of standards-based vulnerability management data used in automation, security measurement, and compliance. (nvd.nist.gov)

NIST has already been changing how the database ingests and publishes data. In November 2024, it said NVD systems would begin taking in supported data types from CVE List Authorized Data Publishers, including references, weakness categories, and severity scores from additional sources. (nist.gov)

That leaves the National Vulnerability Database doing less hand enrichment and more triage. NIST said the new model is meant to stabilize the program while it builds automated systems and workflow changes for long-term sustainability. (nist.gov)