NIST limits NVD enrichment to KEV

- NIST said it is changing how the National Vulnerability Database works, prioritizing enrichment for KEV-listed flaws, software used by the federal government, and EO 14028 critical software.
- The trigger was volume: CVE submissions rose 263% from 2020 to 2025, NIST enriched nearly 42,000 CVEs in 2025, and Q1 2026 submissions were up about a third year over year.
- That shifts more triage pressure onto KEV and upstream CVE data, away from the old expectation that NVD would fully enrich everything.

The National Vulnerability Database is the big public layer that turns a bare CVE ID into something defenders can actually sort, score, and automate against. That layer has been straining for a while. Now NIST has made the tradeoff explicit: starting April 15, 2026, it will focus enrichment on the vulnerabilities most likely to matter systemically, instead of trying to keep up with everything.

### What changed, exactly?

NIST said CVEs will still be added to the NVD, but only three categories now get priority enrichment: vulnerabilities in CISA's Known Exploited Vulnerabilities catalog, vulnerabilities affecting software used in the federal government, and vulnerabilities in "critical software" under Executive Order 14028. Everything else can land in a lowest-priority bucket that is not scheduled for immediate enrichment. (nist.gov)

### What does "enrichment" mean here?

A CVE record starts upstream in the CVE Program. NVD enrichment is the extra work NIST adds on top: severity scoring, weakness mapping, affected-product data, references, and other structured fields that make scanners, dashboards, and compliance tools more useful. NIST's own process page says this work includes adding metadata from public sources, not just mirroring the base CVE entry. (nist.gov)

### Why is NIST doing this now?

Because the math broke. NIST says CVE submissions jumped 263% between 2020 and 2025. It also says first-quarter 2026 submissions were nearly one-third higher than the same period a year earlier. NIST did increase output, enriching nearly 42,000 CVEs in 2025, 45% more than any prior year, but that still was not enough to keep up. (nvd.nist.gov)

### Why KEV gets first dibs

KEV is CISA's list of vulnerabilities that have been exploited in the wild. That matters because "known exploited" is a much tighter risk signal than "theoretically severe." CISA already tells organizations to use KEV as a prioritization input, and federal civilian agencies are required to remediate KEV-listed flaws on set timelines under Binding Operational Directive 22-01. NIST says KEV items were already being prioritized, and now that logic is becoming the center of the queue. (nist.gov)

### Does this mean non-KEV bugs stop mattering?

No, but they may get less help from NVD, at least quickly. NIST is direct that some non-priority CVEs can still have major impact. The point is not that those flaws are harmless. The point is that NIST is choosing systemic risk and active exploitation over completeness. If you relied on NVD to promptly add rich metadata for every new CVE, that assumption is weaker now. (cisa.gov)

### So who has to pick up the slack?

Vendors, CNAs, CISA, and commercial security platforms. NVD has already been moving toward more upstream and partner-supplied metadata through efforts like CVMAP, and CISA has its own Vulnrichment project to add context to CVE data. The direction is clear: more vulnerability context will have to come from a broader ecosystem, not just one federal enrichment pipeline. (nist.gov)

### What does this change for defenders?

If you run patching or exposure management, KEV just became even more central as a first-pass filter. The catch is that KEV is intentionally selective: it tells you what is already being exploited, not every flaw that could become tomorrow's fire. So teams will need to lean harder on vendor advisories, asset context, internet exposure, exploit telemetry, and their own prioritization logic for everything outside that narrow lane. (nvd.nist.gov)

### Bottom line

NIST did not shut down the NVD. It narrowed the mission. That is a practical response to a flood of CVEs, but it also marks the end of the old idea that NVD can be the fast, rich metadata source for the entire vulnerability universe. (nist.gov) (cisa.gov)
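The "enrichment" and "what this changes for defenders" sections above describe the fallback order a triage pipeline now needs: KEV membership first, NVD-assigned CVSS where NIST actually enriched the record, the CNA's own metrics from the upstream CVE record where it did not, and a flag for anything left unscored. The following is an added example written for this page, not NIST or CISA code. It assumes three real data shapes (CISA's KEV JSON feed with `cveID`/`dueDate`, NVD CVE API 2.0 records with their `vulnStatus` and `cvssMetricV31` fields, and CVE Record Format 5.x `containers.cna.metrics`), but all records and CVE IDs in it are constructed placeholders, not real vulnerabilities; `triage()` and `run_demo()` are names chosen here.

```python
# Added example (not NIST/CISA code): order findings as KEV first, then NVD
# enrichment, then CNA-supplied scores, then "needs local review".
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. cveID, dueDate and
# knownRansomwareCampaignUse are real KEV field names; the CVE IDs are placeholders.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-1001", "dueDate": "2026-05-01",
         "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed sample shaped like NVD CVE API 2.0 records. vulnStatus is NVD's own
# field: "Analyzed"/"Modified" means NIST enriched it, "Awaiting Analysis" means
# the record is still just the upstream CVE with no NVD-assigned metrics.
NVD_RECORDS = {
    "CVE-2099-1001": {"cve": {"id": "CVE-2099-1001", "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                       "cvssData": {"baseScore": 9.8}}]}}},
    "CVE-2099-1002": {"cve": {"id": "CVE-2099-1002", "vulnStatus": "Awaiting Analysis"}},
    "CVE-2099-1003": {"cve": {"id": "CVE-2099-1003", "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                       "cvssData": {"baseScore": 5.3}}]}}},
    "CVE-2099-1004": {"cve": {"id": "CVE-2099-1004", "vulnStatus": "Awaiting Analysis"}},
}

# Constructed sample shaped like CVE Record Format 5.x: what the CNA itself
# published upstream, which is all you have when NVD has not enriched the CVE.
CVE5_RECORDS = {
    "CVE-2099-1002": {"containers": {"cna": {"metrics": [
        {"cvssV3_1": {"baseScore": 8.1,
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}]}}},
}

AS_OF = date(2026, 4, 20)  # constructed "today" for the BOD 22-01 due-date check


def kev_index(feed):
    """Map cveID -> KEV entry so membership is a dictionary lookup."""
    return {v["cveID"]: v for v in feed.get("vulnerabilities", [])}


def nvd_enriched(record):
    """True only when NVD analysts have scored the record (not merely mirrored it)."""
    return bool(record) and record["cve"].get("vulnStatus") in ("Analyzed", "Modified")


def nvd_primary_score(record):
    """NVD-assigned CVSS v3.1 base score, or None when the record is unenriched."""
    if not nvd_enriched(record):
        return None
    for m in record["cve"].get("metrics", {}).get("cvssMetricV31", []):
        if m.get("type") == "Primary":
            return m["cvssData"]["baseScore"]
    return None


def cna_score(record):
    """CVSS v3.1 base score from the CNA container of a CVE 5.x record, if any."""
    if not record:
        return None
    for m in record.get("containers", {}).get("cna", {}).get("metrics", []):
        if "cvssV3_1" in m:
            return m["cvssV3_1"]["baseScore"]
    return None


def triage(cve_ids, kev_feed, nvd, cve5, today):
    """Order findings for remediation.

    Tier 0: in KEV (known exploited), soonest BOD 22-01 due date first.
    Tier 1: not in KEV but scored, by NVD if enriched, otherwise by the CNA.
    Tier 2: no usable score anywhere; needs local review (asset context, exposure).
    """
    kev = kev_index(kev_feed)
    rows = []
    for cid in cve_ids:
        score, source = nvd_primary_score(nvd.get(cid)), "nvd"
        if score is None:
            score, source = cna_score(cve5.get(cid)), "cna"
        if score is None:
            source = None
        in_kev = cid in kev
        due = date.fromisoformat(kev[cid]["dueDate"]) if in_kev else None
        tier = 0 if in_kev else (1 if score is not None else 2)
        rows.append({
            "cve": cid, "tier": tier, "in_kev": in_kev, "kev_due": due,
            "overdue": bool(due and due < today),
            "score": score, "score_source": source,
            "nvd_enriched": nvd_enriched(nvd.get(cid)),
            "needs_local_review": tier == 2,
        })
    rows.sort(key=lambda r: (r["tier"], r["kev_due"] or date.max, -(r["score"] or 0.0)))
    return rows


def run_demo():
    """Triage the constructed findings, deliberately fed in the wrong order."""
    ids = ["CVE-2099-1004", "CVE-2099-1003", "CVE-2099-1002", "CVE-2099-1001"]
    return triage(ids, KEV_FEED, NVD_RECORDS, CVE5_RECORDS, AS_OF)


if __name__ == "__main__":
    for r in run_demo():
        print(r["tier"], r["cve"], r["score"], r["score_source"],
              "KEV due %s" % r["kev_due"] if r["in_kev"] else "",
              "NEEDS LOCAL REVIEW" if r["needs_local_review"] else "")
```

The point of the `score_source` field is auditability: once NVD stops enriching most CVEs, a dashboard that shows a single "CVSS" column hides whether the number came from NIST or from the vendor's CNA, and the two are not always calibrated the same way. Tier 2 is where the asset context, internet exposure and exploit telemetry the article mentions have to come in, because neither NVD nor the CNA gave you anything to sort on.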

Shared from Scout.