NIST Updates NVD Operations to Manage High Volume of CVEs

16 April 2026 by TechStora

Introduction to NIST's NVD Update

The National Institute of Standards and Technology (NIST) has announced an update to its National Vulnerability Database (NVD) operations to better manage the high volume of new Common Vulnerabilities and Exposures (CVEs). This update involves the adoption of a risk-based model for adding details to CVE entries, a process it has historically referred to as enrichment. The new approach will enable NIST to focus on critical CVEs that have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog or affect federal agencies and critical software.

The update is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. This trend is expected to continue, with submissions during the first three months of 2026 being nearly one-third higher than the same period last year. The new changes will allow NIST to focus on high-priority CVEs and reduce the backlog of unenriched CVEs. While new CVEs will still be added to the NVD, they will be categorized as Not Scheduled for enrichment unless they meet the new criteria.

Impact on Vulnerability Management

The implementation of the new prioritization criteria will result in the backlog of unenriched CVEs published to the NVD before March 1, 2026, being moved to the Not Scheduled category. Additionally, the institute will not provide its own severity score for CVEs that have not been enriched. This change will enable organizations to focus on the most critical vulnerabilities and allocate resources more effectively. The new approach will also allow users to request the addition of details for unscheduled CVEs via email, providing more flexibility and control over vulnerability management.

Benefits of the New Approach

The new risk-based model will enable NIST to focus on the most critical CVEs and reduce the backlog of unenriched CVEs. This will allow organizations to prioritize their vulnerability management efforts more effectively and allocate resources more efficiently. The new approach will also provide more accurate and relevant information for vulnerability management, enabling organizations to make more informed decisions about security investments. By adopting a risk-based model, NIST is taking a proactive approach to vulnerability management, which will enhance the overall security posture of organizations.

Challenges and Opportunities

The new approach presents both challenges and opportunities for organizations. On one hand, the new prioritization criteria may require organizations to adjust their vulnerability management processes and allocate resources differently. On the other hand, the new approach provides an opportunity for organizations to focus on the most critical vulnerabilities and enhance their overall security posture. By adopting a risk-based model, organizations can improve their vulnerability management efforts and reduce the risk of security breaches. The new approach will also enable organizations to demonstrate compliance with regulatory requirements and industry standards, such as EO 14028.

Conclusion and Future Directions

The update to NIST's NVD operations is a significant step forward in vulnerability management. The new risk-based model will enable organizations to focus on the most critical vulnerabilities and enhance their overall security posture. As the volume of CVE submissions continues to grow, it is essential for organizations to adopt a proactive approach to vulnerability management. By staying informed about the latest developments in vulnerability management and adopting a risk-based model, organizations can reduce the risk of security breaches and protect their sensitive assets. The future of vulnerability management will be shaped by the continued adoption of risk-based models and the increasing importance of cybersecurity in today's digital landscape.