Understanding NIST's New Prioritization Framework for CVEs
The National Institute of Standards and Technology (NIST) has introduced updates to its management of Common Vulnerabilities and Exposures (CVEs) within the National Vulnerability Database (NVD). These changes respond to a significant 263% rise in CVE submissions from 2020 to 2025. NIST aims to better allocate resources by focusing on vulnerabilities with the greatest potential for widespread impact. Only CVEs meeting specific criteria will now receive automatic enrichment.
Key prioritization factors include CVEs listed in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog and those affecting critical software as defined by Executive Order 14028. Critical software refers to systems with elevated or privileged access, control over sensitive data, or operational technology. This approach enables NIST to address vulnerabilities that pose systemic risks while maintaining a record of lower-impact submissions.
The Implications of Marking CVEs as Not Scheduled
Submissions failing to meet NIST's criteria will be labeled "Not Scheduled", indicating they will not receive automatic enrichment. Despite this designation, these vulnerabilities remain accessible in the NVD for reference. This distinction allows NIST to prioritize its efforts without excluding potentially impactful data from public access.
For high-impact CVEs that are initially marked "Not Scheduled", NIST has implemented a mechanism for users to request enrichment. Affected users can send an email to NIST for reconsideration. This ensures that critical vulnerabilities are not overlooked, even if they do not initially meet the outlined thresholds.
Adjustments to Severity Scoring and Operational Processes
Another notable shift in NIST's operations is the decision to discontinue providing a separate severity score for a CVE when the CVE Numbering Authority (CNA) has already assigned one. This minimizes redundancy and streamlines the enrichment workflow, allowing NIST to focus on other critical tasks.
Additionally, NIST plans to reanalyze any modified CVEs to ensure the assigned scores and details remain accurate. This iterative approach underscores the importance of maintaining up-to-date records in a rapidly evolving cybersecurity landscape.
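The prioritization rules described above (KEV listing or EO 14028 critical software triggers enrichment, everything else is "Not Scheduled", CNA scores take precedence, modified records are re-analyzed), worked through as a small local triage helper. This is an added example, not NIST's code or NVD's schema; the record fields, status names and the `reconsideration_candidates` helper are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, simplified CVE record for illustration; the field names are
# assumptions and do not follow the NVD JSON schema.
@dataclass
class CveRecord:
    cve_id: str
    in_cisa_kev: bool                   # listed in CISA's KEV catalog
    critical_software: bool             # affects EO 14028 "critical software"
    cna_base_score: Optional[float]     # CVSS base score the CNA already supplied
    modified_since_analysis: bool = False

@dataclass
class TriageDecision:
    cve_id: str
    status: str          # "enrich", "reanalyze" or "not_scheduled"
    score_source: str    # "cna", "nist" or "none"
    reasons: List[str] = field(default_factory=list)
def triage(rec: CveRecord) -> TriageDecision:
    """Apply the prioritization rules described above to one record."""
    reasons = []
    if rec.in_cisa_kev:
        reasons.append("listed in CISA KEV")
    if rec.critical_software:
        reasons.append("affects EO 14028 critical software")
    if not reasons:
        # Meets neither criterion: stays in the NVD but is not queued for
        # enrichment; a CNA-supplied score remains the only score available.
        source = "cna" if rec.cna_base_score is not None else "none"
        return TriageDecision(rec.cve_id, "not_scheduled", source, ["meets no criterion"])
    # Qualifying CVEs are enriched; a modified record is re-analyzed instead.
    status = "reanalyze" if rec.modified_since_analysis else "enrich"
    # No separate NIST score when the CNA has already assigned one.
    source = "cna" if rec.cna_base_score is not None else "nist"
    return TriageDecision(rec.cve_id, status, source, reasons)

def reconsideration_candidates(records, locally_high_impact):
    """Not-scheduled CVEs that a defender rates high-impact (a set of IDs):
    the ones worth an enrichment request to NIST."""
    return [r.cve_id for r in records
            if r.cve_id in locally_high_impact and triage(r).status == "not_scheduled"]
# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE = [
    CveRecord("CVE-0000-0001", True, False, 9.8),
    CveRecord("CVE-0000-0002", False, True, None, modified_since_analysis=True),
    CveRecord("CVE-0000-0003", False, False, 7.5),
    CveRecord("CVE-0000-0004", False, False, None),
]
```

Running `triage` over a local CVE inventory shows which entries will never receive NIST data under the new policy, so a team can fall back to the CNA score where one exists and file a reconsideration request only for the remainder it considers high-impact.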
Quantifying the Surge in CVE Submissions
The volume of CVE submissions has reached unprecedented levels, with the first quarter of 2026 seeing nearly one-third more submissions than the same period in the previous year. In 2025 alone, NIST enriched approximately 42,000 CVEs, representing a 45% increase compared to prior years. This surge underscores the growing complexity and frequency of cybersecurity threats in modern digital ecosystems.
Despite these challenges, NIST continues to refine its processes to manage this influx efficiently. By focusing on vulnerabilities with systemic impact, the organization seeks to deliver timely and relevant information to stakeholders.
Strategic Focus on Systemic Risk
NIST's updated approach prioritizes systemic risk over localized vulnerabilities. By concentrating on CVEs that affect critical infrastructure or have a broad impact, the organization aligns its efforts with national cybersecurity objectives. This strategy is particularly important as the digital landscape becomes increasingly interconnected, amplifying the potential consequences of high-impact vulnerabilities.
Through these measures, NIST aims to balance the need for comprehensive vulnerability tracking with the practicalities of resource allocation. This shift reflects a nuanced understanding of the challenges posed by a rapidly growing threat environment and highlights the importance of strategic decision-making in cybersecurity management.