NIST Limits NVD Enrichment to High-Priority CVEs

The Breaking Point

The National Institute of Standards and Technology (NIST) has officially conceded what the security industry suspected for two years: the National Vulnerability Database’s universal enrichment model is dead.

Speaking at VulnCon26 in Scottsdale, Arizona on April 15, NIST computer scientist Harold Booth made it explicit. “CVE reporting keeps increasing — and trust me, at the NVD, we see them all — and our ability to keep up is just not there, so our backlog keeps increasing too.”

The admission wasn’t a pivot. It was a capitulation.

What Changed — And What Didn’t

CVE submissions increased 263% between 2020 and 2025. NIST’s response was to enrich more — nearly 42,000 CVEs in 2025, 45% more than any prior year. But velocity wasn’t the problem. Volume was. And volume won.

Effective immediately, NIST is shifting to a risk-based triage model. The new enrichment prioritization criteria are:

  • CISA KEV entries — targeted for enrichment within one business day of receipt
  • Federal government software — applications in active use across US agencies
  • Critical software under EO 14028 — as defined by the 2021 executive order on improving national cybersecurity

All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as “Not Scheduled.”

The historic backlog gets no reprieve. All backlogged CVEs with an NVD publish date earlier than March 1, 2026 will be moved into the “Not Scheduled” category. CVEs already in the KEV catalog are explicitly excluded from that sweep.

While NIST’s previous policy was to re-analyze all modified CVEs, it will now do so only when a modification materially impacts enrichment data. Users can request reanalysis of specific CVEs by emailing NIST directly.

Why This Matters Beyond the Headlines

CVSS scores. CPE mappings. CWE classifications. Patch status. These are not cosmetic fields. They are the data signals that drive vulnerability scanners, SCA tools, SIEM correlation rules, and risk dashboards across every enterprise security program on the planet. When a CVE sits in NVD without enrichment, it is — for practical purposes — invisible to automated tooling.

Without this enrichment, CVEs will be less up-to-date and less reliable. For organizations that built vulnerability management workflows assuming NVD as a complete, authoritative source of truth, this is not a policy update. It is a foundational assumption failure.

The downstream impact is measurable. CVEs that don’t fit NIST’s narrower criteria will still be listed in the NVD, but they won’t be automatically enriched with additional details. For security teams dependent on CVSS-driven prioritization for SLA compliance and regulatory reporting, “listed but not enriched” is operationally equivalent to “not there.”

The Geopolitical Dimension

This isn’t just an operational story. It reflects a structural fragility in global vulnerability intelligence infrastructure — a single US federal agency bearing the weight of the entire world’s CVE enrichment pipeline with no credible backup.

The EU has already been building its own alternative, the European Vulnerability Database (EUVD), which has been live since May 2025. By September 2026, reporting actively exploited vulnerabilities will become mandatory for manufacturers under the Cyber Resilience Act. The EU saw the risk of depending on a single US-run database and began decoupling accordingly.

That foresight now looks prescient.

The Intelligence Gap — And Who Fills It

With NIST’s triage model leaving the majority of CVEs unenriched, the gap will be filled — but not by a single authoritative source. The industry will fracture across:

  • CISA KEV — the new de facto enrichment floor for operationally critical CVEs
  • Commercial threat intelligence platforms — VulnCheck, Tenable, Rapid7, and others who have been supplementing NVD data for years
  • EUVD — nascent but institutionally motivated to build independence
  • OSS alternatives — tools that operate without CPE dependency or NVD enrichment at all
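To make the “listed but not enriched” failure mode concrete (and the KEV-as-floor idea in the list above), here is an added Python illustration that is not code from the article, NIST or CISA: it contrasts a naive CVSS-threshold filter, which silently drops CVEs with no score, with a triage that surfaces unenriched records and treats KEV membership as the first-order signal. The record shapes (`vulnStatus`, `cvssMetricV31`, `cveID`) are assumptions modelled on the public NVD API 2.0 and KEV JSON feeds, and the sample records and CVE IDs are constructed placeholders.

```python
# Constructed sample records shaped loosely after the NVD API 2.0 and CISA KEV
# feeds. Field names are assumptions; check them against the live schemas.
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    # Not Scheduled under the new model: listed, but no CVSS/CPE/CWE data.
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled", "metrics": {}}},
    # In KEV, enrichment still pending (targeted within one business day).
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
]}
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-0000-0003"}]}


def kev_ids(kev_feed):
    """Set of CVE IDs present in the KEV catalog."""
    return {v["cveID"] for v in kev_feed["vulnerabilities"]}


def base_score(cve):
    """Return the first available CVSS base score, or None if unenriched."""
    metrics = cve.get("metrics") or {}
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        for m in metrics.get(key, []):
            return m["cvssData"]["baseScore"]
    return None


def naive_high_severity(nvd_feed, threshold=7.0):
    """The old assumption: NVD is complete, so 'no score' means 'not important'."""
    return [e["cve"]["id"] for e in nvd_feed["vulnerabilities"]
            if (base_score(e["cve"]) or 0) >= threshold]


def triage(nvd_feed, kev_feed):
    """Bucket CVEs so that missing enrichment is visible instead of a silent gap."""
    kev = kev_ids(kev_feed)
    buckets = {"kev": [], "scored": [], "unenriched": []}
    for entry in nvd_feed["vulnerabilities"]:
        cve = entry["cve"]
        cid, score = cve["id"], base_score(cve)
        if cid in kev:
            buckets["kev"].append(cid)             # confirmed exploitation: act first
        elif score is not None:
            buckets["scored"].append((cid, score))  # normal CVSS-driven handling
        else:
            buckets["unenriched"].append(cid)       # needs another intel source
    return buckets


if __name__ == "__main__":
    print("naive filter:", naive_high_severity(NVD_SAMPLE))
    print("triage:", triage(NVD_SAMPLE, KEV_SAMPLE))
```

On the sample data the naive filter returns only CVE-0000-0001 and never sees the KEV entry, while the triage keeps the Not Scheduled record in a bucket that can be routed to a commercial feed, the EUVD, or manual review.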

The new system will also allow NIST to “stabilize the NVD program while we develop the automated systems and workflow enhancements required for long-term sustainability.” That language suggests this is a structural reset, not a temporary triage posture.

TheCyberThrone Assessment

The NVD enrichment model was built for a different era — when CVE volumes were manageable, when a federal agency could plausibly annotate every disclosed vulnerability, and when the internet’s attack surface grew at human pace.

That era ended years ago. What happened on April 15, 2026 was NIST finally acknowledging it officially.

The risk-based triage pivot is the right call given resource constraints. But it places an enormous burden on security teams to understand what “Not Scheduled” actually means in operational terms — and to build intelligence pipelines that don’t collapse when NVD enrichment is absent.

CISA KEV as the enrichment anchor is directionally sound. KEV represents confirmed exploitation in the wild — the highest-signal subset of the CVE universe. But KEV is not a comprehensive vulnerability inventory. It is a confirmed-exploitation subset. The distance between “CVE exists” and “CVE is in KEV” is where most organizational risk actually lives.

Organizations relying solely on NVD-enriched data for vulnerability prioritization are now operating with structural blind spots. The question is not whether to build alternative intelligence pipelines. The question is how fast they can.
