NIST Pulls Back on CVE Enrichment Amid Overwhelming Vulnerability Volume

The National Institute of Standards and Technology (NIST) has announced significant changes to how it enriches and processes Common Vulnerabilities and Exposures (CVE) entries within the National Vulnerability Database (NVD). Facing a staggering 263% increase in vulnerability submissions since 2020, NIST is narrowing its enrichment focus to prioritize the most operationally critical records — specifically those listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and software used by federal agencies. The policy shift marks a pivotal moment for the security community, which has long relied on NVD as the authoritative source for structured vulnerability metadata.

What Is CVE Enrichment and Why Does It Matter?

When a CVE is published, it typically contains only basic identification information — a CVE ID, a brief description, and references. Enrichment is the process by which NIST analysts add critical structured data to those raw records inside the NVD, including:

  • CVSS scores (Common Vulnerability Scoring System) — used by security teams to gauge severity
  • CPE entries (Common Platform Enumeration) — machine-readable identifiers linking vulnerabilities to specific software versions
  • CWE mappings (Common Weakness Enumeration) — classifying the root cause of the vulnerability
  • References to public exploit code, advisories, and patches

Without enrichment, a CVE entry is difficult to consume programmatically. Vulnerability scanners, SIEMs, asset management tools, and patch management platforms all depend on this structured data to function accurately. The NVD has served as the backbone of automated vulnerability management for over two decades.

The Scale of the Problem: 263% Surge Since 2020

The sheer volume of CVEs being published has grown at a pace that NIST's manual enrichment processes cannot sustainably match. Since 2020, the number of vulnerability submissions has increased by 263%, driven by several converging factors:

  • Expansion of CVE Numbering Authorities (CNAs), which now number in the hundreds globally
  • Growing attack surface from cloud-native applications, open-source dependencies, and IoT devices
  • Increased security researcher activity and coordinated disclosure programs
  • Broader adoption of automated vulnerability discovery tools in software pipelines

In 2023 and 2024, NIST began falling behind on enrichment, leaving thousands of CVE entries in a pending or unenriched state for weeks and months. Industry stakeholders raised alarms, noting that the gap between CVE publication and NVD enrichment was introducing dangerous blind spots in enterprise vulnerability management workflows.

NIST's New Prioritization Framework

Rather than attempting to enrich every CVE submitted — a task that has grown beyond current resource capacity — NIST has established a tiered prioritization model. Going forward, enrichment resources will be concentrated on two primary categories:

1. CISA Known Exploited Vulnerabilities (KEV)

CVEs that appear in CISA's KEV catalog will receive immediate enrichment priority. The KEV catalog tracks vulnerabilities that have confirmed, active exploitation in the wild. These are the vulnerabilities most likely to result in real-world compromise if left unpatched, making rapid, accurate NVD enrichment operationally essential for defenders.

2. Software Used by Federal Agencies

In alignment with federal cybersecurity mandates — including guidance stemming from Executive Order 14028 on Improving the Nation's Cybersecurity — NIST will prioritize enriching CVEs affecting software deployed across U.S. federal government systems. This ensures compliance-driven patching workflows in federal environments remain supported with accurate data.

CVEs that fall outside these two priority buckets may be labeled "Deferred" or "Not Scheduled" — meaning enrichment will not occur on any defined timeline. Security teams relying solely on NVD data for these entries may find records with minimal metadata for an indefinite period.

Thousands of CVEs Shifted to "Not Scheduled"

The practical consequence of this policy change is significant: thousands of CVEs are being moved to a "Not Scheduled" status, indicating that NIST does not currently plan to enrich those entries. For organizations whose vulnerability management processes are tightly coupled to NVD CVSS scores and CPE data, this creates an immediate operational gap.

Security tools that automatically ingest NVD data and trigger alerts or patch workflows based on CVSS thresholds will encounter incomplete records. This could result in:

  • False negatives in vulnerability scans — tools may not flag software as vulnerable if CPE mappings are absent
  • Inaccurate risk scoring in GRC platforms relying on NVD CVSS data
  • Compliance reporting gaps for organizations required to remediate vulnerabilities above a certain severity threshold
  • Increased manual analyst workload to compensate for missing structured data

What This Means for Security Teams

Organizations should treat this as a signal to diversify their vulnerability intelligence sources rather than depending solely on NVD. Several alternative and supplementary data sources can help fill the gap:

  • CISA KEV Catalog — already the highest-priority enrichment target under the new NIST policy; should be a primary input for patch prioritization
  • Vendor security advisories — software vendors often publish their own CVSS scores and CPE mappings independent of NVD
  • Commercial vulnerability intelligence feeds — platforms such as VulnDB, Tenable, or Rapid7 enrich CVE data independently
  • OSV (Open Source Vulnerabilities) — Google's open-source vulnerability database provides structured data for open-source package ecosystems
  • GitHub Advisory Database — particularly useful for organizations with significant open-source software dependencies
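The two preceding sections describe the operational gap in the abstract: a record with no CVSS score or CPE mapping silently falls through a threshold-based alert filter, and the fix is to merge in KEV membership and vendor advisories rather than trusting NVD alone. The Python below is an added illustration of that pipeline, not code from the article or from NIST. It assumes the field names of the NVD API 2.0 JSON (`vulnStatus`, `metrics.cvssMetricV31`, `configurations[].nodes[].cpeMatch`) and of the CISA KEV JSON feed (`cveID`); the vendor advisory shape is hypothetical, and all records, IDs (`CVE-0000-1000x`), scores and CPE strings are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records in the shape of NVD API 2.0 JSON (field names are an
# assumption about the API; IDs, scores and CPEs are placeholders, not real CVEs).
NVD_FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-10001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example_vendor:server:1.0:*:*:*:*:*:*:*"}]}]}]}},
    # In KEV but not yet analyzed: the lag the article describes.
    {"cve": {"id": "CVE-0000-10002", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    # Outside both priority buckets, so NVD has deferred it indefinitely.
    {"cve": {"id": "CVE-0000-10003", "vulnStatus": "Deferred",
             "metrics": {}, "configurations": []}},
]}

# Constructed CISA KEV-style catalog (field names assumed from the public JSON feed).
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-10002", "dueDate": "2025-01-01", "knownRansomwareCampaignUse": "Known"},
]}

# Constructed vendor advisory data; this shape is hypothetical (every vendor differs).
VENDOR_ADVISORIES = {
    "CVE-0000-10003": {"baseScore": 7.5,
                       "cpes": ["cpe:2.3:a:example_vendor:library:2.1:*:*:*:*:*:*:*"]},
}

# NVD statuses meaning enrichment has not happened (and, for the last two, may never).
UNENRICHED_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis",
                       "Deferred", "Not Scheduled"}


@dataclass
class VulnRecord:
    cve_id: str
    status: str
    cvss: Optional[float] = None
    cvss_source: Optional[str] = None   # "nvd" or "vendor", so analysts know provenance
    cpes: list = field(default_factory=list)
    in_kev: bool = False
    gaps: list = field(default_factory=list)


def nvd_cvss(cve: dict) -> Optional[float]:
    """Return the first CVSS v3.1 base score, or None when NVD has not scored the entry."""
    for m in cve.get("metrics", {}).get("cvssMetricV31", []):
        return m["cvssData"]["baseScore"]
    return None


def nvd_cpes(cve: dict) -> list:
    """Flatten NVD configuration nodes into a list of CPE criteria strings."""
    return [m["criteria"] for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", []) for m in node.get("cpeMatch", [])]


def build_records(nvd: dict, kev: dict, vendor: dict) -> dict:
    """Merge NVD, KEV and vendor data; every remaining hole is written to `gaps`."""
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    records = {}
    for item in nvd["vulnerabilities"]:
        cve = item["cve"]
        rec = VulnRecord(cve_id=cve["id"], status=cve.get("vulnStatus", ""),
                         in_kev=cve["id"] in kev_ids)
        rec.cvss, rec.cpes = nvd_cvss(cve), nvd_cpes(cve)
        if rec.cvss is not None:
            rec.cvss_source = "nvd"
        # Backfill from the vendor advisory only where NVD has nothing.
        adv = vendor.get(rec.cve_id)
        if rec.cvss is None and adv and adv.get("baseScore") is not None:
            rec.cvss, rec.cvss_source = adv["baseScore"], "vendor"
        if not rec.cpes and adv:
            rec.cpes = list(adv.get("cpes", []))
        # Record what is still missing so it is never mistaken for "low severity".
        if rec.cvss is None:
            rec.gaps.append("cvss")
        if not rec.cpes:
            rec.gaps.append("cpe")
        if rec.status in UNENRICHED_STATUSES:
            rec.gaps.append(f"nvd_status:{rec.status}")
        records[rec.cve_id] = rec
    return records


def prioritize(records: dict) -> list:
    """KEV entries first, then CVSS descending; unscored entries sort last but stay in the queue."""
    def key(r: VulnRecord):
        return (0 if r.in_kev else 1, -(r.cvss if r.cvss is not None else -1.0))
    return [r.cve_id for r in sorted(records.values(), key=key)]


def threshold_alerts(records: dict, threshold: float):
    """Return (meets threshold, unknown severity). A plain `cvss >= threshold` filter
    would drop the unknowns outright, which is the false negative the article warns about."""
    alerts = [r.cve_id for r in records.values() if r.cvss is not None and r.cvss >= threshold]
    unknown = [r.cve_id for r in records.values() if r.cvss is None]
    return sorted(alerts), sorted(unknown)


if __name__ == "__main__":
    recs = build_records(NVD_FEED, KEV_FEED, VENDOR_ADVISORIES)
    print("patch order:", prioritize(recs))
    print("alerts / unknown severity at CVSS>=7.0:", threshold_alerts(recs, 7.0))
    for r in recs.values():
        print(r.cve_id, r.status, r.cvss, r.cvss_source, r.gaps)
```

The design point is the `gaps` list and the second return value of `threshold_alerts`: an unenriched record must surface as "severity unknown, review manually" rather than vanish, and a KEV hit must outrank any CVSS number because it reflects confirmed exploitation. In production the three constructed dictionaries would be replaced by the live NVD API, the KEV JSON download, and whatever advisory format each vendor publishes.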

"The NVD enrichment slowdown is a structural problem, not a temporary one. Security teams need to build resilient vulnerability management pipelines that don't treat NVD as a single point of failure."

The Broader Implications for Vulnerability Management Policy

NIST's decision reflects a hard truth about the modern vulnerability landscape: the volume of disclosed vulnerabilities has outpaced the capacity of any single government-funded body to maintain comprehensive, manually curated enrichment at scale. This raises important questions about the long-term architecture of public vulnerability data infrastructure.

There are growing calls within the security community for:

  • Automated enrichment pipelines leveraging AI and machine learning to generate CVSS scores and CPE mappings at scale
  • Greater responsibility placed on CVE Numbering Authorities (CNAs) to submit pre-enriched records
  • Expanded public-private partnerships to share the enrichment burden
  • Standardized enrichment APIs that allow community contributions under NIST oversight

NIST has acknowledged these challenges and has signaled ongoing collaboration with CISA and the broader CVE ecosystem to explore sustainable long-term solutions. However, the immediate operational reality for 2025 and beyond is one of constrained enrichment capacity and selective coverage.

Conclusion: Adapt Your Vulnerability Program Now

NIST's decision to limit CVE enrichment is not a failure of the program — it is an honest acknowledgment of an unsustainable trajectory. The 263% surge in vulnerability submissions since 2020 represents a fundamental shift in the threat landscape, and the infrastructure built to support it must evolve accordingly. For security practitioners, the message is clear: do not build critical vulnerability management workflows on a single data source, and ensure your team understands where NVD enrichment gaps may exist in your tooling today. Organizations that proactively adapt by integrating KEV prioritization, vendor advisories, and commercial intelligence feeds will be far better positioned to maintain defensible, risk-based patch management programs regardless of how NVD coverage evolves in the months ahead.