NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities: What It Means for Cybersecurity

The NVD enrichment process is undergoing a major overhaul. The US National Institute of Standards and Technology (NIST) has announced it will stop enriching most vulnerabilities reported before March 1, 2026, in a bid to manage an unprecedented surge in CVE submissions. This shift to a risk-based approach aims to focus resources on the most critical threats, leaving many older vulnerabilities unanalyzed.

Speaking at VulnCon26 in Scottsdale, Arizona, on April 15, Harold Booth, a NIST computer scientist, explained the reasoning behind the change. “CVE reporting keeps increasing – and trust me, at the NVD, we see them all – and our ability to keep up is just not there, so our backlog keeps increasing too,” he said.

Why NVD Enrichment Is Being Rethought

The decision stems from a dramatic rise in reported vulnerabilities. According to a NIST statement published on April 15, CVE submissions jumped by 263% between 2020 and 2025. In 2025 alone, the NVD enriched nearly 42,000 CVEs – 45% more than any prior year. Yet, the backlog continues to grow.

“Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” Booth noted. “We’ve been trying to develop new tools to help with this, but with our current methods, I will admit this is just something we can’t keep up with.” This trend is expected to accelerate, with the Forum of Incident Response and Security Teams (FIRST) forecasting a record-breaking 50,000 additional CVEs in 2026.

Jerry Gamblin, principal engineer at Cisco Threat Detection & Response, predicts an even higher figure: 70,135 CVEs by year-end, representing a 45.6% growth rate over 2025. These forecasts do not account for new generative AI models from Anthropic and OpenAI, such as Claude Mythos and GPT-5.4-Cyber, which promise to autonomously find and fix vulnerabilities at scale.

How the New Risk-Based Approach Works

Under the revised framework, the NVD will prioritize vulnerabilities that pose the greatest threat. Specifically, enrichment will focus on:

  • Software used by the US federal government
  • Critical software as defined by Executive Order 14028 (2021)
  • Vulnerabilities on the CISA Known Exploited Vulnerabilities (KEV) list

“All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as ‘Not Scheduled,’” Booth explained. This means that thousands of older, less critical vulnerabilities will remain unenriched indefinitely.

Booth emphasized the rationale: “Vulnerabilities are a way for an attacker to gain access to a system that they should not and we want to close those holes as quickly, efficiently and effectively as possible. We want to focus on the ones that are important, not the ones that are unimportant.” Users can still request enrichment of unscheduled CVEs by emailing the NVD at nvd@nist.gov.

Changes to CVE Scoring and Analysis

Alongside the prioritization shift, the NVD has updated its scoring and analysis procedures. It will no longer provide its own CVSS severity scores for CVEs already scored by the submitting authority, unless the score appears inaccurate. Additionally, the NVD will only reanalyze modified CVEs if changes materially impact enrichment data.

To improve clarity, status labels have been revised. The previous ‘Deferred’ status is replaced with ‘Not Scheduled,’ indicating that the NVD will not enrich the corresponding CVE. A new document explaining these labels is now available on the NVD website.

Implications for Vulnerability Management

This shift in NVD enrichment policy has significant implications for cybersecurity teams. Organizations can no longer rely on the NVD to analyze every vulnerability. Instead, they must adopt a more proactive approach, leveraging threat intelligence feeds and internal risk assessments.

In practice, vulnerability management now requires prioritization based on exploitability and business impact rather than on the presence of an NVD analysis. Tools like the CISA KEV list provide a starting point, but teams must also consider their unique threat landscape. Integrating the CISA KEV list into your workflow can help identify actively exploited vulnerabilities.
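The triage logic described above, and the scoring fallback from the earlier section (use the submitting authority's CVSS score where the NVD no longer supplies its own), as an added example that is not NIST's or CISA's code. The record layout is a constructed, simplified version of the NVD API 2.0 `cve` object, the KEV set and asset-criticality map are constructed sample data, and all field names are assumptions.

```python
"""Rank CVEs for remediation when the NVD may leave them unenriched.

Added example, not NIST/CISA code. Records are a constructed, simplified
imitation of the NVD API 2.0 'cve' object; field names are assumptions.
"""

# Constructed stand-in for the CISA KEV catalogue (not the real list).
KEV_SAMPLE = {"CVE-2026-0002"}

# Constructed records: one NVD-analyzed, one with only a CNA score and a
# 'Not Scheduled' status, one 'Not Scheduled' with no score at all.
SAMPLE_CVES = [
    {"id": "CVE-2026-0001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [
         {"type": "Primary", "cvssData": {"baseScore": 9.8}}]}},
    {"id": "CVE-2026-0002", "vulnStatus": "Not Scheduled",
     "metrics": {"cvssMetricV31": [
         {"type": "Secondary", "cvssData": {"baseScore": 7.5}}]}},
    {"id": "CVE-2026-0003", "vulnStatus": "Not Scheduled", "metrics": {}},
]


def base_score(cve):
    """Return (score, source). An NVD 'Primary' score wins; otherwise fall
    back to the CNA's 'Secondary' score, which the NVD now relies on."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    for wanted, label in (("Primary", "nvd"), ("Secondary", "cna")):
        for m in metrics:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], label
    return None, "none"


def triage(cves, kev, asset_criticality):
    """Rank by KEV membership, then internal asset criticality, then score.
    Unscored CVEs go to a manual-review queue instead of silently sinking
    to the bottom of the list."""
    ranked, review = [], []
    for cve in cves:
        score, _src = base_score(cve)
        if score is None:
            review.append(cve["id"])
            continue
        crit = asset_criticality.get(cve["id"], 0)
        ranked.append((cve["id"] in kev, crit, score, cve["id"]))
    ranked.sort(key=lambda r: r[:3], reverse=True)
    return [r[3] for r in ranked], review
```

Unenriched CVEs that carry a CNA score are still ranked; only CVEs with no score anywhere land in the review queue, which is where an enrichment request to nvd@nist.gov would be raised.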

Furthermore, the rise of AI-driven vulnerability discovery tools means the volume of CVEs will only increase. AI-powered cybersecurity tools are changing the game, but they also create new challenges for databases like the NVD.

What Comes Next for the NVD

NIST acknowledges that these changes are temporary measures. Booth noted that the team is developing new tools to handle the workload, but admitted that current methods are insufficient. The agency is also exploring partnerships with industry and academia to improve efficiency.

For now, the focus is on reducing the backlog and ensuring that critical vulnerabilities receive timely attention. As Booth stated, “We want to close those holes as quickly, efficiently and effectively as possible.” The cybersecurity community will be watching closely to see if this risk-based approach delivers on its promise.
