NIST Struggles to Keep Up With CVEs

Overwhelmed by the volume of CVEs, NIST no longer promises to enrich all of them before integrating them into the NVD (National Vulnerability Database).

The U.S. federal agency will prioritize certain vulnerabilities. Specifically, those that:

  • Appear in the KEV (Known Exploited Vulnerabilities) catalog
  • Affect software used by the federal government
  • Affect software deemed “critical” under the definition set out in Executive Order 14028 of 2021

The order defines as critical any software that includes, or has direct dependencies on, one or more components bearing at least one of the following attributes:

  • Designed to operate with elevated privileges or to manage privileges
  • Has direct or privileged access to network or computing resources
  • Designed to control access to data or to operational technology (OT)
  • Provides a critical trust function or operates outside normal trust boundaries with privileged access

A list accompanies the order. It is fairly broad and includes, among other categories, identity and access management (IAM), operating systems, hypervisors, web browsers, monitoring, network security and backup/restore.


Until now, NIST had systematically assigned a severity score to every CVE, even when the CVE Numbering Authority (CNA) had already supplied one. That will no longer be the case, although a score can still be requested by email. The same applies to the reanalysis of CVEs that were enriched and later modified: by default, the agency will reanalyze only when it is aware of a modification that is “significantly impactful.”

Two years ago, the first signals

Beyond the severity score, CVE enrichment provides, among other things, lists of the affected vendors, references to third‑party bulletins and links to available patches.

In spring 2024, NIST began to communicate openly about the backlog of vulnerabilities awaiting analysis. It already claimed to prioritize the most important ones and was looking for a long‑term solution, such as the creation of an industry consortium. The goal at the time was to have cleared the backlog by autumn.

At the end of the year, the agency acknowledged that this objective had been overly optimistic. It cited, in particular, receiving CVEs in a format that was difficult to import and enrich.

In March 2025, with the modified format, NIST said it had regained its pre‑spring 2024 pace. At the same time, however, the volume of CVEs had clearly risen. A few weeks later, it ultimately decided to assign the “deferred” status to CVEs published before 2018 that were still awaiting enrichment, an indication that they would no longer be prioritized.

In early 2026, the agency outlined the contours of what is now officially its new policy. It sees it as a way to “stabilize” the NVD program while giving itself time to “improve processes” and to “develop automated systems.”

NIST under budget pressure… just like the CVE program

This change will have downstream consequences for the solutions that rely on the NVD, among them numerous SIEMs, penetration testing tools and vulnerability scanners.


The absence of a systematic NIST “stamp of approval” on severity scores may raise questions, especially given that some vendors act as CVE Numbering Authorities (CNAs) for their own products and might be tempted to downplay vulnerabilities in their software.
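The practical consequence for a tool that ingests the NVD is that a record can no longer be assumed to carry an NVD-assigned CVSS score and CPE configuration data; it may carry only the CNA's own score, or no score at all. The following is an added example, not code from the article or from NIST, of how a consumer can sort records by who actually scored them and queue the CNA-only and unscored ones for review instead of silently trusting or dropping them. The field names follow the public NVD API 2.0 JSON layout (cve.vulnStatus, cve.metrics.cvssMetricV31[].source, cve.configurations); the three sample records and their CVE ids are constructed placeholders.

```python
"""Triage NVD 2.0-style CVE records by enrichment state (added example)."""
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Source string NVD uses for its own metrics; anything else is treated as a
# CNA or third-party score.
NVD_SOURCE = "nvd@nist.gov"

# Constructed sample feed in NVD API 2.0 layout. CVE ids and the CNA source
# address are placeholders, not real records.
SAMPLE_FEED = json.loads(r'''
{"vulnerabilities": [
  {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
    "metrics": {"cvssMetricV31": [
      {"source": "nvd@nist.gov", "type": "Primary",
       "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
      {"source": "cna@example.invalid", "type": "Secondary",
       "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
    "configurations": [{"nodes": []}]}},
  {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
    "metrics": {"cvssMetricV31": [
      {"source": "cna@example.invalid", "type": "Secondary",
       "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
  {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Deferred",
    "metrics": {}}}
]}
''')


@dataclass(frozen=True)
class Triage:
    cve_id: str
    status: str
    score: Optional[float]
    severity: Optional[str]
    score_source: str   # "nvd", "cna" or "none"
    enriched: bool      # NVD metrics and CPE configurations both present
    needs_review: bool  # score came only from a CNA, or there is no score


def _best_metric(metrics: dict) -> Tuple[Optional[dict], str]:
    """Prefer NVD's own CVSS v3.x entry; otherwise fall back to the first
    CNA entry. Keyed on 'source', not on the Primary/Secondary flag."""
    entries = metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or []
    for entry in entries:
        if entry.get("source") == NVD_SOURCE:
            return entry, "nvd"
    if entries:
        return entries[0], "cna"
    return None, "none"


def triage(record: dict) -> Triage:
    """Classify one NVD record by who scored it and whether it was enriched."""
    cve = record["cve"]
    metric, source = _best_metric(cve.get("metrics") or {})
    has_cpe = bool(cve.get("configurations"))
    data = metric.get("cvssData", {}) if metric else {}
    return Triage(
        cve_id=cve["id"],
        status=cve.get("vulnStatus", "Unknown"),
        score=data.get("baseScore"),
        severity=data.get("baseSeverity"),
        score_source=source,
        enriched=(source == "nvd" and has_cpe),
        needs_review=(source != "nvd"),
    )


def triage_feed(feed: dict) -> list:
    return [triage(r) for r in feed.get("vulnerabilities", [])]


def review_queue(feed: dict) -> list:
    """CVE ids a scanner must not present as NIST-scored: CNA-only or unscored."""
    return [t.cve_id for t in triage_feed(feed) if t.needs_review]


if __name__ == "__main__":
    for t in triage_feed(SAMPLE_FEED):
        print(f"{t.cve_id}: status={t.status} score={t.score} "
              f"({t.score_source}) enriched={t.enriched} review={t.needs_review}")
    print("review queue:", review_queue(SAMPLE_FEED))
```

The point of keeping the score source as an explicit field is that a CNA-supplied 5.3 and an NVD-supplied 5.3 should not be indistinguishable downstream: a scanner can still use the CNA number for ordering, but it should display its provenance and route the record to a human or to a second data source rather than letting it suppress an alert on its own.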

Under the Trump administration, the agency has operated with a tighter budget. It has been in the crosshairs in Washington for its “radical climate agenda,” the flagship example being its circular economy program, which its critics say relied on university grants to promote “environmental alarmism.”

The CVE program, run by the nonprofit MITRE Corporation, was also under threat for a time. Its last-minute renewal by the US government drew attention to the European Union’s work on an alternative, the Global CVE Allocation System (GCVE), and on the EU Vulnerability Database (EUVD).

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.