Surge in CVE Volume Leads NIST to Prioritize NVD Program

NIST Changes Workflow; “enrichment list” in Focus

NIST is changing the way it handles cybersecurity vulnerabilities and exposures, or CVEs, listed in the National Vulnerability Database (NVD). A new risk-based model will allow NIST to manage the current CVE volume while modernizing the NVD for long-term sustainability. Under the new model, NIST will focus on an “enrichment list,” centralizing efforts around flaws found in software used within the federal government.

NIST handled some 42,000 instances in 2025, and said that increased productivity is “not enough to keep up with growing submissions.” It confirmed it will now focus only on the most critical CVEs.

Enrichment list of NIST

  • Software systems deemed critical by the Biden-signed Executive Order on bolstering US cybersecurity
  • Vulnerabilities appearing in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) Catalog.
  • NIST will add details, or “enrich,” those CVEs that meet certain criteria
  • CVEs that do not meet those criteria will still be listed in the NVD but deemed as “lowest priority” and will not be immediately enriched by NIST.

NIST’s NVD program has aimed to analyze all CVEs and add details, such as severity scores and product lists, that mostly helped cybersecurity professionals prioritize and mitigate vulnerabilities.

Starting on April 15, 2026, we will prioritize the following CVEs for enrichment:

Impact on Global cybersecurity community

With the new model, NIST will no longer routinely provide separate severity scores when one has already been provided. Modified CVEs will be reanalyzed only if changes materially affect enrichment data.

The prioritized CVEs are those for software used within the federal government and those defined as critical under Executive Order 14028. CVEs outside these categories will still be listed but marked “Not Scheduled.”

CVE submissions keep rising every year: they grew 263% between 2020 and 2025, and early 2026 volumes are also tracking higher than the same period last year. The volume of incoming data has outpaced NIST’s ability to process every record, necessitating the changes.

NIST will now prioritize critical CVEs, strengthen its workload management and stabilize the program. It will subsequently automate its systems and enhance workflows to ensure long-term sustainability.

Submissions during the first three months of 2026 are nearly one-third higher than the same period last year. To support the transition to the next phase, NIST has updated its NVD Dashboard with real-time processing metrics and clearer status labels.

For Other CVEs

Backlogged CVEs published before March 1 will be moved into the “Not Scheduled” category. Updated status labels and dashboard reporting will provide users with real-time visibility into CVE processing.

This will reduce duplication of effort and allow NIST to focus its resources more effectively. Users can request that we provide a separate severity score for specific CVEs by emailing us at the address above.

As per NIST: “By evolving the NVD to meet today’s challenges, we can ensure that the database remains a reliable, sustainable and publicly available source of information about cybersecurity vulnerabilities. We appreciate the continued collaboration of our partnering agencies and the user community as we make these necessary adjustments.”

This decision by NIST may leave organizations outside the US more exposed to cyber risk, as a significant number of vulnerabilities wouldn’t have any clear path.

Sources: NIST Updates NVD Operations to Address Record CVE Growth | NIST