The National Institute of Standards and Technology (NIST) has announced a major change to how it manages cybersecurity vulnerabilities in its National Vulnerability Database (NVD), moving to a risk-based prioritization model in response to a sharp rise in CVE submissions. The agency said it will now only enrich vulnerabilities that meet specific high-impact criteria, while all others will still be listed but marked as “Not Scheduled” without additional analysis. The change, which took effect on April 15, 2026, reflects the growing challenge of keeping pace with vulnerability disclosures, which surged by 263% between 2020 and 2025.

Under the new approach, NIST will prioritize vulnerabilities that appear in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, those affecting software used by the U.S. federal government, and critical software defined under Executive Order 14028. This includes systems with elevated privileges, access to sensitive data or operational technology, and those operating beyond standard trust boundaries.

NIST said the goal is to focus resources on vulnerabilities with the greatest potential for widespread or systemic impact. While lower-priority CVEs may still pose risks, they are considered less critical at a national or ecosystem level. The scale of the challenge is significant. NIST enriched nearly 42,000 CVEs in 2025, a 45% increase over previous years, yet thousands remain without full analysis. Early 2026 data shows submissions continuing to rise, with volumes already one-third higher than the previous year.

As part of the update, NIST will also stop assigning separate severity scores when one is already provided by the CVE Numbering Authority. Additionally, previously unenriched CVEs published before March 2026 will be moved into the “Not Scheduled” category unless they are included in the KEV catalog.

The changes signal a broader shift in how organizations must approach vulnerability management. Security experts note that relying solely on centralized databases like the NVD is becoming less practical as vulnerability volumes grow. Industry voices suggest the move will push organizations toward more proactive, intelligence-driven security strategies. Rather than attempting to track every disclosed vulnerability, security teams are increasingly expected to prioritize those actively exploited or most relevant to their environments. While the new model may disrupt traditional workflows, it reflects a growing consensus that focusing on real-world risk and exploitability is more effective than maintaining exhaustive but difficult-to-manage vulnerability records.


