For years, vulnerability enrichment has been treated as a federal responsibility by default. The assumption was simple. If a vulnerability existed, the National Vulnerability Database would eventually make it actionable.

At a January 2026 meeting of the Information Security and Privacy Advisory Board, the National Institute of Standards and Technology signaled a strategic shift in how it views the future of the NVD.

“We’ve been doing more and more thinking about the National Vulnerability Database and, strategically, how we’re planning on moving forward,” Jon Boyens, the acting chief of NIST’s Computer Security Division, told members of the agency’s Information Security and Privacy Advisory Board during a recent quarterly meeting.

That statement marks a turning point. NIST is no longer positioning the National Vulnerability Database as a universal enrichment layer for every Common Vulnerabilities and Exposures (CVE) record. Instead, it is preparing to narrow its role and push responsibility into the broader ecosystem. For security leaders, this is not a procedural tweak. It changes how risk gets interpreted, prioritized, and defended against.

Why CVE Enrichment Stopped Scaling

The CVE system has always had two distinct functions. Assignment and enrichment. Assignment is handled by MITRE and a global network of CVE numbering authorities. That part, while imperfect, largely works. Enrichment is where the strain sits.

NIST’s strategic review of the NVD, which adds detailed information to flaws listed in the federally funded CVE catalog, comes as cybersecurity experts increasingly question the government’s role in managing the CVE ecosystem. 


NIST, for years, has been unable to keep up with the flood of vulnerabilities requiring analysis, and a 2025 controversy over a near-lapse in government funding for the CVE catalog intensified concerns about the fate of a critical cybersecurity resource.

Moving forward, NIST will begin prioritizing which vulnerabilities it enhances based on several factors, including whether a vulnerability appears in the CISA’s known exploited vulnerabilities catalog, whether it exists in software that federal agencies use, and whether it exists in software that NIST defines as critical.

NIST’s NVD takes published CVEs and adds the metadata that security teams depend on. CVSS scores. CPE mappings. References. Context. That work is labor-intensive and increasingly manual, even when automation assists.

The problem is volume. Nearly 50,000 CVEs were published in 2025, driven by cloud software sprawl, open source reuse, and accelerated release cycles. That growth curve has been visible for years. Funding and staffing did not keep pace.

Multiple independent analyses show that more than 70 percent of CVEs published since early 2024 remain unenriched. Not delayed. Missing. For vulnerability management tools, that gap is existential. Without CVSS or CPE data, scanners cannot reliably identify exposure or prioritize remediation. Risk does not disappear. It becomes opaque.

A Risk-Based Pivot: Not Universal Coverage

Kevin Greene, chief cybersecurity technologist for the public sector at BeyondTrust, describes the issue as structural rather than temporary:

“The funding problem is nearly a decade old. When I was at DHS S&T, after learning about the funding and resource challenges, I reached out to fund research and development (R&D) into Natural Language Processing (NLP) to automate vulnerability collection. The goal was to reduce the burden on human analysts and create a timely, quality dataset for exploits and patches, as the NVD was—and remains—the government’s source of truth for vulnerability information.”

“Today,” he adds, “the NVD’s model is still tied directly to the NIST cybersecurity budget, which faced a 12% cut in FY25/26. While CISA has made a considerable commitment to the CVE program, the establishment of the CVE Foundation (a 501(c)(3) nonprofit) is the necessary next step. It ensures a multi-stakeholder approach by inviting funding from international government entities and industry partners, finally providing a pathway to decouple the program from federal funding if the government chooses to reallocate funding to other programs. To make this work and stabilize these resources, we need industry partners to provide financial support and in-kind funding to ensure the CVE program continues to provide actionable vulnerability intelligence required to predict and manage vulnerability risk effectively.”

NIST’s new posture is explicit. Going forward, it will prioritize which vulnerabilities receive federal enrichment, and the criteria are pragmatic: whether the vulnerability appears in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog, whether it affects software used by federal agencies, and whether it exists in software NIST defines as critical under its executive order guidance.

From a policy perspective, it makes sense. Federal resources should focus on where exploitation is active or where national risk concentrates. From an operational perspective, it creates uneven visibility for defenders who have built programs assuming NVD coverage is comprehensive.

A Clearer Division Of Labor and A Hard Trade-Off

As NIST reassesses what it can realistically sustain, the agency is moving away from the assumption that the federal government can serve as a universal enrichment layer for every published vulnerability. Instead, it is redefining its role as one of prioritization and coordination, with greater responsibility pushed outward to the broader CVE ecosystem.

Chrissa Constantine, senior cybersecurity solution architect at Black Duck, frames the change as a clearer division of labor:

“NIST’s National Vulnerability Database (NVD) has served as an enrichment layer on top of CVEs by adding standardized context that many security teams rely on for triage and automation, but NIST has publicly acknowledged that the volume of incoming CVEs has outpaced what its current enrichment model can sustainably analyze at full fidelity. Based on NIST’s recent public remarks, the direction is toward a more explicitly risk based approach and a clearer division of labor across the ecosystem rather than an assumption that every CVE will receive the same level of downstream enrichment from the federal government. NIST has described enrichment as labor intensive and not scalable at current submission levels, and it has indicated it will prioritize enrichment using factors such as whether a vulnerability is included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, whether the affected software is used by federal agencies, and whether the software meets criteria NIST defines as critical.”

The trade-off is unavoidable. Risk-based prioritization improves focus, but it weakens standardization, and the ecosystem has relied on both at once.

When Enrichment Fails, Everything Downstream Bends

The practical impact of missing enrichment shows up far from policy discussions. It hits the mechanics of defense.

Without reliable CPE mappings, organizations cannot determine which software versions are affected. SBOM initiatives stall. VEX assertions lose meaning. Vulnerability management teams spend time validating exposure manually instead of remediating.

Greene highlights the compounding risk. Attackers are exploiting vulnerabilities faster. Time to exploit continues to shrink. When defenders lack timely enrichment, residual risk accumulates silently in large, complex environments.

This is not evenly distributed pain. Large enterprises with multiple data feeds can compensate by triangulating vendor intelligence, exploitation telemetry, and KEV signals. Smaller organizations and regulated environments often cannot. The unevenness introduces a new form of systemic risk.

Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, points to structural weaknesses that have existed for years but are now becoming operationally visible:

“The CVE’s governance program operates as an annual contract renewal and is not a statutory program with permanent authorization. This translates to successive contract renewals through appropriations cycles, which are subject to budget cuts, administrative priorities, and bureaucratic delays. Additionally, the CVE program has no formal international participation in governance decisions. This absence led Europe to develop the GCVE (Global CVE Allocation System) as an alternative, creating risk of system fragmentation and further instability. If CVE and GCVE operate with different prioritization rules, different enrichment standards, and disparate governance structures, the standardization that made vulnerability identification valuable weakens. This would force organizations to track multiple identifier systems, increasing rather than decreasing vulnerability management complexity.

In short, regional alternatives emerging in response to the CVE program instability suggest that decentralized governance may better suit a global threat landscape, but decentralization without interoperability standards creates new problems and exacerbates complexity.”

Pushing Enrichment Upstream

NIST has been clear about its intent to shift more enrichment responsibility toward CVE Numbering Authorities and vendors. Guidance will follow. Possibly a consortium model for the NVD itself.

Conceptually, this aligns incentives. Vendors know their products best. CNAs are closest to disclosure. Enrichment closer to the source should improve timeliness.

In practice, it introduces quality variance. Dani describes the emerging problem succinctly: if CISA marks a CVE as high impact, NIST has not enriched it, and a commercial provider assigns a different CVSS score, which signal governs prioritization?

Current Flaws

The CVE program has two distinct operations:

1. CVE Assignment

MITRE and several hundred CVE Numbering Authorities (CNAs) worldwide assign unique CVE identifiers to newly discovered vulnerabilities.

2. NVD Enrichment

NIST takes published CVEs and adds critical contextual metadata that makes them actionable for security teams.

Of these two operations, CVE assignment remains relatively functional as CNAs continue assigning CVEs. However, vulnerability enrichment is the point of contention today. 

What “Sustainable” Could Look Like

A sustainable model needs to reduce single-sponsor fragility while improving incentives for producing high-quality, standardized vulnerability metadata close to the point of disclosure. At the program level, the most realistic direction is a hybrid governance and funding approach that combines predictable multiyear public funding for baseline operations with structured private sector participation, since CISA has already telegraphed interest in diversified funding mechanisms and deeper partnerships, and the 2025 near lapse highlighted why annual renewals create systemic risk. 

At the enrichment level, NIST’s stated intent to shift more enrichment responsibility toward CNAs implies the partnership must include clearer standards, implementation guidance, and conformance expectations so enrichment is more consistent across issuers, not just redistributed. The NVD program’s own public discussion of a consortium model is a useful reference point here, because it suggests a forum where government, industry, and other stakeholders can collaborate on the research, tooling, and methods that make enrichment more scalable and interoperable.

In practice, a durable public-private arrangement would likely have three characteristics. First, stable baseline funding that is appropriated or contractually committed on a multiyear horizon for the core identifier and publication functions, reducing the risk of last-minute continuity events. 

Second, a governance model that is transparent about decision rights, service level objectives, and change management so ecosystem participants can plan for shifts in scope, such as NIST’s move toward prioritized enrichment rather than universal enrichment. 

Third, shared technical standards and incentives that push higher quality metadata upstream, including stronger expectations for CNA provided affected product data and references, while allowing specialized downstream providers to compete on analytics, scoring, and prioritization if they interoperate cleanly with the core CVE identifier.

Greene and Dani both argue for structured private sector participation. Software vendors and security vendors derive commercial value from CVE data. A tiered contribution model, potentially supplemented by licensing for premium enrichment services, reflects that reality. Core identifiers should remain free. Enhanced context can be market-supported.

This is uncomfortable territory for a system long treated as a public good. It may also be the only viable path forward.

What Security Leaders Should Do Now

For decision makers, the implication is clear. Treating the NVD as a single source of truth is no longer defensible.

Programs need to assume enrichment gaps by design. Exploitation-informed prioritization should not be optional. KEV, vendor advisories, and third-party intelligence must be integrated intentionally, not opportunistically.
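The precedence question Dani raises earlier (a KEV-listed CVE with no NVD score and a commercial score that disagrees with the CNA) and the guidance above to assume enrichment gaps by design can be made concrete in code. The following is an added example written for this article, not code from NIST, CISA, or any vendor. The CVE identifiers, CPE strings, scores, and KEV membership are constructed; the source precedence (NVD, then the issuing CNA, then a vendor feed), the conflict threshold, and the tier thresholds are assumed policy, not a standard. The point it demonstrates is that a missing CVSS score or missing CPE data must surface as “unknown” or “unscored” and default upward, rather than silently reading as low risk or not affected.

```python
"""Added example: triage CVE records when NVD enrichment is missing or disagrees
with other sources. All inputs are constructed; none are real NVD, KEV or SBOM data."""
from typing import Iterable, Optional

# Assumed policy for this example: prefer NVD's CVSS, then the CNA's, then a
# commercial vendor feed. Your organisation may order these differently.
SCORE_PRECEDENCE = ("nvd_cvss", "cna_cvss", "vendor_cvss")
CONFLICT_DELTA = 1.0  # assumed: flag when two sources differ by at least this much

# --- constructed sample inputs -------------------------------------------
KEV_IDS = {"CVE-2025-10001"}  # stand-in for CISA KEV membership

SBOM_CPES = {  # CPEs of components actually deployed, from a constructed SBOM
    "cpe:2.3:a:example:widget:2.3.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:example:gadget:1.0.0:*:*:*:*:*:*:*",
}

CVE_RECORDS = [
    # In KEV, never enriched by NVD: no CPEs, and the CNA and vendor disagree on CVSS.
    {"id": "CVE-2025-10001", "nvd_cvss": None, "cna_cvss": 7.5, "vendor_cvss": 9.8, "cpes": []},
    # Fully enriched, affects a component in our SBOM, moderate severity.
    {"id": "CVE-2025-10002", "nvd_cvss": 5.3, "cna_cvss": 5.3, "vendor_cvss": None,
     "cpes": ["cpe:2.3:a:example:widget:2.3.1:*:*:*:*:*:*:*"]},
    # No score from anyone and no CPEs: the record a CPE-keyed scanner silently drops.
    {"id": "CVE-2025-10003", "nvd_cvss": None, "cna_cvss": None, "vendor_cvss": None, "cpes": []},
    # Enriched and critical, but the affected product is not in our SBOM.
    {"id": "CVE-2025-10004", "nvd_cvss": 9.1, "cna_cvss": 9.1, "vendor_cvss": None,
     "cpes": ["cpe:2.3:a:other:thing:4.0.0:*:*:*:*:*:*:*"]},
]


def pick_score(rec: dict) -> tuple[Optional[float], str]:
    """Return (score, source) following SCORE_PRECEDENCE; (None, 'none') if unscored."""
    for key in SCORE_PRECEDENCE:
        if rec.get(key) is not None:
            return float(rec[key]), key.split("_")[0]
    return None, "none"


def score_conflict(rec: dict) -> bool:
    """True when the available CVSS sources disagree by CONFLICT_DELTA or more."""
    scores = [float(rec[k]) for k in SCORE_PRECEDENCE if rec.get(k) is not None]
    return len(scores) > 1 and (max(scores) - min(scores)) >= CONFLICT_DELTA


def exposure(rec: dict, sbom_cpes: set[str]) -> str:
    """'affected', 'not_affected', or 'unknown' when the CVE carries no CPE data.

    Exact-string CPE matching is deliberate in this example; production matching
    must also evaluate version ranges from the CVE's configuration data.
    """
    cpes = rec.get("cpes") or []
    if not cpes:
        return "unknown"  # enrichment gap: absence of CPEs is not absence of exposure
    return "affected" if any(c in sbom_cpes for c in cpes) else "not_affected"


def triage(records: Iterable[dict], kev_ids: set[str], sbom_cpes: set[str]) -> list[dict]:
    """Assign a priority tier that never lets a missing field read as 'low risk'."""
    out = []
    for rec in records:
        score, source = pick_score(rec)
        exp = exposure(rec, sbom_cpes)
        flags = []
        if exp == "unknown":
            flags.append("validate-exposure")  # needs manual confirmation, not dismissal
        if score is None:
            flags.append("unscored")
        if score_conflict(rec):
            flags.append("score-conflict")   # sources disagree; record which one governed

        if exp == "not_affected":
            tier = "P3"                      # confirmed not deployed here
        elif rec["id"] in kev_ids:
            tier = "P0"                      # active exploitation outranks any score
        elif score is None:
            tier = "P2"                      # unscored defaults up, not down
        elif score >= 9.0:
            tier = "P1"
        elif score >= 7.0:
            tier = "P2"
        else:
            tier = "P3"
        out.append({"id": rec["id"], "tier": tier, "score": score,
                    "score_source": source, "exposure": exp, "flags": flags})
    return sorted(out, key=lambda r: r["tier"])


if __name__ == "__main__":
    for row in triage(CVE_RECORDS, KEV_IDS, SBOM_CPES):
        print(row)
```

Two design choices carry the article's argument. First, KEV membership decides the tier before any score is consulted, so a KEV-listed CVE that NVD never enriched still lands at the top of the queue with the score source and any conflict recorded beside it. Second, a record with no CPE data is reported as “unknown” exposure and flagged for validation rather than dropped, which is the behaviour a CPE-keyed scanner cannot provide on its own when enrichment is missing.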

Equally important, governance risk belongs in the threat model. Funding instability, data quality variance, and ecosystem fragmentation are now operational concerns. Not abstract policy debates.

NIST’s strategy is rational given the constraints it faces. It is also a reminder that vulnerability management has crossed a threshold. The system that scaled when CVEs numbered in the thousands is not the system we are operating today.

FAQs

1. Why is NIST changing how it handles CVE enrichment now?

NIST can no longer scale universal enrichment as CVE volumes surge. Budget constraints, staffing limits, and a sharp rise in disclosed vulnerabilities have forced a shift toward risk-based prioritization rather than blanket coverage.

2. What does NIST’s new CVE enrichment strategy actually prioritize?

NIST is prioritizing vulnerabilities that are actively exploited, used in federal environments, or classified as critical software. This aligns enrichment efforts with real-world risk instead of theoretical exposure.

3. How does reduced NVD enrichment impact enterprise vulnerability management programs?

Enterprises can no longer rely on the NVD as a complete source of truth. Gaps in CVSS scores and CPE mappings increase manual validation, slow remediation, and require integrating multiple intelligence sources to assess risk accurately.

4. Why is CVE governance and funding becoming a business risk, not just a policy issue?

The CVE program operates on renewable contracts rather than permanent authorization. This introduces continuity risk that directly affects security tooling, compliance reporting, SBOM workflows, and board-level cyber risk posture.

5. What should CISOs and security leaders do differently as CVE enrichment becomes fragmented?

Security leaders should assume enrichment gaps by design, prioritize exploitation-based signals like KEV, diversify data sources, and treat CVE governance instability as part of the operational threat model.
