
The National Institute of Standards and Technology (NIST) is changing how it manages cybersecurity vulnerabilities in its National Vulnerability Database.
According to an April 15 announcement from the agency, NIST will “enrich” only certain Common Vulnerabilities and Exposures (CVEs), while the others remain listed in the database without additional analysis.
Under the new approach, NIST will continue to publish all submitted CVEs in the database.
But it will add detailed information – such as severity scores and product data – only to those that meet specific prioritization criteria. CVEs that do not meet those criteria will be labeled “Not Scheduled” and will not automatically receive additional analysis that would “enrich” the CVE.
The change marks a shift from NIST’s previous practice of attempting to analyze every CVE.
The agency said the new model is designed to help cybersecurity professionals focus on the most critical vulnerabilities while allowing the agency to better manage its workload.
NIST said the move is being driven by a sharp rise in submissions. CVE filings increased 263% between 2020 and 2025, and early 2026 data shows submissions running nearly one-third higher than the same period last year, the agency said.
Even with record output – NIST enriched nearly 42,000 CVEs in 2025 – the agency said it cannot keep pace with demand under its previous model.
Going forward, NIST will prioritize enrichment for CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog, with a goal of processing those within one business day.
It will also prioritize vulnerabilities affecting software used by the federal government and software designated as critical under federal policy.
These prioritized CVEs are the ones considered to pose the greatest potential for widespread or systemic risk. In contrast, CVEs that fall outside these categories may still be significant but are generally viewed as having a less broad impact, according to NIST.
Users will still have the option to request enrichment for CVEs that are not automatically prioritized, and NIST said it will review those requests and process them as resources allow.
As part of the changes, NIST will also streamline how it assigns severity scores. The agency will no longer routinely generate its own score if one has already been provided by the submitting authority – a move intended to reduce duplication and focus resources on higher-priority work.
NIST is also revising how it handles updates to previously analyzed vulnerabilities. Instead of reanalyzing every modified CVE, the agency will now do so only when changes materially affect the original analysis, though users can request additional review if needed.
CVEs published before March 1, 2026, that have not yet been enriched will be moved into the “Not Scheduled” category and reconsidered later based on the new prioritization criteria.
To improve transparency, NIST is introducing updated status labels and enhancing its public dashboard to reflect CVE processing in real time, along with additional details about workflow and prioritization.