
NIST's NVD Shift: What It Means for Container Security Programs

Asked 2026-05-15 17:05:32 Category: Cybersecurity

Introduction

On April 15, the National Institute of Standards and Technology (NIST) announced a significant change to how the National Vulnerability Database (NVD) enriches Common Vulnerabilities and Exposures (CVEs). Under the new prioritized enrichment model, most CVEs will still be published, but fewer will receive the CVSS scores, CPE mappings, and CWE classifications that container scanners and compliance programs have historically relied upon.

NIST's NVD Shift: What It Means for Container Security Programs
Source: www.docker.com

This shift formalizes a trend that has been visible to anyone pulling NVD feeds for the past two years. The key change is expectation: NIST has now clearly stated that it does not intend to return to full-coverage enrichment. For programs that built scanning, prioritization, and service-level agreement (SLA) workflows on the assumption that the NVD is an authoritative secondary layer atop the CVE list, that assumption now warrants a structured review.

What Changed

NIST now divides CVEs into three enrichment categories. Only CVEs that fall into one of these groups will receive full enrichment (CVSS, CPE, CWE):

  • CISA Known Exploited Vulnerabilities (KEV) catalog: Targeted enrichment within one business day.
  • Software used within the federal government: Full enrichment applied.
  • Critical software as defined by Executive Order 14028.

All other CVEs are moved to a new "Not Scheduled" status. Organizations can request enrichment by emailing nvd@nist.gov, but no service-level timeline applies. Additionally, NIST has stopped duplicating CVSS scores when the submitting CNA provides one, and all unenriched CVEs published before March 1, 2026 have been moved into the "Not Scheduled" category.

The Driving Factors Behind the Decision

NIST cited a 263% increase in CVE submissions between 2020 and 2025, with Q1 2026 running roughly a third higher than the same period a year earlier. This surge tracks with a broader expansion in CVE numbering: more CNAs (CVE Numbering Authorities), more open source projects running their own disclosure processes, and more tooling surfacing issues that would not have reached CVE status a few years ago.

The following table illustrates the increase:

Year   Published CVEs                     Source
2023   [Data not provided in original]    NIST

With CVE volume climbing at this rate, NIST's decision to focus enrichment on priority subsets stems from resource constraints. The agency needs to ensure that the most critical vulnerabilities, those actively exploited or affecting government systems, get prompt attention, while the rest may wait indefinitely.

Implications for Container Security Programs

Container security tools often rely on enriched NVD data to prioritize vulnerabilities and enforce compliance policies. With fewer CVEs receiving CVSS scores, programs must adapt. Here are key areas to reassess:

Vulnerability Scanning

Scanners that depend solely on NVD enrichment for CVSS scores may miss contextual risk information for many CVEs. Consider augmenting NVD data with alternative vulnerability scoring systems, such as the SSVC (Stakeholder-Specific Vulnerability Categorization) or vendor-provided assessments.


Prioritization Workflows

Traditional workflows that rely on CVSS scores to prioritize patching need revision. Without enrichment, you may need to implement additional logic—such as threat intelligence feeds, exploitability indexes, or asset criticality—to determine which unenriched CVEs matter most.

Compliance and SLAs

If your compliance framework mandates scanning against fully enriched NVD data, the new model may create gaps. Review your compliance requirements: do they specify NVD enrichment, or are other sources acceptable? You may need to update SLAs to reflect that unenriched CVEs will require manual or alternative analysis.

How to Adapt

To maintain effective container security in this new landscape, consider the following actions:

  • Diversify data sources: Incorporate vulnerability intelligence from vendors, open source projects (e.g., GitHub Advisory Database), or commercial services.
  • Implement risk-based prioritization: Move beyond CVSS alone. Use exploit availability, reachability, and business impact to rank vulnerabilities.
  • Request enrichment strategically: For critical CVEs affecting your environment, send enrichment requests to nvd@nist.gov, but plan for delays.
  • Update tooling: Ensure your container scanner can handle CVEs with missing or partial enrichment, and flag them for review.
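A triage pass that implements the prioritization and tooling points above, as an added example that is not code from the original article or from Docker. It reads records shaped like NVD API 2.0 JSON (an assumption; the records, the KEV set and the criticality map are constructed), falls back to a CNA-supplied CVSS score when NVD has not enriched the CVE, flags unscored CVEs for review instead of treating them as harmless, and ranks on KEV presence and asset criticality rather than CVSS alone.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records modelled on the NVD API 2.0 JSON shape (assumed):
# one NVD-enriched CVE, one with only a CNA-supplied score, one "Not Scheduled".
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                            "cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                                            "cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "metrics": {}}},
]
# Constructed inputs a program maintains itself: KEV catalog entries and a
# 0..1 criticality per CVE derived from the images it affects (hypothetical values).
KEV_IDS = {"CVE-0000-0003"}
ASSET_CRITICALITY = {"CVE-0000-0002": 1.0, "CVE-0000-0003": 0.5}

@dataclass
class Triage:
    cve_id: str
    score: Optional[float]
    score_origin: str      # "nvd", "cna" or "none"
    needs_review: bool     # unenriched CVE that still matters to this environment
    priority: float

def best_score(record):
    """Prefer NVD's Primary CVSS v3.1 score, fall back to the CNA's Secondary one."""
    metrics = record["cve"].get("metrics", {}).get("cvssMetricV31", [])
    for wanted, origin in (("Primary", "nvd"), ("Secondary", "cna")):
        for m in metrics:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], origin
    return None, "none"

def triage(record, kev_ids=KEV_IDS, criticality=ASSET_CRITICALITY):
    cve_id = record["cve"]["id"]
    score, origin = best_score(record)
    in_kev = cve_id in kev_ids
    crit = criticality.get(cve_id, 0.0)
    # An unscored CVE gets an assumed neutral base of 5.0 so it is not ranked last
    # by default; KEV membership and asset criticality dominate the ranking.
    base = score if score is not None else 5.0
    priority = base * (1 + crit) + (10.0 if in_kev else 0.0)
    needs_review = origin != "nvd" and (in_kev or crit > 0)
    return Triage(cve_id, score, origin, needs_review, round(priority, 2))

def triage_all(records=SAMPLE_RECORDS):
    """Return Triage results, highest priority first."""
    return sorted((triage(r) for r in records), key=lambda t: t.priority, reverse=True)
```

With the constructed inputs the "Not Scheduled" KEV entry ranks first despite having no CVSS score at all, which is the outcome a CVSS-only workflow would get wrong.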


Looking Ahead

NIST’s decision is unlikely to be reversed. The volume of CVEs continues to climb, and enrichment is labor-intensive. Container security programs must evolve to operate with less reliance on NVD’s secondary layer. By embracing a more holistic approach to vulnerability management, teams can maintain strong security postures even as the NVD narrows its scope.