Introduction
On April 15, the National Institute of Standards and Technology (NIST) announced a significant shift in how it handles the National Vulnerability Database (NVD). The new prioritized enrichment model means that while most CVE records will still be published, fewer will receive the detailed metadata—such as CVSS scores, CPE mappings, and CWE classifications—that container scanners and compliance programs have long depended on. This change formalizes a trend that has been evident over the past two years, and it now forces security teams to rethink their vulnerability management workflows.

What Changed on April 15
NIST now categorizes CVEs into two broad buckets: those that receive full enrichment and those that are moved to a “Not Scheduled” status. The decision affects both new submissions and existing unenriched CVEs published before March 1, 2026. Organizations can still request manual enrichment, but there is no guaranteed timeline.
The Three Enriched Categories
Only three types of CVEs will continue to receive full enrichment:
- CISA’s Known Exploited Vulnerabilities catalog: CVEs in the KEV list are enriched within one business day.
- Federal government software: Any CVE affecting software used by the U.S. federal government remains fully processed.
- Critical software under EO 14028: Vulnerabilities affecting software deemed critical by Executive Order 14028 are also prioritized.
All other CVEs are now assigned a “Not Scheduled” status, meaning NIST has no current plan to enrich them. This includes the vast majority of vulnerabilities that container security tools previously relied on for scanning and prioritization.
How to Request Enrichment
If your organization needs a CVE enriched, you can email nvd@nist.gov. However, NIST does not provide a service-level agreement, so you may not receive a timely response. Additionally, NIST has stopped duplicating CVSS scores when the submitting CNA provides one, further reducing the enrichment load.
Historical Context: A Drift That Became Official
For years, NVD served as the authoritative secondary layer on top of CVE data. Security programs built scanning, prioritization, and SLA workflows around the assumption that NVD would enrich every CVE. But the writing has been on the wall for some time. The volume of CVE submissions has skyrocketed, and NIST’s resources have not kept pace. The April 15 announcement simply makes explicit what was already happening quietly.
The Volume Behind the Decision
NIST cited a 263% increase in CVE submissions between 2020 and 2025. The first quarter of 2026 ran roughly one-third higher than the same period a year earlier. Several factors drove this surge:
- More CNAs: The number of CVE Numbering Authorities has grown significantly.
- Open source disclosure: More open source projects now run their own vulnerability disclosure processes.
- Improved tooling: Automated tools surface issues that would not have reached CVE status a few years ago.
This explosion in volume made it impractical for NIST to maintain full-coverage enrichment. The agency chose to focus its limited resources on the most critical vulnerabilities, leaving the rest in a limbo state.

Implications for Container Security
Container security programs are among the hardest hit. Scanners that rely on NVD metadata to assign severity scores, identify affected software via CPE, and classify vulnerability types (CWE) will now find many CVEs lacking this information. This breaks automation workflows that depend on consistent enrichment, such as:
- Automated prioritization: Without CVSS scores, tools cannot rank vulnerabilities by severity.
- Software bill of materials (SBOM) analysis: Missing CPE mappings make it harder to match vulnerabilities to components.
- Compliance and SLA tracking: Many compliance frameworks require timely remediation based on CVSS scores, but those scores may no longer be available.
Programs that assumed NVD would always be the trusted source for enrichment data must now adapt. The shift may accelerate adoption of alternative sources of scoring data, such as the CVSS score provided by the original CNA or third-party enrichment services.
Recommendations for Your Security Program
Audit Your Current Dependencies
Review which tools and workflows rely on NVD enrichment. Identify where missing CVSS, CPE, or CWE data would break them.
Leverage CNA-Provided Scores
Many CNAs now provide their own CVSS scores. Configure your scanners to accept these scores when NVD enrichment is absent.
Explore Alternative Enrichment Sources
Consider using threat intelligence feeds, commercial vulnerability databases, or open-source projects that fill the gap left by NIST’s reduced coverage.
Request Enrichment Strategically
Use the NVD enrichment request process sparingly, focusing only on vulnerabilities that truly affect your critical assets. Understand that response times may be long.
Update SLAs and Compliance Matrices
Adjust your internal SLAs to account for the possibility that some CVEs may never receive full enrichment. Define fallback criteria for prioritization.
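One way to encode the CNA-score fallback and the fallback prioritization criteria recommended above, as an added example that is not part of the original article or any scanner's own code. The record layout is a simplified assumption modelled on NVD API 2.0 JSON, and the SLA day counts, the "needs-review" label, and the sample records are hypothetical policy values and constructed data.

```python
# Added example, not from the original article. The record layout is a
# simplified assumption modelled on NVD API 2.0 JSON (metrics -> cvssMetricV*).
NVD_SOURCE = "nvd@nist.gov"
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
# Hypothetical policy: (minimum score, priority label, remediation SLA in days)
BANDS = [(9.0, "critical", 15), (7.0, "high", 30), (4.0, "medium", 90), (0.0, "low", 180)]
KEV_SLA_DAYS = 7          # hypothetical
UNSCORED_SLA_DAYS = 30    # hypothetical: unscored is reviewed, never treated as low


def pick_score(cve):
    """Return (score, origin): NVD's score if present, else the CNA's, else (None, 'none')."""
    cna_hit = None
    for key in METRIC_KEYS:  # newest CVSS version first
        for metric in cve.get("metrics", {}).get(key, []):
            score = metric.get("cvssData", {}).get("baseScore")
            if score is None:
                continue
            if metric.get("source") == NVD_SOURCE:
                return float(score), "nvd"
            if cna_hit is None:
                cna_hit = (float(score), "cna")
    return cna_hit or (None, "none")


def triage(cve, kev_ids):
    """Map one CVE record to a priority, an SLA and the data source that decided it."""
    if cve["id"] in kev_ids:  # known exploitation outranks any score
        return {"priority": "critical", "sla_days": KEV_SLA_DAYS, "origin": "kev"}
    score, origin = pick_score(cve)
    if score is None:
        return {"priority": "needs-review", "sla_days": UNSCORED_SLA_DAYS, "origin": origin}
    for floor, label, days in BANDS:
        if score >= floor:
            return {"priority": label, "sla_days": days, "origin": origin}


# Constructed sample records and KEV set (placeholder IDs, not real CVEs).
SAMPLES = [
    {"id": "CVE-0000-0001", "metrics": {"cvssMetricV31": [
        {"source": "cna@example.com", "cvssData": {"baseScore": 8.1}}]}},
    {"id": "CVE-0000-0002", "metrics": {}},
    {"id": "CVE-0000-0003", "metrics": {}},
    {"id": "CVE-0000-0004", "metrics": {"cvssMetricV31": [
        {"source": "cna@example.com", "cvssData": {"baseScore": 9.8}},
        {"source": NVD_SOURCE, "cvssData": {"baseScore": 7.5}}]}},
]
KEV_IDS = {"CVE-0000-0003"}

if __name__ == "__main__":
    for record in SAMPLES:
        print(record["id"], triage(record, KEV_IDS))
```

Recording the origin alongside the priority lets a compliance report show which findings were ranked on CNA data or left unscored, rather than silently dropping them from SLA tracking.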
Conclusion
NIST’s move to narrow NVD enrichment is not a temporary measure; it is a strategic shift to manage an ever-growing flood of vulnerabilities. For container security programs, the key takeaway is clear: the era of relying entirely on NVD for secondary vulnerability data is over. By proactively reassessing workflows, diversifying enrichment sources, and updating policies, teams can maintain robust security without missing a beat.