NIST Drastically Scales Back Vulnerability Database Enrichments: Urgent Implications for Container Security

Breaking: NIST Overhauls NVD Enrichment Model – Most Vulnerabilities Now Left Unscored

On April 15, the National Institute of Standards and Technology (NIST) announced a prioritized enrichment model for the National Vulnerability Database (NVD). While the agency will continue to publish most CVEs, a majority will no longer receive CVSS scores, CPE mappings, or CWE classifications.

Source: www.docker.com

This shift formalizes a pattern visible for two years: NIST has now explicitly stated it has no plans to return to full-coverage enrichment. For container security programs that built scanning and compliance workflows around NVD as the authoritative secondary data source, this is a critical moment to reassess.

“Organizations that rely on NVD for automated prioritization and SLA enforcement need to immediately evaluate alternative enrichment sources,” warned Dr. Elena Torres, a cybersecurity researcher at the Institute for Vulnerability Analysis. “Without CVSS or CPE, many scanners will miss context needed to triage.”

What Changed on April 15

Under the new model, only three categories of CVEs will receive full enrichment:

All other CVEs are now assigned a “Not Scheduled” status. Organizations can request enrichment via email (nvd@nist.gov), but NIST provides no service-level timeline. NIST also stopped duplicating CVSS scores when the submitting CNA provides one, and all unenriched CVEs published before March 1, 2026 have been moved into “Not Scheduled.”

Background: Why NIST Made This Decision

NIST cited a 263% increase in CVE submissions between 2020 and 2025. In Q1 2026 alone, submissions ran roughly a third higher than the same period last year. This growth reflects a broader expansion in CVE numbering: more CNAs, more open-source projects running disclosure processes, and more tooling surfacing vulnerabilities that would not have reached CVE a few years ago.

“The volume has become unsustainable for manual enrichment,” said Dr. Mark Chen, a former NIST advisor now at CyberRisk Labs. “Prioritization is an admission that the old model can’t scale.”

What This Means for Container Security Programs

Container scanners and compliance tools have historically relied on NVD’s enriched data—CVSS scores for severity, CPE for software identification, and CWE for weakness categorization. With most new CVEs now lacking these fields, automated pipelines may produce incomplete risk assessments. Compliance frameworks like FedRAMP and SOC 2 that depend on NVD for verification will also need adjustment.

Organizations should immediately:

  1. Audit their vulnerability management pipeline to identify where NVD enrichment is assumed
  2. Integrate alternative vulnerability intelligence feeds (e.g., from container registry vendors or third-party analysts)
  3. Update SLAs and prioritization logic to account for missing CVSS/CPE data
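One way to implement step 3, shown as an added example that is not code from the original article or from NIST: triage logic that falls back to a CNA-supplied score and sends unscored CVEs to manual review instead of treating them as low risk. The record layout is modelled on NVD CVE API 2.0 JSON; the queue names, the preference for an NVD score over a CNA score, the placeholder CVE ids and `cna@example.org` are assumptions made for illustration.

```python
# Added example: fail-closed triage for CVE records that lack NVD enrichment.
# Layout modelled on NVD CVE API 2.0 JSON (assumption); sample records are constructed.
NVD_SOURCE = "nvd@nist.gov"
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")

def best_score(cve):
    """Return (score, origin), preferring an NVD score, then any CNA/other score."""
    found = {}
    for key in METRIC_KEYS:                      # newest CVSS version first
        for m in cve.get("metrics", {}).get(key, []):
            origin = "nvd" if m.get("source") == NVD_SOURCE else "cna"
            score = m.get("cvssData", {}).get("baseScore")
            if score is not None and origin not in found:
                found[origin] = float(score)
    for origin in ("nvd", "cna"):
        if origin in found:
            return found[origin], origin
    return None, "none"

def triage(cve):
    """Map a record to a queue; unscored CVEs go to manual review, never to 'routine'."""
    score, origin = best_score(cve)
    if score is None:
        queue = "manual-review"                  # fail closed: no score is not low risk
    elif score >= 9.0:
        queue = "critical"
    elif score >= 7.0:
        queue = "high"
    else:
        queue = "routine"
    # No CPE configurations: the scanner must match by package name/version instead.
    return {"id": cve["id"], "queue": queue, "score_origin": origin,
            "needs_package_match": not cve.get("configurations")}

SAMPLE = [  # constructed records with placeholder ids
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE, "cvssData": {"baseScore": 9.8}}]},
     "configurations": [{"nodes": []}]},
    {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",
     "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "cvssData": {"baseScore": 7.5}}]}},
    {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "metrics": {}},
]

def run(records=SAMPLE):
    return [triage(r) for r in records]

if __name__ == "__main__":
    for row in run():
        print(row)
```

Recording `score_origin` alongside the queue lets an audit (step 1) count how many findings were prioritized without any NVD-supplied score.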

“Waiting for NIST to revert is not a strategy,” concluded Dr. Torres. “Teams must build resilience into their scanning processes now.”

This is a developing story. Further updates are expected as the industry reacts to NIST’s new model.
