NIST Just Stopped Doing Part of Your Job. Now What?
vulnerability-management risk-management ciso
If you built your vulnerability management program around CVSS scores from the National Vulnerability Database, you have a problem. Not because of what NIST just announced, but because of what that announcement reveals.
Starting April 15, 2026, NIST is no longer enriching every CVE that comes through the NVD. With CVE submissions up 263% since 2020, they can't keep up. Priority CVEs will still get the full treatment: those in CISA's Known Exploited Vulnerabilities (KEV) catalog, those affecting software used by the federal government, and those affecting critical software as defined under EO 14028. Everything else is lowest priority. Backlog entries predating March 1, 2026 have been moved to "Not Scheduled."
What actually happened
NIST enriched nearly 42,000 CVEs in 2025. That was 45% more than any prior year. They still fell behind. The volume of vulnerabilities being reported has outgrown the infrastructure designed to evaluate them.
This isn’t a one-time event. It’s a structural problem that’s been building for years. We saw the first version of this crisis in 2023 and 2024 when NVD processing times slowed dramatically. This is the same story, next chapter.
Why this matters even if you don’t touch NVD directly
A lot of security teams don’t pull from NVD directly. They use tools that do. Scanners, vulnerability management platforms, GRC tools. Many of those pull CVSS scores and enrichment data from NVD as a baseline.
If NVD hasn't enriched a CVE, your tool may show incomplete scoring, or no scoring at all. Enrichment is also more than a score: NVD adds the CWE and the CPE applicability statements that many scanners use to match a CVE to the products you actually run. A CVE with no CPE data may never be matched to your assets in the first place. That CVE still exists. It may still be in your environment. You just won't know how bad it is, or whether it applies to you, according to the source you've been trusting.
If CVSS was your strategy, you were already behind
Here's the harder conversation: CVSS base scores, which is what NVD publishes, were never designed to tell you what to fix first in your specific environment. They're a standardized severity scale for the vulnerability in isolation. The standard does include Environmental metrics for exactly that context, but nobody fills them in for you. The base score doesn't know your architecture, your threat actors, or what you actually have running.
Using NVD CVSS scores as a prioritization strategy is like using a weather app to decide whether to cross a flooded road. The app tells you it’s raining. It doesn’t know your road.
The teams that will feel this change the least are the ones that already built threat-informed, context-aware vulnerability programs. The ones that will scramble are the ones using CVSS 7.0+ as a ticket-creation trigger.
What to do right now
Start with CISA's KEV catalog if you haven't already. It's free, it's curated, and NIST is still enriching everything in it. If something is in KEV, CISA has evidence it is being actively exploited, and federal agencies are already under remediation deadlines for it under BOD 22-01. That's your floor, not your ceiling.
Then look at your tooling. Ask your scanner vendor or vulnerability management platform directly: where does your enrichment data come from? What happens when NVD doesn't score a CVE? Does the tool fall back to the CVSS vector the CNA put in the CVE record, surface the CVE as unscored so a human looks at it, or silently default it to zero or "informational" where nobody looks? You need a real answer before you're staring at a data gap during an audit or an incident.
Diversify your inputs. Vendor advisories, EPSS (Exploit Prediction Scoring System) probabilities, which estimate the likelihood of exploitation activity in the next 30 days, public exploit availability, and your own asset criticality and exposure should all factor into how you decide what to patch first, not just a single government database that was always meant to be one input among many.
If you’re in a regulated environment, document this now. Your auditors will ask about your vulnerability management process. “We use CVSS from NVD” is a weaker answer than it used to be. “We use a risk-based approach that incorporates KEV, EPSS, asset criticality, and threat intel” is where you want to be.
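What the steps above look like when written down as logic, as an added example that is not code from the original post or from any vendor tool: a small tiered prioritizer that combines KEV membership, EPSS, asset criticality and exposure, and that treats a missing NVD score as "needs a look" rather than silently ranking it at zero. The tier definitions, the EPSS threshold, and the five findings are all constructed assumptions for illustration; tune them to your own risk appetite. A naive CVSS-only sort is included alongside it to show where the two disagree.

```python
"""Constructed example: context-aware prioritization that does not break
when NVD has not enriched a CVE. Thresholds and findings are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    fid: str                      # constructed label, not a real CVE ID
    nvd_cvss: Optional[float]     # None = NVD has not enriched this CVE
    vendor_cvss: Optional[float]  # CNA/vendor-supplied base score, if any
    epss: float                   # EPSS probability, 0.0 to 1.0
    in_kev: bool                  # listed in CISA KEV
    asset_criticality: int        # org-defined: 1 low, 2 medium, 3 crown jewel
    internet_exposed: bool        # reachable from the internet


EPSS_HIGH = 0.10  # assumed organizational threshold, not an EPSS recommendation


def severity(f: Finding) -> Optional[float]:
    """Best available CVSS: NVD first, then vendor, else None. Never a silent 0."""
    if f.nvd_cvss is not None:
        return f.nvd_cvss
    return f.vendor_cvss


def tier(f: Finding) -> int:
    """1 = fix now, 2 = this patch cycle, 3 = human triage, 4 = backlog."""
    if f.in_kev:
        return 1  # evidence of active exploitation beats any score
    exposed_or_critical = f.internet_exposed or f.asset_criticality == 3
    if f.epss >= EPSS_HIGH and exposed_or_critical:
        return 2
    sev = severity(f)
    if sev is None:
        # No score from any source: an exposed or non-trivial asset still
        # needs a human look instead of disappearing into the backlog.
        return 3 if (f.internet_exposed or f.asset_criticality >= 2) else 4
    if sev >= 7.0 and f.asset_criticality == 3:
        return 2
    return 4


def rank_key(f: Finding):
    """Order by tier, then exploitation likelihood, then asset value, then severity."""
    sev = severity(f)
    return (tier(f), -f.epss, -f.asset_criticality, -(sev if sev is not None else 0.0))


def prioritize(findings):
    """Risk-based ordering, most urgent first."""
    return sorted(findings, key=rank_key)


def cvss_only(findings):
    """The legacy approach: sort on NVD CVSS, unscored CVEs default to 0."""
    return sorted(findings, key=lambda f: -(f.nvd_cvss or 0.0))


# Constructed sample findings (labels are placeholders, not real CVEs).
SAMPLE = [
    Finding("F-1", 6.5, None, 0.90, True,  3, True),   # KEV hit, mid CVSS
    Finding("F-2", 9.8, None, 0.01, False, 1, False),  # loud score, irrelevant box
    Finding("F-3", None, None, 0.02, False, 3, True),  # unscored, exposed crown jewel
    Finding("F-4", None, 8.1, 0.35, False, 2, True),   # NVD silent, vendor scored it
    Finding("F-5", 5.3, None, 0.50, False, 3, False),  # low CVSS, high EPSS, critical
]


def order(findings):
    return [f.fid for f in prioritize(findings)]


if __name__ == "__main__":
    print("risk-based:", order(SAMPLE))
    print("cvss-only: ", [f.fid for f in cvss_only(SAMPLE)])
```

The risk-based ordering puts the KEV entry first, the two high-EPSS findings next, the unscored-but-exposed asset into triage, and the 9.8 on an unimportant internal host last. The CVSS-only sort does almost the opposite: it leads with that 9.8 and buries both unscored findings at the bottom, which is exactly the gap the NVD change widens.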
The bigger point
This isn’t a failure of NIST. They’ve been transparent about the volume problem and they’re making reasonable triage decisions under real resource constraints. The failure would be treating a government database as a load-bearing wall in a program it was never designed to carry.
Security programs get fragile when they depend on any single data source. NVD was a useful input. It wasn’t a strategy.
Now’s a good time to know the difference.
Questions about building a vulnerability management program that doesn’t break when the inputs change? Let’s talk.