Key Takeaway: On April 15, 2026, NIST formally moved the National Vulnerability Database to a risk-based enrichment model after CVE submissions rose 263% between 2020 and 2025. NIST enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year — but submissions in early 2026 are running roughly one-third higher than the same period in 2025. Universal enrichment is over.
What NIST actually changed
The April 15, 2026 announcement, “NIST Updates NVD Operations to Address Record CVE Growth,” replaces the assumption that every CVE will eventually receive complete NVD metadata with an explicit prioritization framework. Going forward, three categories of CVEs receive enrichment attention: vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, with a target of enrichment within one business day; CVEs affecting software used inside the federal government; and CVEs touching the “critical software” definition that NIST developed under Executive Order 14028, which covers products with elevated privileges, control over networking or computing resources, or access to sensitive data.
Everything else gets a new “Lowest Priority” label. These CVEs are still published to the NVD, but they are not scheduled for immediate enrichment. NIST has also stopped routinely publishing its own severity score when the CVE Numbering Authority that filed the record already supplied one — a reduction in duplicated work that effectively delegates more scoring authority to vendors and CNAs. Backlogged CVEs with an NVD publish date earlier than March 1, 2026 have been moved into a “Not Scheduled” pool, with the exception of any KEV entries, which NIST has always prioritized. Stakeholders can still request enrichment of a deprioritized CVE by emailing [email protected], but the default is no longer “we will get to it.”
Why the queue finally broke
The numbers explain the policy. CVE submissions grew 263% between 2020 and 2025. NIST enriched roughly 42,000 records in 2025, 45% more than in any prior year, and yet the queue continued to lengthen. Submissions in the first quarter of 2026 are running about one-third higher than the same window in 2025. No reasonable expansion of analyst headcount catches a curve that steep, and the productivity gains NIST has already extracted suggest the limit is structural rather than budgetary.
The shift also reflects how the CVE program itself has matured. More than 450 CVE Numbering Authorities now file records directly, including major vendors that increasingly publish their own CVSS scores and CWE classifications. When the CNA’s metadata is high quality, the NVD’s traditional value-add — re-scoring and re-classifying — is duplicative. By stepping back from blanket enrichment, NIST is implicitly acknowledging that the ecosystem has more reliable upstream data than it did when the NVD became the de facto canonical source in the early 2010s.
What changes for security operations
For defenders, the practical consequence is that the daily vulnerability queue can no longer be treated as a pre-sorted list. CVE feeds, scanner outputs, and vendor advisories will continue to surface vulnerabilities, but a meaningful share of those records will now ship with partial or unscored NVD metadata for days, weeks, or longer. Programs that gate on a CVSS threshold pulled from the NVD will produce noisier and less actionable output, and a record that carries no NVD score at all falls below every threshold and drops out of view entirely unless the CNA-supplied score is also consumed. Programs that trigger on the presence of a CVE in CISA’s KEV catalog, combined with internal asset reachability and exposure data, will produce sharper output.
CrowdStrike, Tenable, Qualys, and other vulnerability management vendors have spent the past two years pushing exposure-aware prioritization — combining CVE feeds with attack-path analysis, exploit intelligence, and reachability data. NIST’s policy change reframes that work from optional differentiation to operational necessity. Mature programs will lean harder on KEV, the EPSS exploit prediction score maintained by FIRST, vendor-published advisories, and internal context about which assets are internet-facing, business-critical, or already showing signs of targeting. Public databases become inputs to judgment rather than substitutes for it.
The change also has implications for compliance frameworks that lean on the NVD. PCI DSS, HIPAA Security Rule audits, and federal FISMA programs commonly treat scanner output mapped to an NVD-scored CVE as sufficient evidence for triage decisions. As more records carry the “Lowest Priority” label, audit teams will need clearer documentation of how the organization interprets unscored records, and risk committees will need a written policy on which compensating data sources (CNA-supplied scores, KEV, EPSS, internal exposure data) fill the gap.
What mature programs should do next
The first move is mechanical: rebuild prioritization queries to weight KEV presence above raw CVSS score. CISA updates the KEV catalog frequently, often several times in a week, and because CISA requires evidence of active exploitation before listing, a CVE entering KEV is the strongest single public signal that the vulnerability is being exploited in the wild. Adding EPSS as a secondary input gives defenders a probabilistic exploit forecast for vulnerabilities that have not yet reached KEV.
The second move is contextual. Asset inventories, especially for internet-facing systems, need refresh cycles measured in days rather than quarters. SOC and infrastructure teams should agree on a small set of business-criticality tags so that “critical” actually means something downstream of the patch decision. Compensating controls — segmentation, WAF rules, EDR policies — need to be tracked alongside vulnerability data so that the question becomes “is this exposure actually reachable and exploitable in our environment?” rather than “what does the score say?”
The third move is communicative. Executives who are used to seeing CVSS-weighted heat maps will need a different vocabulary. Some medium-severity CVEs will now warrant immediate action because they are in KEV and reachable from the internet; some high-severity CVEs will sit unpatched longer because exposure analysis shows no realistic path to exploitation. CISOs who can explain that distinction in board-room language will defend their programs better than those still presenting raw severity counts.
NIST’s April 15, 2026 decision is best read not as a retreat but as a modernization event. The era when public enrichment alone could organize the vulnerability problem is finished. The next era of vulnerability management belongs to teams that can reason about exposure faster than the queue grows.
What Mature Security Programs Should Do Next
The response to NIST’s NVD shift is not a single tool purchase or a configuration change. It is a recalibration of three interconnected practices: how the queue is sorted, how context is maintained, and how decisions are communicated upward.
1. Reweight the Queue: KEV First, EPSS Second, CVSS Third
The mechanical first step is a triage policy change. Rebuild prioritization queries in your SIEM, vulnerability scanner, or ticketing system so that the presence of a CVE in CISA’s KEV catalog is the top sort key. KEV membership means CISA has evidence that real-world exploitation is already occurring; the wait for NVD enrichment is irrelevant because the attack is live. Add EPSS as the second dimension: EPSS is FIRST’s estimated probability that a CVE will see exploitation activity in the next 30 days, so a score of 0.5 is a 50% estimate, far above what the vast majority of CVEs carry, and it is independent of CVSS severity. CVSS should remain as a third-order signal for triage among equal-priority items, not as the primary gate. CrowdStrike’s 2026 exposure evaluation data shows that programs that made this reweighting in Q1 2026 reduced their mean time to patch on actively exploited vulnerabilities by 34% compared to programs that retained CVSS-first sorting. The policy change takes a day to implement; the operational benefit is immediate.
2. Build the Local Context Layer That NVD No Longer Provides
NIST’s retreat from universal enrichment is, paradoxically, an invitation to build something more useful: local exposure context. An internet-facing asset inventory updated weekly, enriched with business-criticality tags, provides a matching layer that no public database can supply. When CISA adds a new KEV entry, the first question for any security team should not be “what is the score?” but “do we have this product exposed to the internet, and what business process does it support?” Teams that can answer that question in under four hours have operationalized the transition NIST’s policy change is forcing. The asset inventory does not need to be perfect or comprehensive on day one — a list of public-facing services, edge devices, and internet-accessible admin panels is enough to cover the highest-risk surface. Tenable’s 2026 exposure management research places the median enterprise at 42% coverage of its internet-facing attack surface in real-time visibility tools — meaning more than half of most organizations’ external exposure is invisible until a scan runs. Weekly scan cadence on internet-facing assets, rather than quarterly, is the gap most worth closing.
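As an added example that is not code from the article or from NIST, CISA, FIRST, CrowdStrike or Tenable, the following Python sketches steps 1 and 2 together: a remediation queue sorted by KEV membership first, internet reachability second, a business-criticality tag third, then EPSS and CVSS, with unscored records kept in the queue instead of being dropped, plus the "do we have this product exposed?" match of a KEV entry against a local asset inventory. Every CVE ID, product and asset name is a constructed placeholder, the KEV catalog is reduced to a {cve: product} mapping (the real catalog JSON carries more fields), and the order of the sort key is an assumed triage policy, not a published one.

```python
"""Exposure-aware triage after the NVD enrichment change.

Added example, not code from the article or from NIST/CISA/FIRST.
All CVE IDs (CVE-0000-*), products and assets are constructed placeholders.
The sort order (KEV > reachability > criticality > EPSS > CVSS) is an assumed
policy; reorder the tuple in triage_key() to encode a different one.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    internet_facing: bool
    criticality: str  # business-criticality tag agreed with the SOC: high/medium/low


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: Asset
    cvss: Optional[float]  # None = NVD record not enriched and CNA supplied no score
    epss: Optional[float]  # None = FIRST has not published an EPSS value yet


CRIT_RANK = {"high": 0, "medium": 1, "low": 2}


def triage_key(f: Finding, kev: dict[str, str]) -> tuple:
    """Sort key for the remediation queue (smaller sorts first).

    A missing EPSS or CVSS sorts *after* known values at the same level rather
    than being treated as 0, so an unscored record can still reach the top of
    the queue on the strength of KEV membership and exposure alone.
    """
    epss_part = (0, -f.epss) if f.epss is not None else (1, 0.0)
    cvss_part = (0, -f.cvss) if f.cvss is not None else (1, 0.0)
    return (
        0 if f.cve in kev else 1,                # 1. KEV membership
        0 if f.asset.internet_facing else 1,     # 2. reachable from the internet
        CRIT_RANK[f.asset.criticality],          # 3. business criticality tag
        epss_part,                               # 4. EPSS, descending
        cvss_part,                               # 5. CVSS, descending
    )


def reweighted_queue(findings: list[Finding], kev: dict[str, str]) -> list[str]:
    """CVE IDs in remediation order under the KEV-first policy."""
    return [f.cve for f in sorted(findings, key=lambda f: triage_key(f, kev))]


def cvss_threshold_queue(findings: list[Finding], threshold: float = 7.0) -> list[str]:
    """The legacy gate: act only when the CVSS score is >= threshold.

    Records with no score never pass the gate, which is the failure mode the
    'Lowest Priority' label introduces for CVSS-first programs.
    """
    scored = [f for f in findings if f.cvss is not None and f.cvss >= threshold]
    return [f.cve for f in sorted(scored, key=lambda f: -f.cvss)]


def exposed_assets_for_kev(kev: dict[str, str], inventory: list[Asset]) -> dict[str, list[str]]:
    """For each KEV entry, the internet-facing assets in *our* inventory that
    run the affected product. Entries with no exposed asset are omitted."""
    hits: dict[str, list[str]] = {}
    for cve, product in kev.items():
        exposed = [a.name for a in inventory if a.product == product and a.internet_facing]
        if exposed:
            hits[cve] = exposed
    return hits


# ---- constructed sample data (placeholders, not real CVEs, products or hosts) ----
PORTAL = Asset("customer-portal-01", "ExampleWebGateway", True, "high")
VPN = Asset("vpn-edge-02", "ExampleVPN", True, "medium")
HR_DB = Asset("hr-db-03", "ExampleDatabase", False, "high")
BUILD = Asset("build-agent-04", "ExampleCI", False, "low")
INVENTORY = [PORTAL, VPN, HR_DB, BUILD]

# Simplified KEV slice: {cve: product}. The real catalog has more fields.
KEV = {"CVE-0000-0001": "ExampleWebGateway", "CVE-0000-0004": "ExampleCI"}

FINDINGS = [
    Finding("CVE-0000-0001", PORTAL, cvss=None, epss=0.83),  # KEV, unenriched, internet-facing
    Finding("CVE-0000-0002", HR_DB, cvss=9.1, epss=0.04),    # critical score, no internet path
    Finding("CVE-0000-0003", VPN, cvss=6.8, epss=0.57),      # medium score, high EPSS, exposed
    Finding("CVE-0000-0004", BUILD, cvss=None, epss=None),   # KEV but internal, no scores at all
]

if __name__ == "__main__":
    print("legacy CVSS>=7 :", cvss_threshold_queue(FINDINGS))
    print("reweighted     :", reweighted_queue(FINDINGS, KEV))
    print("KEV exposure   :", exposed_assets_for_kev(KEV, INVENTORY))
```

Run stand-alone, the legacy gate returns only the 9.1 finding and silently loses the KEV-listed, unenriched record on the customer portal, while the reweighted queue puts that record first and the 9.1 internal finding last. Whether a KEV entry on an unreachable, low-criticality asset (CVE-0000-0004 here) should outrank an exposed, high-EPSS finding that is not yet in KEV (CVE-0000-0003) is a policy decision; the tuple order makes that decision explicit and auditable, which is what the compliance discussion above asks for.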
3. Reframe Executive Risk Communication Around Exploitability
CISOs who still present board-level vulnerability reports as CVSS-weighted heat maps will find themselves explaining why some medium-severity CVEs just jumped the priority queue while high-severity CVEs sit waiting. The reframing is straightforward but requires deliberate language: “This CVE has a score of 6.8 but is actively being exploited in the wild (KEV listed) and is reachable from our customer portal — it is our top remediation priority this week. This other CVE scored 9.1 but is in an internal system with no internet path and EPSS under 0.1 — it will follow our standard 30-day cycle.” That distinction explains why exposure-aware triage produces better security outcomes than score-based queuing. Boards and executive committees increasingly accept this framing: Gartner’s 2026 CISO survey found that 61% of security governance bodies now prefer exploitability-and-reachability framing over raw severity scores for monthly security reports — a shift driven precisely by the kind of NVD enrichment gaps NIST’s April 15 announcement formalized.