⚡ Key Takeaways

On April 15, 2026, NIST shifted the National Vulnerability Database to a risk-based enrichment model, citing a 263 percent rise in CVE submissions from 2020 to 2025. Priority enrichment now goes to CISA KEV-listed CVEs, federal-government software, and Executive Order 14028 critical software. Backlogged non-KEV CVEs published before March 1, 2026 are Not Scheduled. CISA continued KEV additions through 2026, including eight on April 20 covering Cisco Catalyst SD-WAN Manager.

Bottom Line: Algerian SOCs should treat KEV inclusion as a top triage signal, audit external attack surface continuously, and stop waiting for complete CVSS metadata before acting.


🧭 Decision Radar

Relevance for Algeria: High
Algerian defenders often depend on vendor advisories, scanner outputs, and public CVE metadata, so NIST’s April 15, 2026 enrichment shift changes day-to-day triage assumptions. Local exposure context becomes more important.

Action Timeline: 6-12 months
Teams can start immediately with KEV checks and internet-facing asset inventories, but mature exposure-aware workflows usually require several patch cycles to stabilize.

Key Stakeholders: SOC teams, CISOs, IT operations, managed security providers

Decision Type: Tactical
This is a workflow and prioritization change that security teams can apply directly to patch queues and exposure reviews.

Priority Level: High
Waiting for complete enrichment can delay action on vulnerabilities that attackers are already exploiting.

Quick Take: Algerian security teams should treat KEV evidence and exposure context as first-class triage inputs. Build a local view of internet-facing assets, separate urgent exploitation risk from routine maintenance, and avoid waiting for perfect CVE metadata before acting.

Key Takeaway: On April 15, 2026, NIST formally ended its commitment to fully enrich every CVE, citing a 263 percent surge in submissions between 2020 and 2025 and a Q1 2026 rate already running roughly a third higher than Q1 2025. Going forward, the National Vulnerability Database prioritizes CVEs in CISA’s Known Exploited Vulnerabilities catalog, federal-government software, and Executive Order 14028 critical software. For Algerian SOCs, the practical message is that exposure visibility and KEV-driven triage now matter more than waiting for complete metadata.

What NIST actually changed

The April 15, 2026 announcement was not a procedural tweak. NIST said the NVD will move to a risk-based enrichment model. CVEs added to CISA’s Known Exploited Vulnerabilities (KEV) catalog will be enriched within roughly one day. CVEs in software used inside the federal government and CVEs in critical software defined by Executive Order 14028 are also prioritized. Everything else is now subject to enrichment “as resources allow,” and any backlogged CVE with an NVD publish date earlier than March 1, 2026, that is not in KEV has been moved into a Not Scheduled category.

Two consequences are concrete. First, NIST will no longer routinely provide a separate severity score when the CVE Numbering Authority that submitted the entry already supplied one. Second, modified CVEs will only be re-analyzed if NIST is aware of a change that materially affects enrichment. Defenders can email NIST to request specific lower-priority enrichments, but the default has flipped from comprehensive to selective.

The driver is volume. CVE submissions rose 263 percent between 2020 and 2025. NIST enriched nearly 42,000 CVEs in 2025, which is 45 percent above its previous record, and still could not keep up. The first three months of 2026 came in roughly a third higher than the same period in 2025. Comprehensive enrichment, in plain math, is no longer a solvable problem at current resourcing.

Why this hits Algerian SOCs particularly hard

Many Algerian and broader regional security teams still structure vulnerability management around a familiar sequence: vendor advisory arrives, CVE publishes with full metadata and CVSS score, scanner output flags the affected assets, the SOC patches by severity. That model assumed someone else would do the enrichment work before the team had to act. After April 15, 2026, that assumption is partially broken.

The result is a workflow gap. If a team is waiting for a CVSS base score before deciding whether to patch, and the score never appears because the CVE was never queued for full enrichment, the patch decision drifts. Meanwhile, attackers do not wait. CISA continued adding to the KEV catalog throughout 2026: eight new flaws on April 20, including three Cisco Catalyst SD-WAN Manager vulnerabilities; seven added on April 13; five added on March 20; and federal remediation deadlines spanning April and May 2026 under Binding Operational Directive 22-01. None of those entries waited for full NVD enrichment to be exploited or to require action.


What KEV is actually for

CISA’s KEV catalog is narrower and stricter than the full CVE list. Inclusion requires evidence of active exploitation in the wild, which is a much higher bar than a public severity score. That is what makes KEV useful: every entry is a signal that attackers are using the weakness now, not a theoretical risk waiting for someone to validate the score. NIST’s April 15 decision implicitly endorses that bar by tying its priority enrichment queue directly to KEV inclusion.

For Algerian defenders, the operational shift is straightforward to describe but harder to implement. Treat KEV inclusion as a top triage signal independent of CVSS. Maintain a current inventory of internet-facing assets and software versions so a KEV alert can be matched to actual exposure within hours, not days. Separate true emergency patching from routine maintenance instead of letting them share a single queue. And accept that a missing or delayed enrichment record is not the same as low urgency.

Practical changes for the next quarter

A reasonable adoption plan looks like this. First, subscribe directly to the KEV feed and build alerting on new additions, with a defined triage SLA. Second, audit external attack surface: domains, exposed services, edge devices, third-party SaaS that holds Algerian data. The point is to know within a working day whether a freshly KEV-listed flaw touches your environment. Third, build a parallel feed from vendors of the platforms you actually run, since vendor advisories increasingly carry exploitation context that NIST will not be enriching for you. Fourth, document a clear escalation path when a CVE has no NVD score and no clear severity but is in KEV; that path is the new emergency lane.

Two adjacent industry threads support this direction. Google’s Security Blog has been pushing Device Bound Session Credentials and other cookie-protection work to address the credential-theft chain that often follows initial exploitation. CrowdStrike’s exposure-evaluation work argues that defenders need to compress the gap between KEV-listed flaw and confirmed environmental exposure. Both reinforce the same point: in 2026 the bottleneck is not “is this severe,” it is “are we exposed.”

What this looks like for Algeria longer term

The longer-term implication is that vulnerability management becomes a local-judgment discipline, not a metadata-consumption discipline. Algerian organizations that build internal capacity for exploit-aware triage, surface mapping, and exposure context will move faster than peers still waiting for perfect CVE records. The new normal also opens space for managed security providers serving the Algerian market: KEV-driven triage and exposure mapping are exactly the kind of high-value, recurring services that small in-house SOCs cannot fully staff alone.

NIST’s shift is best read as a forced honesty about the old model. The CVE pipeline produces too much volume for any single agency to enrich comprehensively. Algerian teams that adapt will find their patch queues tighter and their incident response faster. Teams that do not adapt will keep waiting for metadata that may never arrive while attackers keep working from KEV-listed flaws that are already public.

What Algerian SOC Teams Should Do This Quarter

The operational changes required are concrete and sequenced. None of them requires budget approval for new tools — they are process changes that run on top of existing infrastructure. The order matters: triage rules first, then asset context, then executive communication.

1. Rebuild the Triage Queue Around KEV, Not CVSS

The default scanner output in most Algerian enterprise environments ranks vulnerabilities by CVSS base score pulled from the NVD. After April 15, 2026, that default is broken for a growing share of records. Security teams should update their SIEM or vulnerability-management platform rules to weight CISA KEV catalog membership as the primary sort key, with EPSS (Exploit Prediction Scoring System, maintained by FIRST) as the secondary input. A KEV entry with an EPSS score above 0.5 means both that attackers are actively using the flaw and that its exploitation characteristics are well-documented. That combination warrants immediate action regardless of whether the NVD record carries a complete CVSS score. CISA refreshes KEV multiple times per week; a scheduled API pull or RSS alert can feed the updated catalog directly into ticketing workflows without manual intervention. The goal is a queue where the top 20 items are always the most immediately dangerous, not the most completely scored.

2. Map Your External Attack Surface on a Weekly Cadence

KEV-driven triage is only actionable if the team can answer, within a working day, whether a freshly listed flaw touches their environment. That requires an asset inventory that is current, not quarterly. For Algerian organizations — particularly banks, telcos, and public agencies with complex legacy infrastructure — internet-facing exposure is often broader than IT teams realize. Shadow IT projects, legacy admin portals left on public IPs, third-party SaaS integrations with exposed endpoints, and API gateways added during COVID-era digital acceleration all expand the attack surface beyond the official asset register. Tools like Shodan and Censys provide passive surface views for free or at low cost; Algerian managed-security providers increasingly offer continuous external attack-surface monitoring as a managed service. The 2026 CrowdStrike exposure evaluation framework argues that organizations should be able to match any KEV alert to specific environment exposure within four hours — a realistic bar that requires a current asset registry, not a perfect one.

3. Create a Documented Emergency Lane for KEV-Listed Flaws

The most common failure mode after a process change is ambiguity at the decision point. When a security analyst sees a new KEV addition, they need to know immediately what the escalation path is — who owns the patch decision, what the SLA is, and how to handle it when no CVSS score is present. Algerian organizations should document a two-tier patch governance policy: a standard lane for routine vulnerability management with a 30-day SLA, and an emergency lane for KEV-listed flaws affecting internet-exposed assets, with a 72-hour SLA and explicit escalation to the CISO or IT director. The emergency lane should not be triggered by score — it should be triggered by KEV membership combined with confirmed environmental exposure. This separation is what CrowdStrike calls “operationalizing exposure,” and it is the single change most likely to reduce mean time to remediation for the vulnerabilities that attackers are actually using.
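The KEV-first sort in step 1, the exposure match in step 2, the two-lane SLA policy in step 3 and the feed-alerting item in the adoption plan earlier in the article all reduce to one small scoring routine. The Python below is an added example written for this article, not code from NIST, CISA, FIRST, CrowdStrike or any other organisation named above. It assumes a KEV pull already parsed into a dictionary in the shape of CISA's JSON feed, an EPSS lookup table (FIRST publishes EPSS as a probability of exploitation activity), a scanner export with possibly missing CVSS scores, and an asset register carrying an internet_facing flag. Every record is constructed and the CVE ids are placeholders. The 72-hour and 30-day SLAs and the EPSS 0.5 threshold are the article's numbers; using exposure as the tiebreak between KEV membership and EPSS when sorting is my own choice, made so that the top of the queue coincides with the emergency lane.

```python
"""Exposure-aware triage queue: KEV membership first, EPSS second, CVSS last.

All data below is constructed for illustration. KEV_FEED copies the key names
of CISA's known_exploited_vulnerabilities.json feed, but the CVE ids are
placeholders (CVE-0000-xxxx), not real catalog entries.
"""
from datetime import date, timedelta

KEV_FEED = {  # constructed excerpt in the shape of the CISA KEV JSON feed
    "catalogVersion": "2026.04.20",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "Edge Gateway",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSoft", "product": "Admin Portal",
         "dateAdded": "2026-04-13", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed EPSS probabilities (FIRST publishes these daily as cve,epss,percentile).
EPSS = {"CVE-0000-0001": 0.82, "CVE-0000-0002": 0.31, "CVE-0000-0003": 0.94, "CVE-0000-0004": 0.02}

# Constructed asset register; internet_facing is the exposure context the article calls for.
ASSETS = {
    "edge-fw-01": {"internet_facing": True},
    "hr-portal": {"internet_facing": True},
    "db-internal": {"internet_facing": False},
    "build-srv": {"internet_facing": False},
}

# Constructed scanner export. cvss=None models a CVE whose NVD record is "Not Scheduled".
FINDINGS = [
    {"asset": "edge-fw-01", "cve": "CVE-0000-0001", "cvss": None},
    {"asset": "db-internal", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"asset": "hr-portal", "cve": "CVE-0000-0003", "cvss": 9.8},
    {"asset": "build-srv", "cve": "CVE-0000-0004", "cvss": 9.1},
    {"asset": "hr-portal", "cve": "CVE-0000-0002", "cvss": 7.5},
]

TODAY = date(2026, 4, 21)             # constructed "now" for deterministic SLA deadlines
EMERGENCY_SLA = timedelta(hours=72)   # KEV-listed flaw on an internet-exposed asset
STANDARD_SLA = timedelta(days=30)     # everything else
EPSS_IMMEDIATE = 0.5                  # KEV entry above this EPSS: "immediate" per the article


def load_kev(feed):
    """Index the KEV feed by CVE id so membership checks are constant time."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def new_kev_additions(feed, seen_ids):
    """CVE ids in this pull that were absent from the last one: the alerting trigger."""
    return sorted(v["cveID"] for v in feed["vulnerabilities"] if v["cveID"] not in seen_ids)


def triage(finding, kev, epss, assets, today=TODAY):
    """Classify one finding into lane, priority and SLA deadline without requiring a CVSS score."""
    cve, asset = finding["cve"], finding["asset"]
    in_kev = cve in kev
    exposed = assets.get(asset, {}).get("internet_facing", False)
    score = epss.get(cve, 0.0)
    emergency = in_kev and exposed          # lane is decided by KEV + exposure, not by score
    if in_kev and score > EPSS_IMMEDIATE:
        priority = "immediate"
    elif in_kev:
        priority = "kev"
    else:
        priority = "routine"
    return {
        "cve": cve,
        "asset": asset,
        "in_kev": in_kev,
        "exposed": exposed,
        "epss": score,
        "cvss": finding["cvss"],            # may be None; never blocks the decision
        "lane": "emergency" if emergency else "standard",
        "priority": priority,
        "sla_deadline": today + (EMERGENCY_SLA if emergency else STANDARD_SLA),
        "kev_due": kev[cve]["dueDate"] if in_kev else None,   # CISA BOD 22-01 date, for reference
    }


def build_queue(findings, kev, epss, assets, today=TODAY):
    """Sort by KEV membership, then exposure, then EPSS, then CVSS (missing CVSS counts as 0)."""
    rows = [triage(f, kev, epss, assets, today) for f in findings]
    rows.sort(key=lambda r: (r["in_kev"], r["exposed"], r["epss"], r["cvss"] or 0.0), reverse=True)
    return rows


if __name__ == "__main__":
    print("new KEV entries since last pull:", new_kev_additions(KEV_FEED, {"CVE-0000-0002"}))
    for r in build_queue(FINDINGS, load_kev(KEV_FEED), EPSS, ASSETS):
        print(f'{r["cve"]} on {r["asset"]:<12} lane={r["lane"]:<9} priority={r["priority"]:<9} '
              f'epss={r["epss"]:.2f} cvss={r["cvss"]} due={r["sla_deadline"]}')
```

Run as a script it prints the queue. The finding with no CVSS score at all lands at the top of the emergency lane, while the 9.8 on a non-KEV CVE drops to fourth place in the standard lane; that inversion relative to a plain CVSS sort is the whole point of the change. The kev_due field carries CISA's BOD 22-01 due date, which binds US federal agencies rather than Algerian organisations, but it is a useful external benchmark for the emergency lane's own deadline.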