NIST's recent announcement confirmed what many in the industry had anticipated regarding NIST NVD changes. NIST officials had hinted at "rethinking" their role in public statements since January. This has led to a clear policy shift: NIST will now only enrich a select few critical vulnerabilities.
The NVD's New Reality: Understanding NIST NVD Changes
NIST defines 'critical' vulnerabilities as those listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, those in software known to be used by US federal agencies, and CVEs in 'critical software', a broad category encompassing operating systems, web browsers, security software, firewalls, backup software, and VPNs. For everything else, organizations will largely be on their own for analysis. NIST will also stop providing its own CVSS scores, instead displaying the score initially assigned by the CVE-issuing organization.
NIST has struggled for over two years to keep the NVD updated. The backlog of unenriched CVEs surged from a few thousand in early 2024 to almost 30,000 by the end of 2024. Today, more than 30,000 remain unprocessed.
Recent budget cuts to DHS and CISA further exacerbated the situation. The growth of the backlog is expected to accelerate with the widespread adoption of AI cybersecurity agents for vulnerability discovery.
The numbers illustrate this trend: CVE submissions grew by 263% between 2020 and 2025. Q1 2026 saw nearly one-third more vulnerabilities reported than Q1 2025. The Forum of Incident Response and Security Teams (FIRST) projected 59,427 CVEs for 2026 (up from over 48,000 in 2025), with some models suggesting the total could exceed 100,000 for the year. NIST enriched nearly 42,000 CVEs in 2025, a 45% increase over any previous year, but the volume simply became unmanageable.
Ultimately, the NVD, in its previous form, simply couldn't keep up.
Why the NVD Broke
The NVD's struggles aren't due to a lack of intent, but rather a capacity overwhelmed by the sheer volume of new vulnerabilities discovered and disclosed, which has far outpaced NIST's ability to process and enrich them. These NIST NVD changes were inevitable.
Each CVE entry, with its required analysis, description, references, and severity score, demands human effort and resources. When the volume of new vulnerabilities grows by hundreds of percent annually without a corresponding budget increase, something has to give. NIST had to choose: either keep a perpetually backlogged, incomplete database, or focus its limited resources on the most critical issues. The latter, while difficult, was the more pragmatic path.
The Impact of NIST NVD Changes: No Single Source of Truth
This policy change will have a substantial practical impact. Vulnerability management companies, whose tools and services were built around NVD output, must now find alternative data sources or perform their own enrichment. For security teams, this means a heavier burden: they can no longer simply pull a CVSS score from the NVD and assume it is a neutral, thoroughly vetted assessment.
Many industry experts now agree that there is no longer a single source of truth for vulnerability data. This fragmentation translates to more work for security teams, requiring increased cross-referencing and independent analysis.
A primary concern is the reliance on CNA-provided CVSS scores. Since CVE Numbering Authorities (CNAs) are often the vendors of the affected software, this presents a clear conflict of interest. It is questionable whether a vendor will consistently assign the highest, most accurate severity score to their own vulnerability. Past experience suggests this is not always the case. This shift means vendor-provided scores must be approached with skepticism and validated against other intelligence.
Discussions on platforms like Reddit and at industry conferences have long highlighted the NVD's struggles with backlogs and budget constraints. Many view NIST's decision as a necessary capitulation.
The implications of less detailed analysis are a concern, particularly for organizations that relied heavily on NIST's thorough enrichment. The increased dependence on CNAs for severity scores has also drawn skepticism from security researchers. The situation highlights a broader "quantity over quality" issue in CVE disclosures and signals an evolving landscape for vulnerability intelligence. Some anticipate that CISA will take a more direct role, or that alternative data sources will emerge to fill the gap left by NIST's reduced enrichment.
The Response: Adapting to a Decentralized Reality
Instead of panic, this situation demands decisive action. Our vulnerability management programs must adapt to this new, decentralized reality with precision and analytical rigor, informed by a full understanding of the scope of the NIST NVD changes.
Immediate operational shifts are paramount. Prioritizing CISA's KEV catalog is not merely a recommendation; NIST's commitment to enriching these within one business day makes them the foundational layer of any responsive program. For the vast majority of CVEs that will no longer receive NIST's comprehensive analysis, organizations must expand internal capabilities to assess and score vulnerabilities. This necessitates a shift towards more manual analysis, dedicated threat intelligence work, and a granular understanding of an organization's specific attack surface and environmental context. Commercial vulnerability management platforms are already evolving, integrating diverse data sources and offering proprietary enrichment, requiring security teams to critically evaluate their current toolsets and their vendors' roadmaps.
Strategically, program adjustments will be essential to navigate this fragmented landscape. Diversifying intelligence sources is no longer optional; relying on a single source for vulnerability data was always a calculated risk, and now it is untenable.
Integrating vendor advisories, independent security research blogs, community forums, and commercial threat intelligence feeds provides a more robust and cross-referenced picture. This multi-source approach allows for a more accurate assessment of a vulnerability's true impact, moving beyond potentially downplayed vendor-provided CVSS scores. Furthermore, the focus must pivot to contextual risk. A raw CVSS score is merely a starting point; understanding how a specific vulnerability affects your systems, given your existing controls and compensating factors, is the foundation of effective risk assessment. This analytical depth is crucial when centralized enrichment is absent.
The scale of the challenge also necessitates exploring advanced tooling. NIST itself plans to leverage large language models (LLMs), AI agents, and robotic process automation (RPA) to accelerate its analysis. Security teams should similarly investigate these tools internally to manage the increased manual load.
Early results with LLMs summarizing vendor advisories and extracting key details are promising for initial triage, though human oversight remains critical for validation and contextual application. Finally, collaboration is key. Leaning on industry groups, Information Sharing and Analysis Centers (ISACs), and trusted peers for shared intelligence and collective understanding of emerging threats will be vital in this evolving landscape.
The NVD, as we knew it, has fundamentally changed. This isn't a setback, but rather a forced evolution for the entire cybersecurity industry. Organizations that build solid, multi-source intelligence pipelines and strong internal risk assessment capabilities will be better positioned to navigate this new reality.