NIST Shifts NVD to Risk‑Based Enrichment, Limiting Coverage to Highest‑Risk CVEs
What Happened – NIST announced that the National Vulnerability Database will no longer enrich every CVE entry. Only CVEs that meet high‑risk criteria (e.g., listed in CISA’s KEV catalog, affecting software used by federal systems, or falling under Executive Order 14028’s definition of critical software) will receive NVD enrichment: CVSS scoring, weakness (CWE) classification, and CPE configuration data. The CVE description itself is authored by the CVE Numbering Authority and is not part of NVD enrichment. All other entries will be marked “Not Scheduled.”
Why It Matters for TPRM –
- Third‑party risk assessments often rely on NVD data; reduced enrichment may hide critical details for lower‑profile vulnerabilities.
- Organizations must verify that their vendors’ vulnerability‑management processes do not depend solely on NVD enrichment.
- The change highlights the growing volume of CVEs and the need for internal prioritization frameworks.
Who Is Affected – All enterprises that consume NVD data for vulnerability management, especially technology/SaaS providers, cloud‑infrastructure operators, financial services, and any sector that runs software in the EO 14028 critical‑software categories (e.g., IAM, operating systems, browsers, endpoint security).
Recommended Actions –
- Review your vulnerability‑management tooling to ensure it can ingest raw CVE feeds without relying on NVD enrichment.
- Prioritize internal scoring for CVEs that NVD will label “Not Scheduled.”
- Engage with vendors to confirm they use supplemental sources for CVEs that NVD will not enrich (e.g., vendor advisories, the CNA‑supplied CVSS and CISA ADP/Vulnrichment data carried in the CVE record on cve.org, CISA KEV, and EPSS exploit‑probability scores). Note that MITRE ATT&CK catalogs adversary techniques, not CVE details, and is not a substitute for vulnerability enrichment.
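The three actions above amount to one pipeline: read the raw CVE record, take the CNA (or CISA ADP) CVSS score when NVD has not enriched the entry, layer on KEV and EPSS, and assign an internal priority. The following is an added example of that pipeline, not code from NIST, NVD or the article. It assumes the CVE List JSON 5.x record layout (`containers.cna.metrics[].cvssV3_1` and `containers.adp[]`), the NVD API 2.0 layout for `vulnStatus` and `metrics.cvssMetricV31[]`, that “Not Scheduled” is the literal status string NVD will use, and a bucket policy (P1–P4) that is purely illustrative; the CVE IDs, scores and EPSS values are constructed.

```python
"""Triage CVEs from raw CVE List records without depending on NVD enrichment.
Added example; all sample records and IDs below are constructed."""
from __future__ import annotations
import re
from typing import Any

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")
# NVD vulnStatus values meaning NIST actually enriched the entry.  Anything
# else ("Not Scheduled" per the announcement, "Awaiting Analysis", absent)
# means we must fall back to the CNA/ADP data in the CVE record itself.
ENRICHED_STATUSES = {"Analyzed", "Modified"}


def _metric_from_container(container: dict[str, Any]) -> tuple[float, str] | None:
    """First CVSS base score and vector found in a CVE 5.x container."""
    for metric in container.get("metrics", []):
        for key in CVSS_KEYS:
            if key in metric:
                return float(metric[key]["baseScore"]), metric[key]["vectorString"]
    return None


def cna_score(record: dict[str, Any]) -> tuple[float, str, str] | None:
    """(baseScore, vector, source) from the CNA container, else from an ADP
    container such as CISA Vulnrichment, else None."""
    containers = record["containers"]
    hit = _metric_from_container(containers.get("cna", {}))
    if hit:
        return (*hit, "cna")
    for adp in containers.get("adp", []):
        hit = _metric_from_container(adp)
        if hit:
            return (*hit, f"adp:{adp.get('title', 'unknown')}")
    return None


def nvd_primary_score(nvd_entry: dict[str, Any] | None) -> float | None:
    """NVD's own ('Primary') score, only if the entry was really enriched."""
    if not nvd_entry or nvd_entry.get("vulnStatus") not in ENRICHED_STATUSES:
        return None
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        for m in nvd_entry.get("metrics", {}).get(key, []):
            if m.get("type") == "Primary":
                return float(m["cvssData"]["baseScore"])
    return None


def triage(record, nvd_entry, kev_ids: set[str], epss: dict[str, float]) -> dict:
    cve_id = record["cveMetadata"]["cveId"]
    if not CVE_RE.match(cve_id):
        raise ValueError(f"malformed CVE id: {cve_id}")
    score, source = nvd_primary_score(nvd_entry), "nvd"
    if score is None:
        hit = cna_score(record)
        score, source = (hit[0], hit[2]) if hit else (None, "none")
    in_kev, prob = cve_id in kev_ids, epss.get(cve_id, 0.0)
    # Illustrative internal bucket policy (assumed; tune to your own risk appetite).
    if in_kev:
        bucket = "P1"
    elif score is None:
        bucket = "P2-review"      # unenriched and unscored: needs a human look
    elif score >= 9.0 or prob >= 0.5:
        bucket = "P2"
    elif score >= 7.0:
        bucket = "P3"
    else:
        bucket = "P4"
    return {"cve": cve_id, "score": score, "score_source": source, "kev": in_kev,
            "epss": prob, "bucket": bucket,
            "nvd_status": (nvd_entry or {}).get("vulnStatus", "absent")}


def triage_all(records, nvd_by_id, kev_ids, epss) -> list[dict]:
    rows = [triage(r, nvd_by_id.get(r["cveMetadata"]["cveId"]), kev_ids, epss) for r in records]
    return sorted(rows, key=lambda r: r["bucket"])


def _rec(cve_id, cna_score_=None, adp_score=None):
    """Build a minimal constructed CVE 5.x record."""
    cna: dict[str, Any] = {"descriptions": [{"lang": "en", "value": "constructed"}]}
    if cna_score_ is not None:
        cna["metrics"] = [{"cvssV3_1": {"baseScore": cna_score_, "vectorString": "CVSS:3.1/constructed"}}]
    adp = [{"title": "CISA ADP Vulnrichment",
            "metrics": [{"cvssV3_1": {"baseScore": adp_score, "vectorString": "CVSS:3.1/constructed"}}]}] if adp_score else []
    return {"cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"}, "containers": {"cna": cna, "adp": adp}}


# Constructed sample data: IDs, scores and EPSS values are placeholders.
RECORDS = [_rec("CVE-2099-0001", cna_score_=9.8),               # NVD: Not Scheduled
           _rec("CVE-2099-0002", adp_score=7.5),                # NVD: no entry, but in KEV
           _rec("CVE-2099-0003", cna_score_=7.5)]               # NVD: Analyzed, Primary 5.3
NVD = {"CVE-2099-0001": {"vulnStatus": "Not Scheduled"},
       "CVE-2099-0003": {"vulnStatus": "Analyzed", "metrics": {"cvssMetricV31": [
           {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 5.3}}]}}}
KEV = {"CVE-2099-0002"}
EPSS = {"CVE-2099-0001": 0.02, "CVE-2099-0002": 0.91, "CVE-2099-0003": 0.01}

if __name__ == "__main__":
    for row in triage_all(RECORDS, NVD, KEV, EPSS):
        print(row)
```

The point to notice is the `score_source` field: when NVD says “Not Scheduled” the first record is still scored 9.8 from the CNA container and lands in P2, and the KEV entry is P1 regardless of any score, so a feed that waits for NVD enrichment would silently under‑prioritize both.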
Technical Notes – The shift is driven by a 263% rise in CVE submissions (2020‑2025). NIST will stop publishing its own CVSS scores, instead using scores supplied by CVE Numbering Authorities. Enrichment will focus on CVEs in CISA’s Known Exploited Vulnerabilities (KEV) catalog, software used by the federal government, and software defined as critical by EO 14028 (IAM, OS/hypervisors, browsers, endpoint security, network control, etc.). Source: Help Net Security