The National Institute of Standards and Technology has implemented changes to how it processes cybersecurity vulnerabilities and exposures, or CVEs, in its National Vulnerability Database, or NVD, shifting to an enhanced prioritization approach.
Escalating cyberthreats have made government data a primary target in modern conflict. Explore how leaders are responding to these threats at the Potomac Officers Club’s 2026 Cyber Summit on May 21. Register today!
Table of Contents
What Changes Are Being Made?
NIST said Wednesday it has started to prioritize enriching CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, those for software used within the federal government and those defined as critical under Executive Order 14028. CVEs outside these categories will still be listed but marked “Not Scheduled.”
How Will Other CVEs Be Handled?
NIST will no longer routinely provide separate severity scores when one has already been provided, and modified CVEs will be reanalyzed only if changes materially affect enrichment data. Backlogged CVEs published before March 1 will be moved into the “Not Scheduled” category. Updated status labels and dashboard reporting will provide users with real-time visibility into CVE processing.
Why Is NIST Changing Its Approach?
CVE submissions grew 263 percent between 2020 and 2025, with early 2026 volumes also tracking higher than the same period last year. The sharp rise in vulnerability submissions has strained the agency’s capacity to fully analyze each entry. Although NIST reported enriching nearly 42,000 CVEs in 2025, the volume of incoming data has outpaced its ability to process every record, necessitating the changes.
By prioritizing critical CVEs, the agency aims to strengthen its workload management. This approach will help stabilize the program while NIST automates its systems and enhances workflows to ensure long-term sustainability.
Related Articles
Secretary of the Air Force Troy Meink said acquisition reform will play a central role in strengthening the Department of the Air Force’s ability to compete and maintain dominance during a period of rapid technological change, the U.S. Space Force reported Thursday. As defense leaders continue to emphasize acquisition reform and workforce priorities, forums like the 2026 Air and Space Summit provide an opportunity to stay informed on evolving priorities across the sector. Sign up now for the July 30 event to hear experts discuss the capabilities and trends shaping national security innovation across two critical domains. How Is DAF’s
The National Science Foundation has started seeking proposals for national-scale data infrastructure projects as part of the Integrated Data Systems and Services, or IDSS, program. NSF’s new solicitation underscores continued federal focus on advancing cyberinfrastructure and research capabilities. As government and industry stakeholders track these developments, the 2026 Cyber Summit on May 21 will explore topics, such as artificial intelligence in cyber defense, zero trust, quantum computing and post-quantum cryptography. Register now! What Is the NSF IDSS Program? Launched in August 2025, the IDSS program supports national-scale operational cyberinfrastructure systems and services designed to enable open, data-intensive and AI-driven science
The U.S. Air Force has appointed Meghan Rosso, Marcus Green and Jennifer Robaina to functional roles within the Cyber and Networks Directorate, the Air Force Life Cycle Management Center said Thursday. The appointments align with efforts to integrate leadership across program management, contracting and human resources. “We are fortunate to have such a talented team stepping into these critical roles,” said Brig. Gen. Joshua Williams, program executive officer for the Cyber and Networks Directorate. “Their collective experience and leadership will strengthen how we deliver capabilities, support our workforce and execute our mission for the Department of the Air Force.” Who Is Meghan Rosso? Green