The National Institute of Standards and Technology has implemented changes to how it processes cybersecurity vulnerabilities and exposures, or CVEs, in its National Vulnerability Database, or NVD, shifting to an enhanced prioritization approach.
Escalating cyberthreats have made government data a primary target in modern conflict. Explore how leaders are responding to these threats at the Potomac Officers Club's 2026 Cyber Summit on May 21. Register today!
What Changes Are Being Made?
NIST said Wednesday it has started to prioritize enriching CVEs that appear in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, those for software used within the federal government and those defined as critical under Executive Order 14028. CVEs outside these categories will still be listed but marked “Not Scheduled.”
How Will Other CVEs Be Handled?
NIST will no longer routinely provide separate severity scores when one has already been provided, and modified CVEs will be reanalyzed only if changes materially affect enrichment data. Backlogged CVEs published before March 1 will be moved into the “Not Scheduled” category. Updated status labels and dashboard reporting will provide users with real-time visibility into CVE processing.
Why Is NIST Changing Its Approach?
CVE submissions grew 263 percent between 2020 and 2025, with early 2026 volumes also tracking higher than the same period last year. The sharp rise in vulnerability submissions has strained the agency's capacity to fully analyze each entry. Although NIST reported enriching nearly 42,000 CVEs in 2025, the volume of incoming data has outpaced its ability to process every record, necessitating the changes.
By prioritizing critical CVEs, the agency aims to strengthen its workload management. This approach will help stabilize the program while NIST automates its systems and enhances workflows to ensure long-term sustainability.
