
Rethinking Container Security After NIST's NVD Pivot: Key Questions Answered

Last updated: 2026-05-13 14:29:44 Intermediate

The National Institute of Standards and Technology (NIST) has fundamentally shifted how the National Vulnerability Database (NVD) enriches CVE data. Starting April 15, 2026, NIST will only fully enrich a subset of CVEs—primarily those in CISA's Known Exploited Vulnerabilities catalog, software used by the federal government, and 'critical software' under Executive Order 14028. All other CVEs will be marked as 'Not Scheduled' and may never receive CVSS scores, CPE mappings, or CWE classifications. This change forces container security programs to reconsider their reliance on NVD as a primary data source for vulnerability scanning, prioritization, and compliance. Below, we break down what this means for your security operations.

What exactly did NIST change on April 15, 2026?

NIST announced a prioritized enrichment model for the NVD. Previously, the NVD aimed to enrich all published CVEs with CVSS scores, CPE mappings, and CWE classifications. Now, only three categories get full enrichment within a defined timeline: CVEs in CISA's Known Exploited Vulnerabilities (KEV) catalog (targeted within one business day), CVEs affecting software used within the federal government, and CVEs affecting 'critical software' per Executive Order 14028. All other CVEs are placed in a 'Not Scheduled' status. NIST will no longer duplicate CVSS scores if the submitting CNA already provides one, and all unenriched CVEs published before March 1, 2026 have also been moved to 'Not Scheduled.' Organizations can request enrichment by emailing nvd@nist.gov, but no service-level timeline applies.

Rethinking Container Security After NIST's NVD Pivot: Key Questions Answered
Source: www.docker.com

Why did NIST make this change?

NIST cites a staggering 263% increase in CVE submissions between 2020 and 2025, with Q1 2026 running roughly a third higher than the same period a year earlier. This surge is driven by more CVE Numbering Authorities (CNAs), more open source projects running their own disclosure processes, and more tooling that surfaces issues that would not have reached CVE a few years ago. The volume overwhelmed NIST's ability to provide full enrichment for every CVE. The change formalizes a drift visible to anyone pulling NVD feeds over the past two years. NIST has now stated plainly that it does not intend to return to full-coverage enrichment. For security programs that built workflows around NVD as the authoritative secondary layer on top of CVE, this assumption needs a structured review.

How does this affect container scanners and compliance programs?

Container scanners and compliance programs have historically relied on NVD's CVSS scores, CPE mappings, and CWE classifications to prioritize vulnerabilities and demonstrate compliance (e.g., for FedRAMP, PCI DSS). With most CVEs now unenriched, scanners may show thousands of vulnerabilities with missing severity scores, making it impossible to sort by risk or meet SLA requirements that depend on CVSS thresholds. CPE mappings are critical for matching software to vulnerabilities; without them, scanners may fail to detect a known CVE affecting a container image. Compliance frameworks often require documented vulnerability management processes that reference authoritative sources like NVD. Programs that assumed full NVD enrichment will need to reassess their detection, prioritization, and reporting pipelines to incorporate alternative data sources or internal enrichment.

What alternative data sources should container security programs consider?

Programs should diversify beyond NVD. Consider direct feeds from CNA communities (e.g., GitHub Advisory Database, GitLab Advisory Database, Open Source Vulnerabilities (OSV) database), which often include CVSS scores and affected package ranges. For commercial products, vendors frequently provide their own advisory feeds with severity ratings. Tools like OWASP Dependency-Check can use multiple databases. Additionally, exploit intelligence feeds (e.g., from CISA KEV, GreyNoise, or commercial threat intel) help prioritize vulnerabilities that are actively exploited. For custom software, internal static analysis combined with manual enrichment can fill gaps. Integrating these sources into your scanner's logic may require changes in how your CI/CD pipeline fetches and normalizes vulnerability data. Some open-source projects are already working on community-enriched CVE databases to compensate for NIST's reduced role.


How should organizations adapt their vulnerability prioritization and SLA workflows?

First, audit your current workflows to identify every place where you assumed NVD would provide CVSS, CPE, or CWE. For each, determine an alternative: use the CNA-supplied score if available, derive a severity from the CVE description via machine learning, or maintain a manual override process for high-impact software. Second, adjust SLAs: instead of 'patch any CVE with CVSS >= 7 within 30 days,' consider SLAs based on exploitability (e.g., CISA KEV inclusion), asset criticality, or threat intelligence. Third, implement a request workflow to NIST for enrichment—but don't rely on it. Use community-driven databases like VulnCheck or Red Hat's OVAL feeds. Finally, update your compliance documentation to reflect that you use multiple authoritative sources, not just NVD. This change may also be a good time to re-evaluate which CVEs you actually track: focus on those affecting your deployed software, not the entire public catalog.

Is NIST completely abandoning enrichment for non-critical CVEs?

Not completely, but the practical impact is severe. NIST will still accept enrichment requests via nvd@nist.gov for any CVE, but with no service-level timeline, so requests may take weeks or months. The 'Not Scheduled' status means the CVE may never be enriched unless it later becomes relevant to federal use or CISA KEV. NIST has also stopped duplicating CVSS scores when the submitting CNA provides one—so if a CNA assigns a score, that may be sufficient for many use cases. However, for CVEs without any score (e.g., from newer CNAs or those that only provide a description), enrichment is effectively suspended. This is a permanent shift: NIST has stated it does not intend to return to full-coverage enrichment. Organizations managing container security should treat NVD as one of several sources, not the single source of truth.

What immediate steps should a container security team take?

Immediately assess which CVEs in your current backlog are missing enrichment. Most scanners can show which CVEs lack CVSS or CPE; prioritize manual review for those affecting critical containers. Update your scanner's data source configuration: many tools allow you to add additional advisory databases. Contact your vulnerability management tool vendor to understand how they handle 'Not Scheduled' CVEs. Set up alerts for CVEs added to CISA KEV, as those will still get fast NVD enrichment. Internally, revise your vulnerability prioritization rubric to rely less on numerical CVSS and more on exploit evidence, asset exposure, and business impact. Plan for a recurring review process where you periodically check NVD for status changes on high-priority CVEs. Finally, educate your security and engineering teams about the change so they understand why some CVEs may appear without scores and how that should influence triage.
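The workflow changes described in the two sections above (fall back to the CNA score, let KEV inclusion and asset exposure outrank a raw CVSS number, and never let an unscored CVE sink silently to the bottom of the backlog) can be captured in a small triage rubric. The following is an added example, not code from the original article or from any scanner; the finding records, the KEV snapshot and the asset context are constructed and simplified, and do not reproduce the NVD API schema or any vendor's output format.

```python
"""Triage container-image findings when NVD enrichment is missing.

Added example (not from the original article). Record shapes, CVE ids
and KEV contents are constructed placeholders, not real data.
"""

# Constructed sample: scanner findings for one image. nvd_cvss is None
# wherever NVD has not enriched the CVE; cna_cvss is the CNA-supplied score.
FINDINGS = [
    {"cve": "CVE-EXAMPLE-1", "package": "openssl", "nvd_status": "Analyzed",
     "nvd_cvss": 9.8, "cna_cvss": None},
    {"cve": "CVE-EXAMPLE-2", "package": "libxml2", "nvd_status": "Not Scheduled",
     "nvd_cvss": None, "cna_cvss": 7.5},
    {"cve": "CVE-EXAMPLE-3", "package": "curl", "nvd_status": "Not Scheduled",
     "nvd_cvss": None, "cna_cvss": None},
    {"cve": "CVE-EXAMPLE-4", "package": "zlib", "nvd_status": "Not Scheduled",
     "nvd_cvss": None, "cna_cvss": 5.3},
    {"cve": "CVE-EXAMPLE-5", "package": "busybox", "nvd_status": "Not Scheduled",
     "nvd_cvss": None, "cna_cvss": None},
]
KEV = {"CVE-EXAMPLE-3"}  # constructed CISA KEV snapshot
ASSET = {"internet_exposed": True, "business_impact": "high"}  # constructed


def effective_score(finding):
    """NVD score first, CNA score as fallback, None when neither exists."""
    if finding["nvd_cvss"] is not None:
        return finding["nvd_cvss"]
    return finding["cna_cvss"]


def unenriched(findings):
    """Step one of the audit: CVEs in the backlog with no score from anyone."""
    return [f["cve"] for f in findings if effective_score(f) is None]


def triage(finding, kev, asset):
    """Return (tier, sla_days, reason). Exploit evidence and exposure outrank
    a numeric CVSS; an unscored CVE is queued for review, never treated as low."""
    score = effective_score(finding)
    if finding["cve"] in kev:
        return ("P0", 1, "in CISA KEV")
    if score is None:
        if asset["internet_exposed"] or asset["business_impact"] == "high":
            return ("P1", 7, "unscored on exposed/critical asset: manual review")
        return ("P2", 30, "unscored: queue for manual review")
    if score >= 7.0 and asset["internet_exposed"]:
        return ("P1", 7, f"score {score} on internet-exposed asset")
    if score >= 7.0:
        return ("P2", 30, f"score {score}")
    return ("P3", 90, f"score {score}")


def enrichment_requests(findings, kev):
    """Not Scheduled CVEs with no score at all are candidates for a request to
    nvd@nist.gov; KEV entries are excluded because NVD enriches those quickly."""
    return [f["cve"] for f in findings
            if f["nvd_status"] == "Not Scheduled"
            and effective_score(f) is None and f["cve"] not in kev]


def triage_report(findings, kev, asset):
    return {f["cve"]: triage(f, kev, asset) for f in findings}
```

The request list is only a reminder to file; the rubric already assigned those CVEs a tier and SLA without waiting on NIST.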