NIST Rethinks NVD Enrichment: How Container Security Should Respond

From Stripgay, the free encyclopedia of technology

Introduction

On April 15, the National Institute of Standards and Technology (NIST) introduced a prioritized enrichment model for the National Vulnerability Database (NVD). While most CVEs will still be published, fewer will receive the full complement of CVSS scores, CPE mappings, and CWE classifications that container security scanners and compliance frameworks have long relied upon. This shift formalizes a trend that has been evident over the past two years, but the new policy makes it clear: NIST does not intend to return to full-coverage enrichment. For programs that built their vulnerability management workflows on the assumption that the NVD would provide authoritative secondary data for every CVE, this change demands a structured reassessment. The following article breaks down what has changed, why, and how container security teams should adapt.

NIST Rethinks NVD Enrichment: How Container Security Should Respond
Source: www.docker.com

What Changed

Under the new model, only three categories of CVEs will continue to receive full enrichment (CVSS scores, CPE mappings, and CWE classifications):

  • CVEs in CISA's Known Exploited Vulnerabilities (KEV) catalog — these are enriched within one business day.
  • CVEs affecting software used by the U.S. federal government — as defined by existing guidance.
  • CVEs affecting 'critical software' as defined by Executive Order 14028.

All other CVEs are now assigned a status of 'Not Scheduled'. Organizations can request enrichment by emailing nvd@nist.gov, but NIST provides no service-level timeline for such requests. Additionally, NIST has stopped duplicating CVSS scores when the submitting CNA (CVE Numbering Authority) provides one, and all unenriched CVEs published before March 1, 2026 have been moved into the 'Not Scheduled' category.

Why NIST Made This Change

The driver behind the shift is simple: volume. NIST reported a 263% increase in CVE submissions between 2020 and 2025, with Q1 2026 running roughly a third higher than the same period a year earlier. This surge reflects a broader expansion in the CVE ecosystem: more CNAs issuing numbers, more open-source projects running independent disclosure processes, and more automated tooling surfacing vulnerabilities that would not have reached CVE just a few years ago. The growth made it unsustainable for NIST to manually enrich every CVE with its own scores and mappings.

Implications for Container Security

Container security programs are among the most affected. Vulnerability scanners for container images often rely on CPE mappings to match software components to CVEs, and on CVSS scores to prioritize fixes. With fewer CVEs receiving these enrichments, security teams can no longer assume that a CVE in the NVD will include the metadata they need to automatically filter or prioritize. Instead, they will need to augment NVD data with alternative sources such as advisory feeds from container registries, vendor security bulletins, or third-party vulnerability databases.

Moreover, compliance frameworks that mandate specific CVSS thresholds or CPE-based inventory mappings will become harder to satisfy using NVD alone. Organizations subject to FedRAMP, PCI DSS, or SOC 2 may need to re-evaluate their scanning and reporting tools to ensure they can still generate accurate compliance evidence.

What Security Teams Should Do

To adapt, container security programs should consider the following steps:

  1. Audit your current NVD dependencies — Identify every process that relies on NVD enrichment, from automated scanning to SLA calculations. Determine which CVEs in your environment fall outside the three prioritized categories.
  2. Supplement NVD data with alternative sources — Incorporate feeds from GitHub Advisory Database, Red Hat Security Data, or the Open Source Vulnerability (OSV) database. Many container scanners already support multiple data sources; ensure yours are enabled.
  3. Adjust prioritization logic — Rely less on CVSS base scores and more on exploitability metrics, threat intelligence, and business context. Use internal asset criticality to weight vulnerabilities.
  4. Request enrichment for critical CVEs — For vulnerabilities that affect your most sensitive containers, send an enrichment request to nvd@nist.gov. While there's no guaranteed timeline, this may still yield results for high-priority items.
  5. Review your compliance approach — Work with compliance teams to understand whether specific CVSS or CPE requirements can be satisfied through alternative means, or if adjustments to policies are needed.
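As an added illustration of steps 1 to 4 (example code written for this page, not code from the original article, from Docker, or from NIST): a Python sketch that resolves a score in the order NIST Primary, CNA Secondary, alternative feed, buckets findings with KEV membership and asset criticality, and lists the CVEs that would justify an enrichment request. The record shape follows the NVD API 2.0 JSON layout only as far as the `metrics.cvssMetricV31[].type` field; the CVE identifiers, the `vulnStatus` value used for 'Not Scheduled', the alternative feed, and the KEV set are constructed samples.

```python
# Added example (not Docker's or NIST's code): pick a CVSS score and a
# triage bucket for a container-image finding when NVD enrichment is
# missing. Record shape follows NVD API 2.0 JSON (metrics.cvssMetricV31[]
# carries "type": "Primary" for NIST, "Secondary" for the CNA); the
# records, the alternative feed and the KEV set are constructed samples.

NVD = {
    "CVE-0000-0001": {"vulnStatus": "Analyzed", "metrics": {"cvssMetricV31": [
        {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"baseScore": 9.8}}]}},
    # CNA supplied a score; NIST no longer duplicates it with a Primary entry
    "CVE-0000-0002": {"vulnStatus": "Not Scheduled", "metrics": {"cvssMetricV31": [
        {"type": "Secondary", "source": "cna@example.org", "cvssData": {"baseScore": 7.5}}]}},
    # No score from NVD at all
    "CVE-0000-0003": {"vulnStatus": "Not Scheduled", "metrics": {}},
    "CVE-0000-0004": {"vulnStatus": "Not Scheduled", "metrics": {}},
}
ALT_FEED = {"CVE-0000-0003": 6.1}      # OSV/GHSA-style severity, constructed
KEV_IDS = {"CVE-0000-0004"}            # constructed KEV membership


def resolve_score(cve_id):
    """Return (score, source): NIST Primary > CNA Secondary > alt feed > None."""
    metrics = NVD.get(cve_id, {}).get("metrics", {}).get("cvssMetricV31", [])
    for wanted in ("Primary", "Secondary"):
        for m in metrics:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], m.get("source", wanted)
    if cve_id in ALT_FEED:
        return ALT_FEED[cve_id], "alt-feed"
    return None, None


def triage(cve_id, asset_weight=1.0):
    """Bucket a finding. KEV membership wins outright; a CVE with no score
    anywhere is flagged REVIEW rather than silently sinking to the bottom
    of the queue. asset_weight encodes internal asset criticality."""
    if cve_id in KEV_IDS:
        return "P1", "kev"
    score, src = resolve_score(cve_id)
    if score is None:
        return "REVIEW", "unscored"
    w = score * asset_weight
    return ("P1" if w >= 9.0 else "P2" if w >= 7.0 else "P3"), src


def unscored(cve_ids):
    """CVEs with no score from any source: candidates for an enrichment
    request to nvd@nist.gov (step 4)."""
    return [c for c in cve_ids if resolve_score(c)[0] is None]


if __name__ == "__main__":
    for c in sorted(NVD):
        print(c, NVD[c]["vulnStatus"], triage(c))
    print("request enrichment for:", unscored(NVD))
```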

Conclusion

NIST's shift to a prioritized enrichment model is not a sudden change, but it formalizes a reality that has been emerging for years. Container security programs built on the assumption of universal NVD enrichment must rethink their workflows. By diversifying data sources, revisiting prioritization logic, and proactively requesting enrichment for critical vulnerabilities, organizations can maintain robust security without relying solely on the NVD. The key is to treat this as an opportunity to build more resilient, context-aware vulnerability management processes.