Quick Facts
- Category: Cybersecurity
- Published: 2026-05-20 07:12:54
On April 15, 2025, the National Institute of Standards and Technology (NIST) announced a major shift in how the National Vulnerability Database (NVD) handles Common Vulnerabilities and Exposures (CVEs). Instead of enriching every CVE with scores, classifications, and mappings, NIST now prioritizes only a subset. For container security programs that have long relied on the NVD as the authoritative source for prioritization and compliance, this change demands a thorough reassessment. Below, we answer the most pressing questions about what changed, why it matters, and how to adapt.
What exactly did NIST announce on April 15?
NIST introduced a prioritized enrichment model for the National Vulnerability Database. Going forward, most CVEs will still be published, but fewer will receive the full spectrum of enrichment data—CVSS scores, CPE mappings, and CWE classifications—that container scanners and compliance programs have historically depended on. The announcement formalizes a trend that had been visible for two years: the NVD was already falling behind. Now NIST has stated clearly that it does not intend to return to full-coverage enrichment. Programs built around the assumption that the NVD sits as an authoritative secondary layer on top of the CVE list need to revisit that assumption.

Why is NIST adopting this change now?
The primary driver is a 263% increase in CVE submissions between 2020 and 2025. In Q1 2026 alone, submissions ran roughly a third higher than the same period a year earlier. This surge stems from a broader expansion in CVE numbering: more CVE Numbering Authorities (CNAs), more open source projects running their own disclosure processes, and more automated tooling surfacing vulnerabilities that would not have reached CVE status a few years ago. NIST simply cannot keep pace with manual enrichment for every entry. The prioritization model is a pragmatic response to resource constraints, but it shifts the burden onto downstream users.
Which CVEs will still get full enrichment?
Three categories continue to receive complete enrichment, typically within one business day:
- CVEs listed in CISA’s Known Exploited Vulnerabilities catalog
- CVEs affecting software used within the federal government
- CVEs affecting “critical software” as defined by Executive Order 14028
All other CVEs are moved to a new status called “Not Scheduled.” For these, no timeline exists for enrichment. NIST also stopped duplicating CVSS scores when the submitting CNA already provides one, and all unenriched CVEs published before March 1, 2026 have been moved into “Not Scheduled.”
What does “Not Scheduled” status mean for my vulnerability management?
If a CVE is marked “Not Scheduled,” you cannot expect the NVD to provide CVSS scores, CPE mappings, or CWE classifications for it any time soon—if ever. This means your container scanners, which often fetch enrichment data from the NVD, may show incomplete risk information. Prioritization workflows that rely on CVSS base scores may miss critical context. Compliance programs that require CPE mappings for asset inventory will have gaps. Essentially, the NVD is no longer a reliable source for secondary enrichment on most vulnerabilities; you must plan to fill that gap yourself.

Can organizations request enrichment for a specific CVE?
Yes. Organizations can email nvd@nist.gov to request enrichment for a particular CVE. However, NIST offers no service-level timeline for fulfilling such requests. The process is essentially best-effort and may take weeks or months. This will likely work only for high-priority vulnerabilities that affect critical systems, and it is not a scalable solution for the thousands of CVEs that a typical container environment encounters. Security teams should treat this as a fallback, not a primary strategy.
How should container security programs adapt to this change?
Programs that relied on the NVD as the authoritative enrichment layer need to reassess several elements:
- Scanner configuration: Ensure your scanners can pull enrichment from alternative sources such as CNA-provided data, OSV (Open Source Vulnerabilities), or commercial feeds.
- Prioritization logic: Don’t treat missing CVSS scores as “no risk.” Use ephemeral context (exploitability, reachability) instead.
- Compliance mappings: For CPE or CWE dependencies, maintain a local mapping system or use a third-party enrichment service.
- SLA definitions: Remove the assumption that the NVD will enrich every CVE within a set window.
By shifting to a more proactive, multi-source approach, teams can maintain a strong security posture even as NIST narrows its role.
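The prioritization rule from the list above, as an added example (not code from NIST or any scanner): a finding with no score from any source is routed to review instead of being ranked low, and a KEV listing outranks the score. The `Finding` fields, bucket names, score thresholds and placeholder CVE IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed finding shape (an assumption, not the NVD API schema or a scanner format).
@dataclass
class Finding:
    cve: str
    nvd_status: str                     # e.g. "Analyzed" or "Not Scheduled"
    nvd_cvss: Optional[float] = None    # score added by NVD enrichment, if any
    cna_cvss: Optional[float] = None    # score supplied by the submitting CNA
    other_cvss: Optional[float] = None  # OSV, vendor or commercial feed
    in_kev: bool = False                # listed in CISA's KEV catalog
    reachable: Optional[bool] = None    # None means "not assessed"

def resolve_score(f):
    """Return (score, source) from the first source that has one, else (None, None)."""
    for source, score in (("nvd", f.nvd_cvss), ("cna", f.cna_cvss), ("other", f.other_cvss)):
        if score is not None:
            return score, source
    return None, None

def triage(f):
    """Bucket a finding; a missing score means 'unknown', never 'low'."""
    score, source = resolve_score(f)
    if f.in_kev:
        bucket = "urgent"               # known exploitation outranks any score
    elif score is None:
        # No enrichment anywhere: send to a human unless reachability rules it out.
        bucket = "backlog-unscored" if f.reachable is False else "needs-review"
    elif score >= 9.0 or (score >= 7.0 and f.reachable is not False):
        bucket = "high"
    elif score >= 4.0:
        bucket = "medium"
    else:
        bucket = "low"
    return {"cve": f.cve, "nvd_status": f.nvd_status, "bucket": bucket,
            "score": score, "score_source": source}

# Constructed sample findings with placeholder IDs.
SAMPLE = [
    Finding("CVE-0000-0001", "Analyzed", nvd_cvss=5.3),
    Finding("CVE-0000-0002", "Not Scheduled", cna_cvss=8.1, reachable=True),
    Finding("CVE-0000-0003", "Not Scheduled"),
    Finding("CVE-0000-0004", "Analyzed", nvd_cvss=6.5, in_kev=True),
    Finding("CVE-0000-0005", "Not Scheduled", reachable=False),
]

if __name__ == "__main__":
    for finding in SAMPLE:
        print(triage(finding))
```

Recording `score_source` alongside the bucket keeps an audit trail of which findings were prioritized on CNA or third-party data instead of NVD enrichment.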
Will this change affect any existing vulnerability data from before April 15?
Yes. NIST has moved all unenriched CVEs published before March 1, 2026 into the “Not Scheduled” category. This means historical vulnerabilities that were never given a CVSS score, CPE mapping, or CWE classification by the NVD will remain unenriched. If your vulnerability database or scanner used the NVD as its sole enrichment source for those older CVEs, you now have gaps in your historical assessments. It may be worthwhile to reprocess those older records using alternative enrichment feeds or, for critical assets, request direct enrichment from NIST.