root@rebel:~$ cd /news/threats/nist-to-prioritize-high-impact-cves-amid-nvd-enrichment-backlog_
[TIMESTAMP: 2026-04-19 16:16 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: INFO]

NIST to Prioritize High-Impact CVEs Amid NVD Enrichment Backlog

INFO Vulnerabilities #NVD #NIST #CVE-enrichment
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] NIST will focus NVD analysis only on high-impact vulnerabilities due to a massive processing backlog and rising submission volumes.
  • [02] All software and hardware products tracked via the CVE program are impacted by potential delays or missing enrichment data.
  • [03] Organizations should integrate alternative data sources like CISA KEV or vendor advisories to supplement NVD gaps in risk assessments.

The National Institute of Standards and Technology (NIST) has announced a significant shift in its management of the National Vulnerability Database (NVD). According to BleepingComputer, the agency will no longer assign CVSS scores, CWE mappings, or other enrichment data to lower-priority vulnerabilities. This decision stems from a critical need to address a mounting backlog of CVE entries that has persisted since early 2024.

The NVD serves as the foundational repository for vulnerability metadata, which security tools and SOC teams use to prioritize remediation. Historically, NIST processed nearly every published CVE, providing the structured data necessary for automated SIEM alerts and vulnerability scanners. However, the sheer volume of vulnerability disclosures has reached a breaking point. In 2023, the database recorded over 30,000 entries, and current projections suggest that 2024 will surpass that record.

To manage this workload, NIST is transitioning to a prioritized analysis model. Under this new framework, NIST will only enrich vulnerabilities deemed “significant.” While the exact definition of significant remains fluid, it generally encompasses zero-day threats, vulnerabilities actively exploited in the wild, and those affecting critical infrastructure. For the remaining volume of disclosures, NIST will rely on the CVE program's Authorized Data Publisher (ADP) mechanism, under which other organizations publish enrichment data alongside the CVE record, to fill the metadata gaps.

Modern Vulnerability Management Strategies Without NVD Scores

This policy change introduces a period of uncertainty for organizations that rely solely on NIST for risk calculations. If a vulnerability is not enriched by NIST, it may lack the CVSS vector that many compliance frameworks and security scanners require to assign a severity. Defenders therefore need a way to prioritize a CVE that has no NVD score, and the practical answer is to diversify their intelligence feeds rather than wait for enrichment.

The Cybersecurity and Infrastructure Security Agency (CISA) has already stepped in as a primary ADP, providing enrichment data for many vulnerabilities through its own analysis pipelines. However, there is no guarantee that every niche or low-impact flaw will receive this secondary treatment. This creates a visibility gap for security professionals who manage large, diverse software inventories, where even “medium” or “low” severity flaws could be chained together to facilitate lateral movement or data exfiltration.

Actionable Recommendations for Defenders

Security teams must adapt their internal workflows to account for the reduction in NIST’s output. Relying on the NVD as a single source of truth for vulnerability data is no longer viable. Organizations should consider the following steps:

  • Integrate Multiple Intelligence Sources: Do not rely exclusively on the NVD. Incorporate data from the CISA Known Exploited Vulnerabilities (KEV) catalog and direct vendor advisories.
  • Leverage ADP Data Feeds: Ensure your vulnerability management tools are configured to ingest metadata from Authorized Data Publishers beyond NIST, such as CISA, and from supplementary community feeds such as VulnCheck’s.
  • Context-Based Prioritization: Shift away from static CVSS scores as the sole metric for urgency. Prioritize based on the asset’s business criticality and the presence of public exploit code, regardless of whether a NIST-verified score is available.
  • Automate Triage with SSVC: Consider implementing the Stakeholder-Specific Vulnerability Categorization (SSVC) model, which focuses on decision-making based on exploitation status and mission impact rather than just technical severity.
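The recommendations above describe one triage pipeline: pull exploitation status from the CISA KEV catalog, fall back to vendor severity where NIST never enriched the entry, and let an SSVC-style decision, driven by exploitation status, exposure and mission impact, outrank a raw CVSS number. The block below is an added example written for this page, not code from NIST, CISA, or the article’s source. The KEV snippet and the inventory records are constructed sample data with placeholder CVE IDs (the `cveID`/`vulnerabilities` keys match the shape of the real KEV JSON, but the entries are not real), and the decision tree is a deliberately simplified SSVC-style tree using CISA’s Track/Track*/Attend/Act outcome names, not the official published tree.

```python
"""Simplified SSVC-style triage over a mix of NVD-enriched and unenriched CVEs.

Added example, not from the article or from NIST/CISA. The decision tree is a
simplified SSVC-style tree (CISA outcome names), not the official one.
"""
import json

# Constructed slice in the shape of the CISA KEV catalog JSON. The CVE IDs here
# are placeholders for illustration, not real vulnerabilities.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "dueDate": "2099-02-01"}
  ]
}"""

# Constructed inventory: what a scanner-to-asset join might produce internally.
# nvd_cvss is None where NIST never enriched the entry.
INVENTORY = [
    {"id": "CVE-2099-0001", "nvd_cvss": None, "vendor_severity": "critical",
     "public_exploit": True,  "exposure": "open",       "mission_impact": "high"},
    {"id": "CVE-2099-0002", "nvd_cvss": 9.8,  "vendor_severity": "critical",
     "public_exploit": False, "exposure": "controlled", "mission_impact": "low"},
    {"id": "CVE-2099-0003", "nvd_cvss": None, "vendor_severity": None,
     "public_exploit": False, "exposure": "small",      "mission_impact": "medium"},
    {"id": "CVE-2099-0004", "nvd_cvss": 5.3,  "vendor_severity": "medium",
     "public_exploit": True,  "exposure": "open",       "mission_impact": "high"},
]

# Lower rank means more urgent.
DECISION_RANK = {"act": 0, "attend": 1, "track*": 2, "track": 3}


def load_kev_ids(kev_json: str) -> set:
    """Extract the set of CVE IDs listed in a KEV-shaped catalog document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def exploitation_status(rec: dict, kev_ids: set) -> str:
    """KEV membership beats everything; public PoC is the next strongest signal."""
    if rec["id"] in kev_ids:
        return "active"
    if rec["public_exploit"]:
        return "poc"
    return "none"


def severity_hint(rec: dict) -> str:
    """Best available severity label: NVD CVSS if present, else vendor advisory."""
    score = rec.get("nvd_cvss")
    if score is not None:
        if score >= 9.0:
            return "critical"
        if score >= 7.0:
            return "high"
        if score >= 4.0:
            return "medium"
        return "low"
    return rec.get("vendor_severity") or "unknown"


def ssvc_decision(exploitation: str, exposure: str, mission_impact: str) -> str:
    """Simplified SSVC-style decision; assumed tree, not CISA's official one."""
    high_impact = mission_impact in ("high", "very high")
    if exploitation == "active":
        return "act" if (high_impact or exposure == "open") else "attend"
    if exploitation == "poc":
        if high_impact and exposure == "open":
            return "attend"
        if high_impact or exposure == "open":
            return "track*"
        return "track"
    return "track*" if (high_impact and exposure == "open") else "track"


def triage(inventory: list, kev_json: str) -> list:
    """Annotate every record with exploitation, severity and decision, most urgent first."""
    kev_ids = load_kev_ids(kev_json)
    rows = []
    for rec in inventory:
        expl = exploitation_status(rec, kev_ids)
        rows.append({
            "id": rec["id"],
            "exploitation": expl,
            "severity": severity_hint(rec),
            "nvd_enriched": rec["nvd_cvss"] is not None,
            "decision": ssvc_decision(expl, rec["exposure"], rec["mission_impact"]),
        })
    rows.sort(key=lambda r: DECISION_RANK[r["decision"]])  # stable: ties keep input order
    return rows


if __name__ == "__main__":
    for row in triage(INVENTORY, KEV_JSON):
        print(f'{row["id"]}  {row["decision"]:7}  expl={row["exploitation"]:6}  '
              f'sev={row["severity"]:8}  nvd_enriched={row["nvd_enriched"]}')
```

Two things to notice in the output: the unenriched, KEV-listed entry lands at the top with decision `act` even though it has no NVD score at all, and the CVSS 5.3 entry with a public exploit on an exposed, high-impact asset (`attend`) outranks the CVSS 9.8 entry that sits on a low-impact, controlled-exposure host (`track`). In production the KEV JSON would be fetched from CISA and `exposure`/`mission_impact` would come from the asset inventory; the thresholds and tree shape here are assumptions to tune to your own environment.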

While NIST aims to clear its backlog by the end of 2024, the structural change to prioritized enrichment appears to be a permanent evolution in response to the scaling challenges of the global threat landscape.
