On 15 April 2026, the National Institute of Standards and Technology (NIST) formally abandoned its longstanding mission to enrich all information about vulnerabilities published to its database.
NIST runs the National Vulnerability Database (NVD), which contains information about Common Vulnerabilities and Exposures (CVEs). Each CVE represents a software or hardware vulnerability.
CVEs don’t contain much information on their own, which is where NIST came in. It assigned each of them a Common Vulnerability Scoring System (CVSS) score that indicates how severe it is. It also assigned Common Platform Enumeration (CPE) identifiers, which are a standard way to link vulnerabilities to specific tech products.
NIST has been diligently enriching CVEs since the NVD began in 1999, but that all just changed. Under the restructured policy, full enrichment is limited to CVEs in three priority categories: CISA’s Known Exploited Vulnerabilities (KEV) catalogue, software used by US federal agencies, and Executive Order 14028 critical software. Everything else is designated “Lowest Priority”.
A Rising Tide Of Vulnerabilities
NIST’s restructuring is an admission of overwhelm. It has been grappling with more work as the volume of CVEs has exploded. Submissions to the NVD increased 263% between 2020 and 2025, it said, adding that the first quarter of 2026 ran nearly one-third higher than the same period a year earlier. Last year it enriched roughly 42,000 vulnerabilities (45% more than any prior year).
The agency hasn’t been keeping pace with the rising workload. Last year it watched its backlog more than double. The April announcement saw it deal with that by declaring a form of CVE bankruptcy, moving thousands of backlogged records published before March 1, 2026 into the “Not Scheduled” category that it may or may not attend to in the future.
NVD enrichment hadn’t been meeting quality expectations either. A Commerce Department inspector general review found that NIST’s severity scores matched those of independent assessors only 12% of the time, while nearly 80% of submissions already arrived carrying scores from the reporting party.
The Growing Vulnerability Rift
This is a big deal for vulnerability management teams. Without CPE data, vulnerability scanners that rely exclusively on NVD-derived enrichment cannot match a CVE to a product. NIST acknowledged that the new criteria “may not catch every potentially high-impact CVE”.
This all happens at a time when vulnerability exploitation is becoming even more consequential. It surpassed stolen credentials as the leading breach vector across more than 31,000 incidents reviewed, according to Verizon’s Data Breach Investigations Report.
It’s also becoming more automated. CrowdStrike’s 2026 Annual Threat Report concluded that AI-enabled adversaries increased attacks by 89% year-over-year in 2025, with intruders deploying generative AI across “targeting, initial access, and development of malware and other tools”.
And the velocity of vulnerability reporting looks set to increase even more dramatically. Consider Mythos, the Anthropic AI model that has already uncovered vulnerabilities en masse and will likely be followed by other competitive models.
Yet organizations are standing still. The speed of countermeasures lags behind the evolution of automated attacks: 77% of enterprise organisations still require more than a week to deploy a critical patch, says the Cloud Security Alliance. It’s no wonder that it also found an estimated 38% to 45% of critical vulnerabilities sitting unpatched across the industry at any given time.
From Ad-Hoc Management To Vulnerability Resilience
Approaches to vulnerability management must adapt if we’re to meet these challenges. Companies must begin looking at vulnerability management as one part of a broader resilience initiative. That should include looking at exploitability from a more holistic perspective.
Measures here include prioritizing end-to-end visibility into what’s happening across the technology stack, to get a sense not just of what’s exploitable in your infrastructure but of what its blast radius and organizational impact look like.
It also means moving away from CVSS-centric vulnerability management. That was never a good idea, because a single score can’t adequately assess the organizational risk of a vulnerability.
A study by Japan’s Kagawa University found that CVSS-only approaches with a 7.0 severity threshold achieve efficiency rates of only 0.2% to 0.5%. That means this narrow enterprise triage method addresses a tiny fraction of vulnerabilities that are actually exploitable.
Comparatively, the study found that integrated frameworks do better. Developed by the Forum of Incident Response and Security Teams (FIRST), the Exploit Prediction Scoring System (EPSS) is a machine learning model that assigns vulnerabilities a score indicating how likely it is to be exploited in the real world in the next 30 days.
Combining CVSS, EPSS, and data from CISA’s KEV list reduces urgent prioritisation workloads by approximately 95%, from roughly 16,000 to 850 vulnerabilities, while maintaining 85.6% coverage, according to the Kagawa study.
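To make the difference between the two triage methods concrete, here is an added example (not code from the article or from the Kagawa study) that runs a CVSS-only threshold and a KEV-plus-EPSS rule over a small constructed backlog and reports the efficiency and coverage of each. The CVE identifiers, scores, KEV flags and the "exploited" ground-truth column are all constructed for illustration; the 0.10 EPSS cutoff is an assumed policy choice, not a value from the study.

```python
"""Compare CVSS-only triage with a CVSS + EPSS + KEV rule on a constructed backlog.

Added example, not part of the original article. Efficiency is the share of
flagged CVEs that were actually exploited (precision); coverage is the share of
exploited CVEs that the rule flagged (recall).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve_id: str      # constructed placeholder identifier, not a real CVE
    cvss: float      # CVSS base score, 0.0 - 10.0
    epss: float      # EPSS probability of exploitation in the next 30 days
    in_kev: bool     # listed in CISA's Known Exploited Vulnerabilities catalogue
    exploited: bool  # constructed ground truth used only to score the rules


# Constructed sample backlog (no real vulnerability data).
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.950, True,  True),
    Vuln("CVE-0000-0002", 7.5, 0.002, False, False),
    Vuln("CVE-0000-0003", 5.3, 0.420, False, True),   # medium CVSS, high EPSS
    Vuln("CVE-0000-0004", 8.1, 0.010, False, False),
    Vuln("CVE-0000-0005", 6.5, 0.003, True,  True),   # KEV entry below 7.0
    Vuln("CVE-0000-0006", 7.2, 0.050, False, False),
    Vuln("CVE-0000-0007", 4.3, 0.001, False, False),
    Vuln("CVE-0000-0008", 9.1, 0.120, False, True),
]

CVSS_THRESHOLD = 7.0   # "High" cutoff used by the CVSS-only method
EPSS_THRESHOLD = 0.10  # assumed cutoff for the combined rule


def cvss_only_urgent(vulns):
    """CVSS-only triage: everything at or above the severity threshold is urgent."""
    return [v for v in vulns if v.cvss >= CVSS_THRESHOLD]


def combined_urgent(vulns, epss_threshold=EPSS_THRESHOLD):
    """Combined triage: KEV membership or a high EPSS probability marks a CVE urgent.

    CVSS is kept for later scheduling tiers; it no longer drives the urgent list.
    """
    return [v for v in vulns if v.in_kev or v.epss >= epss_threshold]


def evaluate(flagged, vulns):
    """Score a triage rule against the constructed ground truth."""
    exploited = [v for v in vulns if v.exploited]
    hits = [v for v in flagged if v.exploited]
    return {
        "flagged": len(flagged),
        "efficiency": len(hits) / len(flagged) if flagged else 0.0,
        "coverage": len(hits) / len(exploited) if exploited else 0.0,
    }


if __name__ == "__main__":
    for name, rule in (("CVSS >= 7.0", cvss_only_urgent), ("KEV or EPSS", combined_urgent)):
        result = evaluate(rule(SAMPLE), SAMPLE)
        print(f"{name:12s} flagged={result['flagged']} "
              f"efficiency={result['efficiency']:.2f} coverage={result['coverage']:.2f}")
```

On this constructed data the CVSS-only rule flags five CVEs and catches two of the four that were exploited, while the KEV-or-EPSS rule flags four and catches all four. The point the sample is built to show is the same one the study makes: the CVSS threshold both over-flags (two high-severity records nobody exploits) and under-flags (a KEV entry and a high-EPSS record that sit below 7.0). In production the "exploited" column is of course unknown in advance; it is replaced by the EPSS and KEV feeds themselves, which is why those feeds must come from somewhere other than NVD enrichment.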
NIST has already broadened its coverage beyond CVSS. In June it updated the NVD to include Stakeholder-Specific Vulnerability Categorization (SSVC) data sourced from CISA. This is a decision framework for prioritizing vulnerability remediation, developed by Carnegie Mellon’s Software Engineering Institute (CERT/CC) together with CISA. CISA provides this as part of the Vulnrichment program, its own attempt to help enrich CVE information. So the NVD has moved from a shallower, broader model to a narrower, richer one that takes a more holistic view of exploitability.
ISMS As Operating Manual
For compliance managers, the practical question is which governance framework can absorb this shift without forcing teams to rebuild their vulnerability programmes from scratch.
ISO/IEC 27001 and its Annex A controls are directly aligned with the change. The standard treats vulnerability management not as a scoring exercise but as an integrated control within a wider information security management system.
Control A.8.8 (Management of Technical Vulnerabilities) requires organisations to obtain timely information about technical vulnerabilities, evaluate exposure, and take appropriate measures. It also advises on extra measures beyond simple scoring, like penetration testing.
Control A.5.7 (Threat Intelligence) requires the collection and analysis of threat data of exactly the kind EPSS and KEV provide. Read together with A.5.30 (ICT Readiness for Business Continuity), the standard frames vulnerability management as one input into operational resilience rather than a standalone scanner output.
Certification gives compliance managers a defensible audit trail when regulators ask how the organisation prioritised CVEs without NVD enrichment. The management system should be able to cite things like commercial enrichment feeds, KEV monitoring, and EPSS scoring within existing control boundaries.
We mustn’t downplay the importance of what NIST just did, but we must also put it in context. This policy disruption forces organizations along a path they should already have been navigating. It’s time to use multiple intelligence sources and think more holistically about exploitability, positioning vulnerability management as an integral part of a broader resilience approach.