In a major strategic shift, the National Institute of Standards and Technology (NIST) has announced a fundamental overhaul of how it manages the National Vulnerability Database (NVD). Faced with an unprecedented flood of new software flaws, the agency is moving away from its historical goal of analyzing every vulnerability, opting instead for a prioritized, risk-based approach to ensure the database remains sustainable.
“NIST is changing the way it handles cybersecurity vulnerabilities and exposures, or CVEs, listed in its National Vulnerability Database (NVD),” the agency stated in a recent press release. This move marks a significant departure for the program, which previously aimed to “enrich” all submitted CVEs with critical metadata, such as severity scores and affected product lists, to help defenders prioritize their patching efforts.
The primary driver behind this decision is a staggering increase in the volume of security flaws being discovered and reported. According to NIST, CVE submissions surged by 263% between 2020 and 2025.
The trend shows no signs of slowing down. Submissions in the first quarter of 2026 are already roughly 33% higher than the same period last year. While NIST reported that its team was “working faster than ever” and enriched 45% more CVEs in 2025 than in any prior year, the agency admitted that “this increased productivity is not enough to keep up with growing submissions.”
Starting April 15, 2026, NIST will implement a new triage system. All vulnerabilities will still be listed in the NVD, but only those deemed to have the greatest potential for systemic impact will be automatically enriched with deep analysis.
The new high-priority categories include:
- Known Exploited Vulnerabilities: Flaws appearing in CISA’s KEV Catalog. NIST’s goal is to enrich these “within one business day of receipt.”
- Government Software: CVEs impacting software utilized within the federal government.
- Critical Software: Flaws affecting “critical software” as defined by Executive Order 14028.
Vulnerabilities that do not meet these specific bars will be labeled as “Not Scheduled.” NIST explained the rationale for this division, noting that “while CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”
To further reduce the manual workload, NIST is cutting out redundant processes. For years, the agency provided its own severity scores even if the submitting authority had already calculated one. Moving forward, NIST will no longer routinely provide a separate score, a move designed to “reduce duplication of effort and allow us to focus our resources more effectively.”
The agency is also tightening its policy on re-analyzing flaws. It will now only re-evaluate enriched CVEs if a subsequent modification “materially impacts” the existing enrichment data.
The shift also brings a tough decision regarding the existing pile of unenriched vulnerabilities. NIST revealed that it has been unable to clear a significant backlog that began growing in early 2024. Consequently, all backlogged CVEs with an NVD publish date prior to March 1, 2026, will be moved into the “Not Scheduled” category, though the agency may revisit them as resources allow.
NIST views these changes as a necessary bridge to a more automated future. The current stabilization efforts are intended to buy time while the agency develops the automated systems and workflow enhancements required for long-term survival.
“This risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community,” NIST concluded.