Strategic Selective Defense: NIST Abandons Universal Analysis as Vulnerabilities Flood the NVD

The digital landscape has reached a point of saturation where the traditional methods of cataloguing and analysing cybersecurity threats are no longer sustainable. Today, the National Institute of Standards and Technology (NIST) announced a fundamental shift in the operation of the National Vulnerability Database (NVD).


For decades, the NVD served as the definitive repository for Common Vulnerabilities and Exposures (CVEs), with the ambitious goal of providing full enrichment and analysis for every single entry. However, the sheer velocity of software development, coupled with the emergence of automated discovery tools, has forced a strategic retreat.


NIST is officially abandoning its pursuit of universal analysis in favour of a risk-based triage model. This transition marks a critical moment in federal cybersecurity policy, acknowledging that in an era of infinite threats, resource allocation must be ruthless to be effective.



The Mathematical Breaking Point


The primary driver for this overhaul is a statistical reality that NIST can no longer outpace. The volume of CVE submissions has moved from a steady stream to a deluge.


Between 2020 and 2025, submissions surged by a staggering 263%. The momentum has only increased as we entered 2026. Data from the first quarter of this year indicates that submissions are nearly one-third higher than during the same period in 2025.


NIST has not been idle during this period. In 2025, the agency enriched nearly 42,000 CVEs, representing a 45% increase in output compared to the previous year. Despite this significant boost in productivity, the gap between reported vulnerabilities and analysed data continued to widen.


The human and technical resources required to assign severity scores, identify affected product versions, and categorise flaws according to the Common Vulnerability Scoring System (CVSS) simply cannot scale at the same rate as the global discovery of bugs.


The New Hierarchy of Risk


Under the new operational framework, NIST will no longer treat all vulnerabilities as equals. The "triage" element of the new model dictates that full enrichment will be reserved for CVEs that present the most immediate and tangible danger to national and federal infrastructure. To qualify for full analysis, a vulnerability must now meet at least one of three specific criteria:


  1. Presence in the CISA KEV Catalog: The vulnerability is already listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. These are flaws with documented evidence of active exploitation in the wild.

  2. Federal Government Impact: The CVE affects software that's actively used within the federal government’s environment.

  3. Critical Software Designation: The vulnerability impacts software classified as critical under Executive Order 14028, which focuses on improving the nation’s cybersecurity.


By narrowing its focus, NIST aims to provide higher quality data where it matters most. Specifically, the agency intends to enrich KEV catalog entries within a single business day of receipt, ensuring that defenders have the necessary metadata to respond to active attacks in near real-time.


The "Not Scheduled" Purgatory and the Risk of the Unknown

For the thousands of vulnerabilities that do not meet these high-priority criteria, the outlook is less certain. These entries will still appear in the NVD, but they'll be tagged as "Not Scheduled." This designation means NIST will not automatically provide severity scores or the detailed product data that enterprise security teams have historically used to automate their patching schedules.


This shift introduces a significant element of risk for the private sector. Small to medium-sized enterprises, which often lack the budget for premium threat intelligence feeds, have long relied on the NVD as a free, reliable source of prioritisation data. Without NIST-provided scores, these organisations may find it difficult to determine which "non-critical" bugs actually pose a threat to their specific environments.


The risk is further compounded by the massive backlog of unenriched CVEs that has been accumulating since early 2024. In a sweeping move to clear the decks, NIST is moving all unenriched CVEs published before March 1, 2026, into the "Not Scheduled" category. While CVEs already in the KEV catalog are exempt from this move, thousands of other flaws will remain in a state of analytical limbo, to be addressed only as resources allow.


Efficiency over Redundancy


To streamline operations, NIST is also ending the practice of duplicate analysis. In the past, NIST would often generate its own severity scores even if the submitting CVE Numbering Authority (CNA) had already provided one.


Moving forward, NIST will generally accept the CNA’s assessment. Furthermore, the agency will only reanalyse modified CVEs if the changes materially affect the enrichment data, rather than performing a full review on every minor update.


These procedural changes are designed to cut through the administrative "noise," but they place a greater burden of accuracy on the CNAs, which include private software vendors and research organisations.
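The following Python example is added here and is not from the article, NIST, or any of the companies quoted; it shows how a defender could apply the triage logic described above and in the "Not Scheduled" section to a local feed: KEV membership first, the NIST score when present, the CNA score as fallback, and an explicit flag for entries that have neither a score nor product data. The record layout, CVE ids, product names and scores are all constructed stand-ins, not the real NVD JSON schema.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed KEV catalog excerpt; every CVE id in this example is a placeholder.
KEV_CATALOG = {"CVE-0000-1001"}

@dataclass
class NvdRecord:
    cve_id: str
    status: str                          # "Analyzed" or "Not Scheduled"
    nist_cvss: Optional[float] = None    # NIST-assigned base score, if enriched
    cna_cvss: Optional[float] = None     # score supplied by the submitting CNA
    products: set = field(default_factory=set)  # affected products, if enriched

def prioritise(rec: NvdRecord, kev: set, inventory: set) -> tuple:
    """Return (priority, reason). KEV wins outright; otherwise use the NIST
    score, then the CNA score; an entry with no score or no product data is
    flagged for review rather than silently dropped."""
    if rec.cve_id in kev:
        return ("P1", "in CISA KEV: actively exploited")
    if not rec.products:
        exposure = "exposure unknown (no product data)"
    elif rec.products & inventory:
        exposure = "affects " + ", ".join(sorted(rec.products & inventory))
    else:
        return ("P4", "no affected product in inventory")
    score = rec.nist_cvss if rec.nist_cvss is not None else rec.cna_cvss
    origin = "NIST" if rec.nist_cvss is not None else "CNA"
    if score is None:
        return ("P?", f"{rec.status}, no NIST or CNA score; {exposure}; manual review")
    tier = "P2" if score >= 7.0 else "P3"
    return (tier, f"CVSS {score} ({origin}); {exposure}")

def triage(records, kev=KEV_CATALOG, inventory=frozenset()):
    """Rank a batch so P1 comes first and unscored ('P?') entries stay visible."""
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3, "P?": 4}
    ranked = [(r.cve_id, *prioritise(r, kev, inventory)) for r in records]
    return sorted(ranked, key=lambda row: order[row[1]])

# Constructed sample feed: one KEV entry, one fully enriched, two "Not Scheduled".
SAMPLE = [
    NvdRecord("CVE-0000-1001", "Not Scheduled"),
    NvdRecord("CVE-0000-1002", "Analyzed", nist_cvss=9.8, products={"acme-webapp"}),
    NvdRecord("CVE-0000-1003", "Not Scheduled", cna_cvss=6.5, products={"acme-agent"}),
    NvdRecord("CVE-0000-1004", "Not Scheduled"),
]

for row in triage(SAMPLE, inventory={"acme-webapp", "acme-agent"}):
    print(*row, sep=" | ")
```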


The AI Factor: A Catalyst for Chaos


While NIST has been careful not to attribute the surge in vulnerabilities solely to a single source, industry experts point toward the role of artificial intelligence. AI-driven fuzzing and automated code analysis have made it significantly easier for researchers (and bad actors) to find flaws at scale.


Vincenzo Iozzo, co-founder and chief executive of SlashID Inc., notes that the spike in valid, reported vulnerabilities is directly tied to this technological evolution.

"We’ve seen a dramatic spike in AI-reported valid vulnerabilities. According to reports, last year alone, the number of reported vulnerabilities more than doubled," Iozzo explains. "As a result, the new NIST policy is sensible and the categories still covered are the most critical ones."

However, Iozzo also suggests that the same technology causing the problem might offer a solution for the private sector.

"Large language models are approaching the point where they are good enough to allow individual organisations to prioritise and contextualize vulnerabilities in their environment, reducing the need for enriched CVEs."

The End of Passive Security


The broader implication of NIST’s announcement is that the cybersecurity industry can no longer afford to be reactive. Waiting for a government agency to verify and score a threat is a luxury that modern timelines don't permit.


Shane Fry, chief technology officer at RunSafe Security Inc., views this change as a definitive signal to the market.

"The announcement is a signal to the industry that the era of waiting for a CVE score before acting has come to an end."

The inherent risk in the "Not Scheduled" model is that visibility becomes fragmented. Organisations that rely solely on the NVD will now have blind spots.


"Vulnerability visibility is imperfect, but organisations that use a diverse set of vulnerability data sources will have more reliable insight into vulnerabilities and which ones they are affected by."

The move by NIST forces a shift in philosophy. Instead of managing a list of known bugs, companies must move toward a model of resilience. As Fry notes, "More importantly, organisations need to assume unknown vulnerabilities already exist in their software and deploy protections that can prevent exploitation before a patch, or a CVE score, is ever available."

A Necessary Evolution


NIST’s decision to pivot to a risk-based triage model is an admission of a hard truth: the volume of digital weakness is growing faster than our ability to document it. By focusing on the KEV catalog and critical infrastructure, NIST is attempting to protect the "foundation" of the national digital economy.


For everyone else, the message is clear. The NVD is no longer a comprehensive safety net. It's a high-priority alert system. In the gap left behind, organisations must take greater ownership of their own risk assessment, leveraging AI and diverse data streams to identify what matters to them before a "Not Scheduled" vulnerability becomes a very scheduled breach.
