NIST's NVD Shift: What It Means for Container Vulnerability Management

Understanding the Change

On April 15, NIST announced a prioritized enrichment model for the National Vulnerability Database (NVD). This change means that most Common Vulnerabilities and Exposures (CVEs) will still be published, but fewer will receive the full suite of enrichment data—CVSS scores, CPE mappings, and CWE classifications—that container scanners and compliance programs have historically depended on.

This isn't a sudden shift; it formalizes a trend that has been visible for the past two years. What changed on April 15 is the expectation: NIST has clearly stated it does not intend to return to full-coverage enrichment. For programs that built their scanning, prioritization, and SLA workflows around NVD as the authoritative secondary layer on top of CVE data, this assumption now requires a structured review.

Three Categories for Full Enrichment

Going forward, only three categories of CVEs will receive full enrichment:

• CVEs in CISA's Known Exploited Vulnerabilities catalog (targeted within one business day)
• CVEs affecting software used within the federal government
• CVEs affecting "critical software" as defined by Executive Order 14028

All other CVEs are moved to a new "Not Scheduled" status. Organizations can request enrichment by emailing nvd@nist.gov, but NIST offers no service-level timeline for fulfilling these requests. Additionally, NIST has stopped duplicating CVSS scores when the submitting CNA already provides one, and all unenriched CVEs published before March 1, 2026 have been moved into "Not Scheduled."

Why NIST Made This Decision

NIST cited a 263% increase in CVE submissions between 2020 and 2025, with Q1 2026 running roughly a third higher than the same period a year earlier. This growth reflects a broader expansion in CVE numbering: more CNAs (CVE Numbering Authorities), more open-source projects running their own disclosure processes, and more tooling surfacing vulnerabilities that wouldn't have reached CVE status a few years ago. The sheer volume made full enrichment unsustainable.

Implications for Container Security Programs

Container security programs that rely on NVD enrichment for vulnerability scanning and prioritization now face a fragmented landscape. Without CVSS scores and CPE mappings for many CVEs, automated risk assessments become less reliable. This is especially critical for container images that pull from open-source registries, where a high volume of new CVEs may lack enrichment.

Rethinking Scan Prioritization

Traditional prioritization models often used CVSS scores as a primary filter. With fewer scores from NVD, teams should consider:

• Leveraging alternative vulnerability scoring systems like the Exploit Prediction Scoring System (EPSS) or vendor-supplied CVSS
• Integrating threat intelligence feeds to identify which unenriched CVEs are being actively exploited
• Prioritizing based on the criticality of the affected container component within your environment

Adjusting Compliance and SLA Workflows

Many compliance frameworks, such as FedRAMP or HIPAA, require organizations to track and remediate known vulnerabilities. Without CPE mappings from NVD, correlating CVEs to specific software versions becomes harder. Security teams should:

• Update internal SLAs to account for delayed or missing enrichment data
• Implement manual enrichment processes for CVEs affecting critical containers
• Document alternative data sources used for compliance reporting

Next Steps for Security Teams

To adapt to this new reality, container security programs should take the following actions:

1. Audit your current vulnerability management pipeline. Identify all points where NVD enrichment data is consumed and assess the impact of missing CVSS, CPE, or CWE information.
2. Diversify data sources. Supplement NVD with inputs from OSV, Red Hat, SUSE, or other vendor databases. Many container registries (e.g., Docker Hub) now provide their own vulnerability metadata.
3. Update prioritization algorithms. Reduce reliance on CVSS as a sole metric. Incorporate exploit availability, asset criticality, and environmental context.
4. Engage with NVD proactively. For CVEs that are essential to your compliance posture, submit enrichment requests via nvd@nist.gov, but don't rely on timely responses.
5. Review container image policies. Consider scanning images more frequently and using runtime detection to compensate for missing pre-deployment enrichment.

The NVD shift is a pivotal moment for container security. By rethinking how you consume vulnerability data and prioritizing flexible workflows, you can maintain effective risk management even as the landscape evolves.