
Most security teams are running a vulnerability management program built on an assumption that is no longer true.
On April 15, NIST announced that the National Vulnerability Database would move to a "risk-based model." The announcement was carefully worded. What it actually said, translated out of agency language, is this: NIST can no longer enrich most CVEs, and it is stopping. Effective immediately.
From that date forward, only three categories of vulnerabilities get full enrichment: those in CISA's Known Exploited Vulnerabilities catalog, those affecting federal government software, and those covering critical software under Executive Order 14028. Everything else gets a new status label: "Lowest Priority -- not scheduled for immediate enrichment." The backlog of unenriched CVEs published before March 1, 2026 moved to "Not Scheduled." No timeline. No SLA. The request mechanism for getting an unscheduled CVE enriched is an email address. [1]
That covers roughly 80% of anticipated CVE volume going forward. [2]
What enrichment actually does
A raw CVE record is an identifier and a description. It tells you a vulnerability exists. That is all. The severity score, the Common Platform Enumeration strings that match the CVE to specific software products, the Common Weakness Enumeration mapping that tells you the root cause class -- that context is what enrichment provides. It is the translation layer between "a vulnerability was disclosed" and "here is what it means for your environment."
Every major vulnerability scanner, patch management platform, and compliance reporting tool was architected around the assumption that this translation would happen for every CVE, automatically and on a reasonable timeline. Your scanner flags a CVE, looks up the NVD record, pulls the CVSS score, and maps it to your asset inventory via CPE strings. That is the workflow. That workflow now depends on data that may not exist for the majority of what gets disclosed.
CVEs outside the three priority categories still appear in the NVD. They appear without severity scores, without CPE product mappings, and without weakness classifications. If your tooling depends on that enrichment to surface and prioritize findings, you are going to miss things. You probably will not know you are missing them, because the record is there and the absence of metadata is invisible unless you know to check individual CVE status labels. Most teams do not check. [3]
What the three categories actually cover
The KEV catalog contains vulnerabilities already confirmed in active exploitation. Federal software covers what government agencies run. EO 14028 critical software covers identity systems, operating systems, hypervisors, and container environments.
Your ERP system is probably not in any of those categories. Your CRM is not. Your industry-specific line-of-business software is not. Most of the shared libraries your development team is running are not. NIST enriched nearly 42,000 CVEs in 2025 -- 45% more than any prior year -- and still fell further behind. CVE submissions increased 263% between 2020 and 2025, and the first three months of 2026 were already running a third higher than the same period last year. A Cisco principal engineer has forecast 70,135 CVEs by year end. [4]
NIST's response to that math was to redefine scope. I do not think that is a failure of competence. The agency was honest about the constraint and honest about the decision. What concerns me is what the decision exposed: there is no institution designated responsible for enriching vulnerabilities that fall outside those three categories. CISA KEV covers confirmed exploitation. The space between "reported" and "exploited" -- which is exactly where defenders need actionable intelligence to prevent exploitation -- is now formally unowned. [1]
The accountability failure
This is a Response failure in the Vordan framework, and it runs deeper than NIST's capacity problem.
The structural response to a capacity crisis at a national security database was to redraw the boundary of what the database covers, not to close the gap the redrawing created. No institution has been designated to fill what NIST is stepping back from. There is no distributed enrichment model standing behind this decision. There is an email address and a statement that NIST "will consider" enriching lower-priority CVEs as resources allow. [1]
I have been in enough vendor meetings to know what "will consider as resources allow" means in practice. It means no.
The private sector organizations that built vulnerability management programs on NVD completeness were not notified that the coverage model had changed in any operational sense. NIST published an announcement. Security teams who read it closely now know. Security teams who did not are still operating their programs on the old assumption, generating reports, setting remediation SLAs, and checking compliance boxes against a data layer that no longer covers most of their commercial software stack.
That is the information asymmetry. The gap is invisible unless you go looking for it. [2][3]
The compound problem
The timing makes this worse, and not in a way that is obvious from the NIST announcement alone.
The threat actors that have been most operationally successful recently are not running CVE-dependent attack chains. The Gentlemen ransomware group's documented methodology -- analyzed from their own internal data -- shows initial access via infostealer credential logs purchased from criminal markets, not zero-days or unpatched vulnerabilities. Valid credentials bypass endpoint detection entirely. They require no CVE. They leave no trace distinguishable from legitimate access. Eighty percent of their victims had prior infostealer infections before the ransomware group ever touched them.
The security intelligence infrastructure is narrowing its coverage at the exact layer attackers are already moving away from. The NVD enrichment gap is growing for CVE-based threats. The credential-based attack surface, which has no CVE-equivalent database and no NIST equivalent watching it, is expanding. Those two lines are moving in opposite directions, and nobody is responsible for the space between them.
What your program should do now
Audit your vulnerability management tooling. Find out whether your scanner, your patch platform, and your compliance reporting tools depend on NVD CPE mappings and CVSS scores to surface and prioritize findings. If they do, you are operating with a coverage assumption that is no longer valid.
Check the enrichment status of your highest-priority open CVEs. Any CVE outside the KEV, federal software, and EO 14028 categories may now carry a "Not Scheduled" status. If it does, it has no NIST-validated severity score, no CPE mapping, and no weakness classification unless a third party or the CVE Numbering Authority provided them independently. Know which of your tools have independent enrichment pipelines and which ones do not. [3]
For CVEs in your open backlog that matter to your environment, request enrichment via [email protected]. Understand that this is not a scalable model for a high-volume program. It is a manual escape valve with no published SLA.
Stop treating NVD completeness as a baseline assumption. The NVD has not been complete since the backlog started building in early 2024. April 15 is the date NIST said so officially.
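One way to make the gap visible in a scanner pipeline, as an added example that is not part of this alert or of any NVD tooling: it walks records in the NVD API 2.0 response shape and reports, per CVE, which enrichment pieces are absent, checking the data itself rather than trusting the status label. The sample records, the CVE-EXAMPLE identifiers and the "Not Scheduled" status strings are constructed assumptions; the nvd@nist.gov source tag is the one NVD places on its own Primary metrics.

```python
import json

# Constructed sample in the NVD API 2.0 response shape. IDs are placeholders,
# and the "Not Scheduled" status strings are assumptions about the new labels.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-EXAMPLE-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                            "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                             "description": [{"lang": "en", "value": "CWE-787"}]}],
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:erp:1.0:*:*:*:*:*:*:*"}]}]}]}},
    # Only the CNA supplied a score; NIST added no CPE or CWE data.
    {"cve": {"id": "CVE-EXAMPLE-0002", "vulnStatus": "Not Scheduled",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.com", "type": "Secondary",
                                            "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    # Bare record: identifier and status only, which a scanner keyed on NVD metadata silently drops.
    {"cve": {"id": "CVE-EXAMPLE-0003", "vulnStatus": "Not Scheduled"}},
]})

NIST_SOURCE = "nvd@nist.gov"  # source tag NVD puts on its own Primary metrics
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def enrichment_gaps(nvd_json: str) -> list[dict]:
    """Return, per CVE, which enrichment pieces are absent. Checks the data,
    not the status label, so it also catches records whose label is stale."""
    report = []
    for item in json.loads(nvd_json).get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        scores = [m for key in CVSS_KEYS for m in metrics.get(key, [])]
        nist_scored = any(m.get("source") == NIST_SOURCE for m in scores)
        has_cpe = any(node.get("cpeMatch")
                      for cfg in cve.get("configurations", []) for node in cfg.get("nodes", []))
        cwes = [d["value"] for w in cve.get("weaknesses", [])
                for d in w.get("description", []) if d.get("value", "").startswith("CWE-")]
        missing = []
        if not scores:
            missing.append("cvss")        # no severity from anyone
        elif not nist_scored:
            missing.append("nist_cvss")   # CNA/third-party score only, not NIST-validated
        if not has_cpe:
            missing.append("cpe")         # nothing to match against an asset inventory
        if not cwes:
            missing.append("cwe")         # no root-cause class
        report.append({"id": cve["id"], "status": cve.get("vulnStatus", ""), "missing": missing})
    return report
```

Any row with a non-empty `missing` list cannot be prioritized from NVD data alone and needs an independent enrichment source or manual triage.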
Vordan publishes Gap Alerts when an accountability gap crosses the threshold of operational consequence. Gap Alert Six covered the resolution of the Instructure breach. This alert covers the intelligence layer underneath the programs meant to prevent the next one.
SOURCES
[1] NIST -- "NIST Updates NVD Operations to Address Record CVE Growth" -- nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth
[2] Cloud Security Alliance Lab Space -- "NVD Enrichment Triage: Enterprise Vulnerability Programs Must Adapt" -- labs.cloudsecurityalliance.org/research/csa-research-note-nist-nvd-enrichment-policy-change-20260419
[3] The Hacker News -- "NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions" -- thehackernews.com/2026/04/nist-limits-cve-enrichment-after-263.html
[4] Infosecurity Magazine -- "NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities" -- infosecurity-magazine.com/news/nvd-enrichment-premarch-2026
