RSS

Two Months In: Assessing the Impact of NIST's Enrichment Cutbacks

003random2 pts0 comments

Two Months In: Assessing the Impact of NIST's Enrichment Cutbacks

Complete CVE enrichment without changing your NVD integration.

Get started

Two Months In: Assessing the Impact of NIST's Enrichment Cutbacks<br>Ruben Bos<br>23 Jun, 2026<br>Research

On April 15, NIST announced that it would no longer attempt enrichment for every CVE. Vulnerabilities are still ingested by the National Vulnerability Database, but enrichment is now reserved for a selected subset. Everything else will be marked as Not Scheduled .

That may sound strategic, but is actually problematic. For years, NIST established itself as an authoritative source of vulnerability data. Teams have come to rely on their assessment of CVSS, CWE, and CPE for vulnerability management and automation.

A quick recap

Prior to their announcement in April, NIST had been struggling with a backlog for years. This pile-up of vulnerabilities initially arose in 2024 due to a mix of contract renewal delays and staffing problems:

Source: OIG analysis of NIST data

Our own data confirms that NIST enriched nearly 42,000 CVEs in 2025, a significant increase in operational capacity of 130% over the year before.

Additionally, NIST reported that CVE submissions increased 263% between 2020 and 2025 . Submissions in the first three months of 2026 were already nearly one-third higher than the same period last year.

Despite their best efforts to increase operational capacity, NIST was unable to clear their backlog while processing the high influx of new vulnerabilities. Faced with no long-term solution, that brings us to the operational policy we have now.

Current state

NIST’s recent decision to enrich only a small subset of vulnerabilities has been widely covered, but less so what it means for downstream consumers beyond the fact. With this post, we hope to provide a more comprehensive perspective on the current state of vulnerability data and what it means for vulnerability management.

We looked at the vulnerability data over a two-month period from 2026-04-15 , the day the new prioritization strategy was implemented, all the way through 2026-06-15 .

Coverage

The importance of coverage practically speaks for itself. Without enrichment, you may be blind to the vulnerabilities that impact you and how severe they are.

Within the review window, 13,441 non-rejected CVEs were published. No more than 8,342 were prioritized for enrichment by NIST. This leaves 5,099 CVEs that were not scheduled for enrichment under the current prioritization model.

However, out of those to-be-enriched vulnerabilities, only 6,759 actually received NIST analysis. This means that 1,583 CVEs were published and selected for enrichment, but remain unanalyzed.

Of the vulnerabilities that did receive a NIST analysis, only 2,645 received a NIST CVSS vector. That is roughly 20% of all CVEs published within the reviewed period.

A fifth of all vulnerabilities isn’t much, but is likely due to NIST choosing to omit CVSS where the CNA had already provided it. However, CNA vectors are produced by many different organizations, each with varying levels of expertise, bias, and consistency. This is why NIST vectors were in demand. They came from an independent and, on paper, knowledgeable and reputable source. FedRAMP makes that dependency explicit. Cloud providers must use NIST’s CVSS v3.x score. A strategy that is no longer viable.

Product mapping held up better in comparison, but leaves definite room for improvement: out of the 8,342 prioritized CVEs, 6,755 received CPE assignment. That still leaves 1,587 prioritized CVEs without standardized product mappings from NIST.

CPEs are the backbone of asset inventories, and since NIST is solely responsible for maintenance of the official CPE dictionary, this should be a priority, if anything.

Speed

Coverage is only part of the picture. Even if enrichment does eventually arrive, timeliness matters. For teams that depend on vulnerability data in active workflows, a delay can be the difference between same-day triage and a growing queue of unknown, unprocessed findings.

The monthly comparison below shows the median time-to-analysis by month in 2026.

MonthNIST Time To AnalysisJanuary10 days, 14 hours, 54 minutesFebruary4 days, 19 minutesMarch3 days, 16 hours, 39 minutesApril5 days, 20 hours, 51 minutesMay3 days, 18 hours, 4 minutesJune1 day, 22 hours<br>Note that median time-to-analysis is biased in NIST’s favor. The weekly status breakdown below shows why the current median understates the real delay.

Each week still includes older CVEs in Awaiting Analysis status. Because those cases are still in progress, they cannot yet be included in the completed-case timing statistics, which makes the current median understate the true delay.

Another way to test whether the new strategy is working is to compare how many CVEs were prioritized for enrichment each week against how many initial analyses NIST completed that same week.

There is no perfectly stable pattern...

nist enrichment cves vulnerabilities vulnerability data

Related Articles

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.