NIST will stop assigning severity scores and enriching lower-priority CVEs in the NVD starting April 15, focusing analysis only on issues that meet specific risk-based criteria such as inclusion in CISA’s KEV, impact on U.S. federal software, or designation as critical under Executive Order 14028. All submitted CVEs will remain listed but non-prioritized entries will be marked “Not Scheduled” for enrichment, with NIST accepting enrichment requests via [email protected]. #NIST #NVD
Keypoints
- NIST will cease assigning severity scores to lower-priority vulnerabilities beginning April 15.
- The NVD will only provide additional details for CVEs meeting criteria like CISA’s KEV, federal impact, or EO 14028 critical software.
- All CVEs will still be listed in the NVD, but non-prioritized entries will be labeled “Not Scheduled” and rely on CNA-provided ratings.
- NIST cited a 263% surge in submissions and said it enriched 42,000 CVEs in 2025 but can no longer keep up with volume.
- NIST will accept enrichment requests for low-priority CVEs via email at [email protected].