# NIST Introduces CVE Prioritization: How This Will Change Vulnerability Management
The National Institute of Standards and Technology (NIST) has officially shifted to a risk-based model for processing vulnerabilities. Starting April 15, 2026, only CVEs meeting strict priority criteria will receive full analytical processing in the National Vulnerability Database (NVD). The rest will be marked as "Not Planned." This decision stems from a 263% surge in CVE requests from 2020 to 2025 and the inability to sustain the previous level of manual data enrichment.
Why NIST Changed Its Approach to Processing CVEs
The volume of data on new vulnerabilities has reached a critical point. In 2025, NVD recorded nearly 42,000 CVEs—a 45% increase over any previous year. In the first three months of 2026, requests rose another third. Meanwhile, NIST's resources are limited, and manual verification and enrichment of each record demand significant time and personnel.
Previously, NIST aimed to provide uniform, comprehensive information for all vulnerabilities: CVSS scores, technical details, and links to fixes. Now, the institute acknowledges that this model is outdated. The goal of the new strategy is to focus on vulnerabilities with the greatest potential for widespread impact on infrastructure and security.
Prioritization Criteria: Which CVEs Will Get Processed
Under the updated policy, full processing in NVD is guaranteed only for the following categories of vulnerabilities:
- Vulnerabilities included in the Known Exploited Vulnerabilities (KEV) catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA);
- Vulnerabilities in software used by the U.S. federal government;
- Vulnerabilities in critical software as defined under Executive Order 14028. Such software includes systems that:
- Operate with elevated or managed privileges;
- Have privileged access to network or computing resources;
- Control access to data or operational technologies;
- Function beyond normal trust boundaries with expanded rights.
All other CVEs will automatically receive "Not Planned" status. This doesn't mean they're removed from the database—they remain in NVD, but without additional analysis from NIST.
Changes to NVD Workflows
In addition to prioritization, NIST has made several technical and procedural adjustments:
- No more duplicate CVSS scores: If the CVE Program has already provided a severity score, NIST will no longer issue its own.
- Reanalysis only for significant impact: Changes to already processed CVEs won't trigger automatic review unless they substantially affect the processing data.
- Bulk movement of old records: All unprocessed CVEs published before March 1, 2026, have been moved to "Not Planned" status, except those already in KEV.
- Interface and label updates: The NVD dashboard now shows the real-time processing status for each vulnerability.
Users can request processing for a specific CVE by emailing [email protected]. However, NIST reserves the right to decline if the vulnerability doesn't meet the risk criteria.
Implications for the Industry and Security Practices
This move marks the end of the era of centralized, government-led assessment of all vulnerabilities. As Caitlin Condon (VulnCheck) notes, "We no longer live in a world where manual enrichment of new vulnerabilities is a viable strategy."
For organizations, this means shifting to proactive risk management:
- Integrating external data sources (including commercial platforms and open-source feeds);
- Automating prioritization based on context: active exploitation, KEV inclusion, and use in your own infrastructure;
- Moving away from blind reliance on CVSS scores toward analysis of real exploitability and business impact.
David Lindner (Contrast Security) emphasizes: "Relying on a carefully curated set of valuable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor flaw."
Key Takeaways
- NIST no longer processes all CVEs—only those meeting high-risk criteria.
- Non-priority vulnerabilities stay in NVD but without CVSS scores or additional NIST analysis.
- Organizations need to overhaul vulnerability management processes, emphasizing context and real threats.
- Requests for non-priority CVE processing are possible but not guaranteed to be acted on by NIST.
- The trend points to decentralization and specialization in the cybersecurity ecosystem.
— Editorial Team
No comments yet.