NIST’s Shift in Vulnerability Enrichment: What Container Security Teams Need to Know

In April 2025, the U.S. National Institute of Standards and Technology (NIST) announced a significant change to how the National Vulnerability Database (NVD) enriches Common Vulnerabilities and Exposures (CVEs). The new model prioritizes enrichment for a select subset of vulnerabilities, leaving many CVEs without the detailed scoring and mappings that security tools have long relied upon. This shift formalizes a trend visible over the past two years, where enrichment delays and gaps had already strained container security and vulnerability management workflows. Below, we answer key questions about what changed, why it happened, and how to adapt.

What exactly changed in NIST’s NVD enrichment model?

On April 15, 2025, NIST introduced a prioritized enrichment model for the National Vulnerability Database. Previously, the agency aimed to enrich nearly all published CVEs with CVSS scores, CPE mappings, and CWE classifications. Now, full enrichment is reserved for three categories: CVEs listed in CISA’s Known Exploited Vulnerabilities catalog (targeted within one business day), CVEs affecting software used by the U.S. federal government, and CVEs tied to “critical software” as defined under Executive Order 14028. All other CVEs are placed in a “Not Scheduled” status, meaning they may never receive enrichment unless specifically requested via email to nvd@nist.gov — and even then, there’s no guaranteed timeline. NIST also stopped duplicating CVSS scores when the submitting CNA already provides one. This change formalizes a drift that had been visible for years: what was an unstated practice is now official policy.

NIST’s Shift in Vulnerability Enrichment: What Container Security Teams Need to Know
Source: www.docker.com

Why did NIST decide to narrow its vulnerability enrichment?

The primary driver behind NIST’s decision is the explosive growth in CVE submissions. Between 2020 and 2025, the number of CVEs published annually surged by 263%. In Q1 2026 alone, submissions were roughly a third higher than the same period in 2025. This increase stems from more CVE Numbering Authorities (CNAs), more open-source projects running their own disclosure processes, and more automated tools that surface vulnerabilities that would not have become CVEs a few years ago. NIST’s enrichment resources simply could not keep pace. By focusing on the most critical vulnerabilities—those exploited in the wild, those affecting federal systems, and those in critical software defined by Executive Order—the agency aims to allocate its limited capacity where it has the greatest security impact. For container security programs that assumed NVD would enrich everything, this shift forces a reassessment of how to prioritize vulnerability response.

How does this change affect container security and vulnerability scanning?

Container security programs have historically relied on NVD enrichment as a foundational layer for scanning, prioritization, and SLA workflows. Tools like container image scanners parse NVD’s CVSS scores and CPE mappings to determine which CVEs are most severe and whether they apply to a given software package. With NVD now leaving many CVEs unenriched, these tools will have incomplete data. Scanners may either ignore “Not Scheduled” CVEs entirely (creating blind spots) or treat them all as high severity (causing alert fatigue). Compliance frameworks that mandate CVSS-based SLAs may become impossible to follow for unenriched vulnerabilities. For example, if a scanner detects a CVE in a container image but NVD has not assigned a score, security teams cannot automatically apply a prioritization policy. This disruption hits hardest for organizations that moved quickly to containerization without building alternative enrichment pipelines. The old assumption that NVD would always provide authoritative enrichment no longer holds.

Can organizations still get a CVE enriched by NIST if they need it?

Yes, but with caveats. NIST allows organizations to request enrichment for specific CVEs by emailing nvd@nist.gov. However, there is no service-level agreement or defined timeline for fulfillment. Given the volume of requests expected and NIST’s stated resource constraints, responses may be slow or nonexistent for less critical vulnerabilities. The process is essentially a manual exception path, not a scalable solution for enterprises tracking thousands of CVEs daily. Additionally, NIST will prioritize requests that align with its three enrichment categories—exploited vulnerabilities, federal software, and critical software—so requests for other CVEs may be deprioritized further. For container security teams, relying on this email-based system is impractical. Instead, organizations should invest in alternative enrichment sources, such as vendor-supplied data, community-driven feeds, or commercial threat intelligence services that independently score and map CVEs. The NIST request option is a safety net, not a replacement for a robust enrichment strategy.

Which CVEs will still receive full enrichment under the new model?

NIST has outlined three clear categories that will continue to get full enrichment, with the first category targeted for completion within one business day. First, any CVE listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog receives immediate priority. Second, CVEs that affect software used within the U.S. federal government are enriched as a matter of operational need. Third, CVEs tied to “critical software” as defined by Executive Order 14028 are covered. Outside these three buckets, CVEs are placed in a “Not Scheduled” status. Importantly, NIST has also backdated this policy: all CVEs published before March 1, 2026 that were not already enriched have been moved to “Not Scheduled.” That means even historical vulnerabilities may now lack scoring and mappings. For container security teams, the key takeaway is that only a tiny fraction of total CVEs will be enriched. Most vulnerabilities affecting custom or niche container images—especially those not in the KEV catalog or used by the government—will fall into the unenriched category.


What is Executive Order 14028 and why does it define “critical software” for enrichment?

Executive Order 14028, titled “Improving the Nation’s Cybersecurity,” was signed by President Biden in May 2021. It mandates that NIST develop standards and guidelines for securing the software supply chain. Under this EO, NIST defined “critical software” as software that performs functions critical to trust, such as operating systems, cloud platforms, network devices, and hardware with firmware. The definition was later refined in NIST Special Publication 800-218. In the context of the NVD enrichment change, vulnerabilities affecting software that meets this definition are prioritized because such software underpins national security, economic stability, and critical infrastructure. For container security, this means that vulnerabilities in base images like Alpine, Ubuntu, or Red Hat may not automatically qualify unless those images are used in systems designated as critical by the federal government. However, if your container runs software that falls under the EO’s definition—such as a web server used for federal services—then related CVEs would be enriched. Understanding this definition helps security teams anticipate which vulnerabilities in their container environments will receive NIST attention.

How should container security programs adapt to this new NVD model?

First, security teams must stop treating NVD enrichment as a guaranteed service. Instead, build a multi-source vulnerability intelligence pipeline. Use vendor CVSS scores directly from the CVE Numbering Authorities (CNAs) where available. Integrate with commercial threat intelligence feeds that supplement NVD data with their own scoring algorithms, such as EPSS or custom risk scoring. Second, adjust prioritization policies to handle “Not Scheduled” CVEs. For example, assign a temporary placeholder severity based on factors like exploitability evidence, reachability analysis, and asset criticality rather than waiting for a CVSS score. Third, review compliance obligations. If your SLAs rely on CVSS thresholds from NVD, renegotiate them with internal stakeholders and auditors to account for the new reality. Fourth, automate enrichment requests only for truly high-value CVEs (e.g., those flagged by runtime detection as actively attacked). Finally, consider participating in community efforts like OSS-Fuzz or OpenCVE to share enrichment costs. The NVD shift is permanent; the most resilient programs will be those that diversify their enrichment sources and automate prioritization independent of NVD’s now-limited data.
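A worked fallback for the adaptation steps above, and for the scanner blind-spot versus alert-fatigue problem described earlier: an added Python example, not Docker’s or NIST’s code, that prefers NVD and then CNA CVSS scores and otherwise assigns a placeholder tier from KEV status, EPSS, reachability and asset criticality. The record fields, tier thresholds and sample findings are assumptions constructed for illustration.

```python
# Added example (not Docker's or NIST's code); field names, thresholds and sample data are assumptions.
from dataclasses import dataclass
from typing import Optional

TIERS = ["P1", "P2", "P3", "P4"]  # P1 = fix now ... P4 = track only

@dataclass
class CveRecord:
    cve_id: str
    nvd_cvss: Optional[float]   # None when NVD status is "Not Scheduled"
    cna_cvss: Optional[float]   # score published by the submitting CNA, if any
    epss: Optional[float]       # exploit-prediction probability (0..1), if known
    in_kev: bool                # listed in CISA's KEV catalog
    reachable: bool             # vulnerable package actually loaded by the workload
    asset_criticality: str      # "low" | "medium" | "high" (from the asset inventory)

def shift(tier: str, steps: int) -> str:  # move within P1..P4, clamped at both ends
    return TIERS[min(max(TIERS.index(tier) + steps, 0), len(TIERS) - 1)]

def prioritize(rec: CveRecord) -> dict:
    """Return a tier plus the evidence used, so a "Not Scheduled" CVE is neither
    dropped (blind spot) nor blanket-escalated to high severity (alert fatigue)."""
    if rec.in_kev:                       # exploited in the wild: no score needed
        return {"cve": rec.cve_id, "tier": "P1", "basis": "kev", "needs_enrichment": False}
    score, basis = (rec.nvd_cvss, "nvd") if rec.nvd_cvss is not None else (rec.cna_cvss, "cna")
    if score is None:                    # neither NVD nor the CNA scored it
        basis = "placeholder"
    if score is not None:                # authoritative CVSS from NVD or the CNA
        tier = "P1" if score >= 9.0 else "P2" if score >= 7.0 else "P3" if score >= 4.0 else "P4"
    elif rec.epss is not None and rec.epss >= 0.1:   # exploitability evidence stands in for CVSS
        tier = "P2"
    else:
        tier = "P3"                      # unknown severity: keep it visible, not urgent
    if not rec.reachable:                # reachability analysis: code is never loaded
        tier = shift(tier, 1)
    if rec.asset_criticality == "high":  # asset criticality: internet-facing or regulated
        tier = shift(tier, -1)
    return {"cve": rec.cve_id, "tier": tier, "basis": basis, "needs_enrichment": basis == "placeholder"}

# Constructed sample findings from one image scan (placeholder CVE ids, not real data).
SAMPLE = [
    CveRecord("CVE-0000-0001", 9.8, 9.8, 0.9, True, True, "high"),        # fully enriched and in KEV
    CveRecord("CVE-0000-0002", None, 7.5, 0.02, False, False, "low"),     # NVD Not Scheduled, CNA scored
    CveRecord("CVE-0000-0003", None, None, 0.4, False, True, "high"),     # no score; EPSS says likely exploited
    CveRecord("CVE-0000-0004", None, None, None, False, False, "medium"), # no evidence at all
]

def triage(records) -> dict:  # cve id -> prioritization result for the whole scan
    return {r.cve_id: prioritize(r) for r in records}
```

Records whose `needs_enrichment` flag is set are the only ones worth spending an nvd@nist.gov request on; the rest already carry enough evidence for an SLA decision.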
