NVD Enrichment Changes: What Container Security Teams Need to Know

Introduction

On April 15, the National Institute of Standards and Technology (NIST) announced a significant shift in how it enriches vulnerabilities in the National Vulnerability Database (NVD). While most Common Vulnerabilities and Exposures (CVEs) will continue to be published, fewer will receive the detailed enrichment—such as CVSS scores, CPE mappings, and CWE classifications—that many container security scanners and compliance tools have long depended on. This change formalizes a trend that has been apparent for the past two years, and it now makes clear that NIST does not plan to return to full-coverage enrichment. For teams that built their vulnerability management and prioritization workflows around the NVD as a comprehensive secondary layer over raw CVE data, this is a critical moment to reassess.

Source: www.docker.com

The New Prioritization Model

Under the updated model, NIST will fully enrich only three categories of CVEs:

  • CVEs listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, processed within one business day
  • CVEs affecting software used by the U.S. federal government
  • CVEs affecting “critical software” as defined by Executive Order 14028

All other CVEs will be placed into a new “Not Scheduled” status. Organizations can still request enrichment by emailing nvd@nist.gov, but no service-level timeline applies. Additionally, NIST will no longer duplicate CVSS scores when the submitting CNA already provides one, and all unenriched CVEs published before March 1, 2026, have been moved into “Not Scheduled.” This means that the vast majority of CVEs in the NVD will no longer carry the enriched metadata that security tools historically relied on for automated risk scoring and software inventory matching.

Impact on Container Security Programs

For container security programs, the implications are substantial. Most container vulnerability scanners use NVD enrichment data—particularly CPE (Common Platform Enumeration) mappings—to match vulnerabilities against the software components in container images. Without CPE mappings, scanners struggle to accurately identify whether a CVE applies to a specific package. Similarly, CVSS scores drive automated prioritization, and CWE classifications help categorize vulnerability types. Without these, security teams may face an influx of “unknown severity” or “unmatched” vulnerabilities, increasing manual analysis workload and potentially slowing down incident response.

Compliance programs that rely on NVD data for SLAs and reporting will also need adjustment. For example, policies that require scanning and remediation within a certain number of days after a CVE receives a CVSS score become less practical when many CVEs will never receive that score from NIST. Security teams should prepare for a scenario where they must independently assess CVSS scores using other sources, such as the CVSS data from the CVE’s originating CNA (if available) or third-party vulnerability databases.

Behind the Decision: Rising CVE Volumes

NIST cited a 263% increase in CVE submissions between 2020 and 2025 as the primary driver. In the first quarter of 2026 alone, submissions ran roughly one-third higher than the same period the previous year. This surge reflects a broader expansion in the CVE ecosystem: more organizations are becoming CVE Numbering Authorities (CNAs), more open-source projects run their own disclosure processes, and more automated tooling surfaces issues that likely would not have become CVEs just a few years ago. The table below illustrates the growth trend:

Year   Published CVEs   Source
2023   ~29,000          NVD

Given these volumes, NIST determined that maintaining full enrichment for every CVE was no longer sustainable. The agency now prioritizes enrichment for CVEs that pose the most immediate risk to government systems and critical infrastructure.

What Container Security Programs Should Do Now

To adapt to this change, container security teams should consider the following actions:

  1. Review your scanning configuration. Many scanners offer options to fetch CVSS scores from alternate sources (e.g., the CNA directly, or third-party aggregators). Enable these to reduce reliance on NVD-only enrichment.
  2. Build fallback enrichment logic. For CVEs in “Not Scheduled” status, implement automated processes to fetch CVSS from the CNA’s public advisory, or use community-driven scores from services like the FIRST CVSS SIG.
  3. Update prioritization and SLA policies. Instead of tying remediation deadlines to NVD enrichment dates (like “fix within 30 days of CVSS assignment”), move to policies based on CVE publication date or confirmed exploitability (e.g., CISA KEV inclusion).
  4. Monitor NVD enrichment requests. For critical vulnerabilities not falling into the three priority categories, consider submitting an enrichment request to NVD—but plan for asynchronous processing without guaranteed timelines.
  5. Evaluate commercial vulnerability intelligence feeds. Several vendors provide enriched vulnerability data with broader coverage and faster processing than NVD. If your organization relies heavily on automated risk scoring, this may be a worthwhile investment.
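As an added example, not code from the original article or from Docker's tooling, the fallback and policy logic from steps 2 and 3 above (and the KEV-first model described earlier) in Python: prefer NVD's own CVSS, fall back to the CNA's score, flag unscored CVEs for an enrichment request, and set deadlines from publication date and KEV membership rather than enrichment date. The record layout loosely mirrors the NVD API 2.0 JSON shape (cvssMetricV31 entries carrying a source), which is an assumption; the KEV set, policy windows and sample records are constructed.

```python
from datetime import datetime, timedelta

NVD_SOURCE = "nvd@nist.gov"

# Policy windows in days are constructed placeholders; tune to your own SLA.
WINDOWS = {"kev": 3, "critical": 7, "high": 30, "medium": 90, "low": 180, "unscored": 14}

# Constructed KEV membership; a real feed would be loaded from CISA's catalog.
KEV = {"CVE-0000-0001"}

# Constructed records in a layout loosely modelled on the NVD API 2.0 JSON (assumption).
SAMPLE = [
    {"id": "CVE-0000-0001", "published": "2026-03-10T00:00:00", "vulnStatus": "Not Scheduled",
     "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "cvssData": {"baseScore": 8.8}}]}},
    {"id": "CVE-0000-0002", "published": "2026-03-12T00:00:00", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE, "cvssData": {"baseScore": 5.3}},
                                   {"source": "cna@example.org", "cvssData": {"baseScore": 7.5}}]}},
    {"id": "CVE-0000-0003", "published": "2026-03-14T00:00:00", "vulnStatus": "Not Scheduled",
     "metrics": {}},
]


def pick_cvss(cve):
    """Return (baseScore, provenance). Prefer NVD's own enrichment, then the CNA's
    score (NVD no longer duplicates it), else None so the gap stays visible."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    for m in metrics:
        if m.get("source") == NVD_SOURCE:
            return m["cvssData"]["baseScore"], "nvd"
    for m in metrics:  # any non-NVD entry is treated as the CNA's score
        return m["cvssData"]["baseScore"], "cna"
    return None, "none"


def severity(score):
    """Map a CVSS v3.1 base score to a bucket; None means no score from any source."""
    if score is None:
        return "unscored"
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"


def triage(cve, kev):
    """Due date is anchored to the publication date, tightened by KEV inclusion,
    so a CVE that never gets NVD enrichment still lands in a queue."""
    score, provenance = pick_cvss(cve)
    bucket = "kev" if cve["id"] in kev else severity(score)
    due = datetime.fromisoformat(cve["published"]) + timedelta(days=WINDOWS[bucket])
    return {"id": cve["id"], "score": score, "score_source": provenance, "bucket": bucket,
            "due": due.date().isoformat(),
            # only worth an nvd@nist.gov request when nobody scored it and it is not already KEV
            "request_enrichment": provenance == "none" and bucket != "kev"}


if __name__ == "__main__":
    for record in SAMPLE:
        print(triage(record, KEV))
```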

Finally, keep an eye on NIST’s future announcements. The agency has indicated it may adjust its model based on community feedback. In the meantime, shifting from a single-source dependency to a multi-source enrichment strategy will help container security programs remain robust and responsive.
