The National Institute of Standards and Technology (NIST) has announced it will narrow its focus for analyzing security vulnerabilities due to an overwhelming influx of defects. This change aims to ensure the long-term sustainability of the National Vulnerability Database (NVD), which has previously faced challenges including a funding lapse earlier this year that halted its operations.
Under the new policy, NIST will prioritize analysis for Common Vulnerabilities and Exposures (CVEs) that appear on the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerabilities catalog, are used within the federal government, or are deemed critical under Executive Order 14028. This represents a shift from its previous, broader approach to vulnerability assessment.
NIST Prioritizes Vulnerability Analysis Amidst Rising Defects
NIST reported analyzing nearly 42,000 vulnerabilities in the past year, noting a substantial increase in CVE submissions. Submissions have surged 263% from 2020 to 2025, and the trend shows no signs of slowing down. Indicators suggest that submissions in the first quarter of 2026 are already significantly higher than the same period in the previous year.
The surge in vulnerabilities is a widespread issue affecting various sectors. For example, Microsoft recently addressed 165 vulnerabilities in one month, one of the largest batches of defect fixes the company has ever released.
Impact on the Vulnerability Database
CVEs that do not meet NIST’s newly defined criteria will still be listed in the NVD. However, these entries will not automatically receive the additional metadata and analysis that NIST previously provided. This prioritization strategy is intended to allow the agency to concentrate its resources on vulnerabilities with the most significant potential for widespread impact.
NIST stated that while unprioritized CVEs may still affect systems, they generally do not pose the same level of systemic risk as those falling into the prioritized categories. This approach seeks to balance the need to manage the growing volume of CVEs with maintaining the database as a reliable resource.
Industry Reaction and Future Implications
Researchers and threat hunters who work with CVE Numbering Authorities (CNAs) and vendors view NIST’s updated policy as a necessary adjustment. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, commented that NIST was significantly behind in classifying CVEs and that this change allows for a more focused effort.
The shift is expected to influence the broader vulnerability research community. It may also increase reliance on alternative sources of vulnerability information, potentially giving the private companies and organizations that provide such data greater prominence in cybersecurity defense strategies.
Caitlin Condon, vice president of security research at VulnCheck, previously noted that the sheer volume of vulnerabilities makes prioritization a persistent challenge for defenders. VulnCheck’s analysis of over 40,000 new vulnerabilities cataloged last year found that only a small fraction, just 1%, were actively exploited in the wild.
Additionally, NIST is working to reduce duplication of effort by leaning more on CNAs for initial assessments. According to the agency, CVEs that arrive with a reported severity score will no longer undergo a separate CVSS score evaluation by NIST. While NIST will continue to be the ultimate governmental authority for such assessments, the agency acknowledges these changes will affect its user base.
NIST emphasized that this risk-based approach is crucial for managing the current surge in submissions and aligning its efforts with user needs. The agency aims to ensure that the NVD remains a sustainable and accessible source of information on cybersecurity vulnerabilities by adapting to contemporary challenges.
Moving forward, NIST will continue to monitor the effectiveness of its new prioritization strategy. The agency will also likely assess the impact on the cybersecurity ecosystem and may consider further adjustments as the threat landscape evolves. The ongoing backlog of unenriched CVEs from earlier disruptions remains a point of attention for the NVD program.

