NIST’s Failure to Keep Pace Endangers the Digital Ecosystem


Key Takeaways

  • The National Vulnerability Database (NVD) is a foundational public good that enriches CVE identifiers with severity scores, affected systems, and remediation guidance.
  • Explosive growth in vulnerability submissions (up 263 % from 2020 to 2025) has overwhelmed NIST’s 21‑analyst team, forcing a shift from universal enrichment to risk‑based triage.
  • The new policy prioritizes CVEs that are actively exploited, affect federal systems, or involve “critical software” under Executive Order 14028; all others are marked “Not Scheduled” and remain unenriched unless requested.
  • Structural fragility in the CVE program (MITRE funding volatility) and looming volume spikes—potentially exceeding 70,000 CVEs in 2026 with AI‑driven threat discovery—compound the strain.
  • A narrowed enrichment model risks amplifying inequality, fragmenting the shared vulnerability reference, and eroding public trust, especially for small organizations that lack commercial threat‑intelligence budgets.
  • Policymakers should treat NIST’s enrichment function as critical infrastructure, providing dedicated appropriations that scale with CVE volume and expanding analyst capacity to restore universal enrichment as the baseline.
  • While automation and workflow improvements help, they cannot substitute for sustained resource investment; the marginal cost of full resourcing is low compared with the ecosystem‑wide value delivered.

Overview of the NVD and Its Role
The United States relies on the National Vulnerability Database (NVD) as a quiet but indispensable pillar of its cybersecurity ecosystem. Maintained by the National Institute of Standards and Technology (NIST), the NVD takes the raw Common Vulnerabilities and Exposures (CVE) identifiers assigned by MITRE and enriches them with expert analysis: severity scores (CVSS), affected product versions, remediation advice, and contextual notes. This enrichment transforms a simple list of flaw identifiers into a shared language that defenders, vendors, insurers, researchers, and government agencies use to prioritize patches and assess risk. Because the NVD is freely available, it functions as a public good that levels the playing field for organizations that cannot afford proprietary threat‑intelligence feeds.

Recent Changes by NIST
Faced with relentless growth in vulnerability disclosures, NIST announced a fundamental shift in how it handles CVE enrichment. Moving forward, the agency will no longer strive to enrich every submitted CVE. Instead, it will prioritize three categories: (1) vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation; (2) flaws affecting software used by the federal government; and (3) issues involving “critical software” as defined by Executive Order 14028. All other CVEs will remain searchable in the NVD but will be labeled “Not Scheduled,” meaning they will not receive the standard enrichment unless a specific request is made. This change reflects a pragmatic acknowledgment of resource limits rather than a strategic redesign of the vulnerability‑management process.
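The practical consequence of this policy for a defender is that some CVEs in your own scan output will arrive with no NVD severity score or affected-product data. The following is an added example, not code from the article or from NIST, that sorts a set of CVE records into the three prioritized categories and the "Not Scheduled" bucket, and lists the CVEs you would have to score yourself. All records, the KEV stand-in, the federal-use and critical-software inventories, and the scanner results are constructed sample data; the record shape loosely follows NVD API 2.0 JSON (an assumption, and simplified), and "enriched" is taken to mean a CVSS metric plus CPE affected-product data are present.

```python
from typing import Dict, List, Set

# Buckets the article describes for NIST's new triage policy
PRIORITY_KEV = "kev"                      # in CISA's KEV catalog (actively exploited)
PRIORITY_FEDERAL = "federal"              # affects software used by the federal government
PRIORITY_CRITICAL = "critical-software"   # "critical software" under EO 14028
NOT_SCHEDULED = "not-scheduled"           # everything else: left unenriched unless requested

# Constructed sample records. The shape loosely follows NVD API 2.0 "cve"
# objects (assumption); the ids are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
     "configurations": [{"nodes": [{"cpeMatch": [
         {"criteria": "cpe:2.3:a:examplevendor:webapp:*:*:*:*:*:*:*:*"}]}]}]},
    {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis", "metrics": {}, "configurations": []},
    {"id": "CVE-0000-0003", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
     "configurations": [{"nodes": [{"cpeMatch": [
         {"criteria": "cpe:2.3:a:fedvendor:casemgmt:*:*:*:*:*:*:*:*"}]}]}]},
    {"id": "CVE-0000-0004", "vulnStatus": "Awaiting Analysis", "metrics": {}, "configurations": []},
    {"id": "CVE-0000-0005", "vulnStatus": "Awaiting Analysis", "metrics": {}, "configurations": []},
]
SAMPLE_KEV_IDS: Set[str] = {"CVE-0000-0002"}                   # constructed stand-in for the KEV catalog
SAMPLE_FEDERAL_PRODUCTS: Set[str] = {"fedvendor:casemgmt"}     # constructed federal-use inventory
SAMPLE_CRITICAL_SOFTWARE: Set[str] = {"osvendor:hypervisor"}   # constructed EO 14028 critical-software list
# Constructed: what your own scanner reported as affected, used when NVD carries no CPE data
SAMPLE_SCANNER_PRODUCTS: Dict[str, Set[str]] = {
    "CVE-0000-0004": {"examplevendor:webapp"},
    "CVE-0000-0005": {"osvendor:hypervisor"},
}


def affected_products(record: dict) -> Set[str]:
    """Return vendor:product pairs from the record's CPE 2.3 match criteria.
    CPE 2.3 names are colon separated: cpe:2.3:part:vendor:product:version:..."""
    products: Set[str] = set()
    for config in record.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                fields = match.get("criteria", "").split(":")
                if len(fields) >= 5 and fields[0] == "cpe" and fields[1] == "2.3":
                    products.add(f"{fields[3]}:{fields[4]}")
    return products


def is_enriched(record: dict) -> bool:
    """Enriched (assumption): NIST has attached a CVSS score and CPE affected-product data."""
    metrics = record.get("metrics", {})
    has_cvss = any(metrics.get(key) for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"))
    return has_cvss and bool(affected_products(record))


def triage_category(record: dict, kev_ids: Set[str], federal_products: Set[str],
                    critical_software: Set[str], scanner_products: Dict[str, Set[str]]) -> str:
    """Apply the three prioritized categories in order; anything else is Not Scheduled."""
    cve_id = record["id"]
    if cve_id in kev_ids:
        return PRIORITY_KEV
    # An unenriched record has no CPE data, so fall back to your own scanner's view
    products = affected_products(record) or scanner_products.get(cve_id, set())
    if products & federal_products:
        return PRIORITY_FEDERAL
    if products & critical_software:
        return PRIORITY_CRITICAL
    return NOT_SCHEDULED


def summarize(records: List[dict], kev_ids: Set[str], federal_products: Set[str],
              critical_software: Set[str], scanner_products: Dict[str, Set[str]]) -> dict:
    """Map each CVE to its bucket and list those a defender must score locally:
    unenriched and outside every prioritized category."""
    categories: Dict[str, str] = {}
    needs_local_analysis: List[str] = []
    for record in records:
        category = triage_category(record, kev_ids, federal_products, critical_software, scanner_products)
        categories[record["id"]] = category
        if category == NOT_SCHEDULED and not is_enriched(record):
            needs_local_analysis.append(record["id"])
    return {"categories": categories, "needs_local_analysis": needs_local_analysis}


def run_sample() -> dict:
    return summarize(SAMPLE_RECORDS, SAMPLE_KEV_IDS, SAMPLE_FEDERAL_PRODUCTS,
                     SAMPLE_CRITICAL_SOFTWARE, SAMPLE_SCANNER_PRODUCTS)


if __name__ == "__main__":
    result = run_sample()
    for cve_id, category in result["categories"].items():
        print(f"{cve_id}: {category}")
    print("needs local analysis:", result["needs_local_analysis"])
```

The fallback to scanner-reported products is the point worth noticing: without NVD's CPE data, matching a CVE against a federal or critical-software inventory depends entirely on whatever affected-product information you can obtain elsewhere, which is exactly the gap the triage policy pushes onto smaller organizations.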

Drivers of Strain: Volume Growth and Funding Gaps
The pressure on NIST stems from a stark mismatch between workload and staffing. From 2020 to 2025, CVE submissions rose 263 %, and early‑2026 filings are already running roughly one‑third higher than the same period in 2025. Despite enriching a record number of vulnerabilities in 2025, the backlog continued to grow because the NVD program employs only 21 analysts—a fixed capacity with no ceiling on incoming reports. The situation became acute in early 2024 when a funding disruption left three‑quarters of submitted CVEs unprocessed at its peak, prompting alarm across the community. Although NIST had signaled the move toward triage earlier in the year, the underlying scarcity of personnel and budget has made the shift unavoidable.

NVD Under Stress: Institutional Fragility and External Pressures
Two factors beyond NIST’s control exacerbate the strain. First, the CVE program itself is administered by MITRE, a federally funded nonprofit whose contract with the Department of Homeland Security faced expiration in 2023, nearly causing a collapse. A last‑minute 11‑month emergency extension from CISA averted disaster, but the episode exposed the program’s institutional fragility. Although an independent, nonprofit CVE Foundation has been proposed to assume long‑term governance, it has not yet taken operational control, leaving the NVD perched on an uncertain foundation. Second, forecasters project that 50,000 new CVEs will be logged in 2026 even before accounting for AI‑driven vulnerability discovery, with some estimates climbing past 70,000 by year’s end. The European Union’s launch of its own European Vulnerability Database highlights growing allied concern about reliance on a single U.S.‑run source, though the EU effort still lacks the NVD’s depth of enrichment and global adoption.

What’s at Stake: Inequality, Fragmentation, and Trust
The shift to risk‑based triage carries significant downsides for the broader cybersecurity landscape. Universal enrichment currently reduces inequality by giving small businesses, rural municipalities, schools, hospitals, and nonprofits access to the same high‑quality vulnerability context that large firms can supplement with internal expertise or paid feeds. When the public baseline thins, these under‑resourced entities become less capable, not merely less efficient. Moreover, a two‑tier system—where some CVEs receive structured federal analysis while others remain unenriched—risks fragmenting the shared reference point that vendors, insurers, IT managers, researchers, and agencies depend on for consistent risk interpretation. Transparency labels like “Not Scheduled” improve clarity but do not erase the scarcity‑driven nature of the queue. As more actors turn to fragmented, proprietary judgments to fill gaps, the digital ecosystem suffers from inconsistent risk assessments and duplicated effort. Public trust also erodes: users have long treated inclusion in the NVD as a signal of vetted, authoritative review; moving forward, mere presence will no longer guarantee that level of scrutiny, a change rooted in overload rather than malice.

What Congress Should Do Now
To safeguard this critical infrastructure, Congress must treat NIST’s vulnerability enrichment function as essential and fund it accordingly. This entails dedicated appropriations that scale with the observed growth in CVE volume—likely on the order of tens of millions of dollars annually—and a several‑fold expansion of analyst capacity to revive universal enrichment as the baseline service. Such investment would be modest compared with the billions already spent on federal threat‑detection systems that rely on NVD data, and the marginal cost of full resourcing is low relative to the ecosystem‑wide value delivered. While automation, workflow improvements, and AI‑assisted prioritization can aid the process, they cannot absorb a 263 % surge in submissions without a commensurate increase in human expertise. Policymakers should heed the repeated pleas of cybersecurity experts who have labeled the NVD “critical infrastructure for a large variety of cybersecurity products” and act to reverse the current degradation before the downstream risks—amplified by AI‑accelerated exploit timelines—become irreversible.

Conclusion
The NVD remains vitally important; its relevance has not waned, but its strain has grown to a point where the quality of the public vulnerability baseline is deteriorating. Without decisive federal support, the United States risks normalizing a weakened, two‑tier vulnerability ecosystem at precisely the moment that adversaries are exploiting flaws faster than ever. Properly resourcing the NVD is not merely a budgetary line item; it is a strategic imperative for national cyber resilience.
