10 Key Shifts in NVD Enrichment That Demand a Container Security Rethink

The National Vulnerability Database (NVD) has long been the gold standard for vulnerability enrichment, providing CVSS scores, CPE mappings, and CWE classifications that container security tools and compliance programs rely on. But on April 15, NIST announced a major shift: a prioritized enrichment model that leaves most CVEs unenriched. This change formalizes a trend observable over the past two years—and it demands a structured reassessment of any security program built on the assumption that NVD would always be the authoritative secondary layer. Here are ten things you need to know about this pivotal update and how it affects your container security workflows.

1. NIST Formally Adopts a Prioritized Enrichment Model

On April 15, NIST published a new policy that moves away from full-coverage enrichment of all CVEs. Instead, only select vulnerabilities receive detailed analysis, meaning CVSS scores, CPE mappings, and CWE classifications. The decision follows a steady decline in enrichment coverage over the past two years, but now it is official: NIST no longer intends to return to its previous practice. For container security programs that automatically pull NVD data to prioritise and triage vulnerabilities, this means that handling unenriched CVEs will require new processes or alternative enrichment sources.

(Image source: www.docker.com)

2. Three Categories of CVEs Continue to Get Full Enrichment

NIST will continue to fully enrich CVEs in three specific buckets. First, vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog are targeted for enrichment within one business day. Second, CVEs affecting software used by the U.S. federal government remain a priority. Third, "critical software" as defined by Executive Order 14028 also qualifies for full enrichment. These categories cover high-impact, high-visibility vulnerabilities, but many CVEs affecting widely used container images, open source libraries, and common infrastructure components will fall outside these groups.

3. Everything Else Moves to ‘Not Scheduled’ Status

All CVEs that do not fall into the three priority categories are now assigned a “Not Scheduled” status in the NVD. This status indicates that NIST has no current plan to enrich them. Furthermore, any unenriched CVEs published before March 1, 2026 have been retroactively moved into this category as well. For container security scanners that rely on NVD enrichment to filter or score vulnerabilities, this means a large and growing pool of CVEs will lack the metadata needed for automated prioritisation—forcing teams to either ignore those CVEs or invest in manual triage.

4. Organizations Can Request Enrichment, but No SLA Exists

NIST has provided a way for organizations to request enrichment for specific CVEs by emailing nvd@nist.gov. However, there is no service-level agreement (SLA) attached to this process. Enrichment may take weeks, months, or may never happen if NIST deems the request low priority. For container security programs that need timely assessments to meet compliance SLAs (e.g., 30-day patch windows), this ad-hoc process is unreliable. Security teams should consider alternatives such as independent CVSS scoring, third-party threat intelligence feeds, or crowd-sourced enrichment platforms.

5. The Volume of CVEs Has Exploded, Driving the Change

NIST cited a 263% increase in CVE submissions between 2020 and 2025 as a primary reason for the shift. The first quarter of 2026 ran roughly one-third higher than the same period in 2025. This growth is fuelled by more CVE Numbering Authorities (CNAs), more open-source projects running their own disclosure processes, and more automated testing tools surfacing vulnerabilities that would not have reached CVE status a few years ago. The sheer volume made full enrichment unsustainable—especially given NIST’s limited resources.

6. NIST No Longer Re-Scores CVEs That Arrive with a CNA CVSS Score

CNAs have always been able to attach a CVSS score to the CVEs they publish; what changes is what NIST does with it. Historically, NIST would independently calculate and assign its own CVSS score even when the CNA had supplied one, so consumers got a second, consistently derived opinion. Under the new model, NIST no longer duplicates that work: if a container image vendor or open-source project has already published a CVSS score with its CVE, NIST passes it through without additional analysis. The two are distinguishable in the NVD API 2.0 JSON, where a NIST-computed metric carries type "Primary" with source nvd@nist.gov while a CNA-supplied one carries type "Secondary" with the CNA as source; pipelines that assumed every score was NIST-reviewed should check that field. Security teams must now evaluate the quality and consistency of CNA-provided scores themselves, because CNAs vary widely in scoring discipline and methodology.


7. The Drift Was Visible Long Before the Announcement

For anyone pulling NVD feeds over the past two years, the decline in enrichment coverage was already evident. Many CVEs appeared with empty CVSS, CPE, or CWE fields. The April 15 announcement simply confirmed what observant security professionals had noticed: the NVD was no longer keeping up. Container security programs that had already started supplementing NVD data with alternative sources—such as OSV, GitHub Advisory Database, or commercial threat feeds—were better prepared. Others that relied exclusively on NVD now face a significant gap.

8. Container Scanners Must Rethink Prioritisation Logic

Most container vulnerability scanners rely on CVSS scores and CPE mappings from NVD to compute risk scores, filter false positives, and drive ticketing workflows. Without full enrichment, these scanners will either ignore large numbers of unenriched CVEs or treat them with a default low priority—potentially missing critical vulnerabilities that happen to lack enrichment. Security teams should reassess their scanner configurations, consider using additional enrichment sources, and introduce manual verification for high-risk software components. Some teams may also need to adjust internal SLAs to account for delayed enrichment.

9. Compliance Programs Must Adapt Their Evidence Collection

Many compliance frameworks (e.g., FedRAMP, SOC 2, PCI DSS) require organisations to demonstrate that they are aware of and mitigating vulnerabilities in their container environments. In the past, NVD enrichment provided a standardised way to document that awareness. Now, compliance teams may need to show they have alternative processes for identifying unenriched CVEs, prioritising them, and tracking remediation. This could involve automated tooling that pulls from multiple databases, manual review of CVE descriptions, or partnerships with security research vendors for enriched feeds.

10. Proactive Steps for Your Container Security Program

Given the NVD’s new reality, container security programs should take immediate steps. First, map all critical software in your environment to the three priority categories to understand coverage gaps. Second, evaluate alternative enrichment feeds—such as the CVE Project’s own CNA-provided data, open-source vulnerability databases, or commercial services like VulnDB or Snyk. Third, update your vulnerability management policy to include a “no enrichment” SLA that triggers manual review. Fourth, train your security analysts on how to interpret unenriched CVEs using primary sources like commit logs, exploit databases, and vendor advisories.
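The prioritisation rework in item 8 and the "no enrichment" SLA in item 10 come down to one triage function that never lets a missing score default to low priority. The block below is an added example, not code from the article or from any scanner; its record shape follows the NVD API 2.0 JSON layout (cve.vulnStatus and cve.metrics.cvssMetricV31[] with type "Primary" for NIST and "Secondary" for the CNA), the "Not Scheduled" status is the one the article describes, and the records, the KEV set, the fallback-feed scores and the 14-day SLA are constructed sample values.

```python
from datetime import date

# Status the article says NVD now assigns to CVEs NIST has no plan to enrich.
NOT_SCHEDULED = "Not Scheduled"

# Constructed stand-ins for external feeds: the CISA KEV catalog (a set of IDs)
# and a secondary source such as OSV or the GitHub Advisory Database that
# publishes its own CVSS base scores.
KEV_IDS = {"CVE-2026-0001"}
FALLBACK_SCORES = {"CVE-2026-0003": 7.5}


def nvd_score(record):
    """Return (baseScore, provenance) from an NVD API 2.0 record.

    NIST-computed metrics carry type "Primary"; CNA-supplied ones carry type
    "Secondary" with the CNA as source. Prefer Primary, fall back to Secondary,
    and return (None, None) when the record has no CVSS at all."""
    metrics = record["cve"].get("metrics", {}).get("cvssMetricV31", [])
    for wanted in ("Primary", "Secondary"):
        for m in metrics:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], f"{wanted}:{m.get('source')}"
    return None, None


def bucket(score):
    """Map a base score onto the ticket priorities used here (constructed)."""
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def triage(record, kev_ids=KEV_IDS, fallback_scores=FALLBACK_SCORES,
           today=date(2026, 4, 20), unenriched_sla_days=14):
    """Assign a priority that never silently defaults an unscored CVE to low.

    Order: KEV membership first (enriched or not), then an NVD score of either
    type, then a fallback feed; anything still unscored goes to manual review
    once it is Not Scheduled or older than the no-enrichment SLA."""
    cve = record["cve"]
    cve_id = cve["id"]
    published = date.fromisoformat(cve["published"][:10])
    age_days = (today - published).days
    status = cve.get("vulnStatus", "")

    if cve_id in kev_ids:
        return {"id": cve_id, "priority": "P1", "source": "CISA KEV", "status": status}

    score, source = nvd_score(record)
    if score is None and cve_id in fallback_scores:
        score, source = fallback_scores[cve_id], "fallback feed"
    if score is not None:
        return {"id": cve_id, "priority": bucket(score), "score": score,
                "source": source, "status": status}

    if status == NOT_SCHEDULED or age_days > unenriched_sla_days:
        return {"id": cve_id, "priority": "REVIEW", "source": None, "status": status,
                "reason": f"no CVSS after {age_days} days (status {status!r}); manual triage"}
    return {"id": cve_id, "priority": "PENDING", "source": None, "status": status,
            "reason": f"awaiting enrichment, {unenriched_sla_days - age_days} days of SLA left"}


# Constructed records shaped like NVD API 2.0 "vulnerabilities[]" entries.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-2026-0001", "published": "2026-04-10T12:00:00.000",
             "vulnStatus": NOT_SCHEDULED, "metrics": {}}},            # in KEV, unenriched
    {"cve": {"id": "CVE-2026-0002", "published": "2026-03-20T12:00:00.000",
             "vulnStatus": NOT_SCHEDULED,
             "metrics": {"cvssMetricV31": [{"source": "security@example.org", "type": "Secondary",
                                            "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
    {"cve": {"id": "CVE-2026-0003", "published": "2026-03-25T12:00:00.000",
             "vulnStatus": NOT_SCHEDULED, "metrics": {}}},            # scored only by fallback feed
    {"cve": {"id": "CVE-2026-0004", "published": "2026-03-01T12:00:00.000",
             "vulnStatus": NOT_SCHEDULED, "metrics": {}}},            # nothing anywhere
    {"cve": {"id": "CVE-2026-0005", "published": "2026-04-18T12:00:00.000",
             "vulnStatus": "Awaiting Analysis", "metrics": {}}},      # fresh, still inside SLA
    {"cve": {"id": "CVE-2026-0006", "published": "2026-04-01T12:00:00.000",
             "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                            "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
]


def triage_all(records=SAMPLE_RECORDS):
    """Triage every record and key the results by CVE ID."""
    return {r["cve"]["id"]: triage(r) for r in records}


if __name__ == "__main__":
    for cve_id, result in triage_all().items():
        print(cve_id, result["priority"], result.get("source") or result.get("reason"))
```

The "REVIEW" and "PENDING" outcomes are the point: a scanner that only knows P1 to P4 has nowhere to put a CVE with no score, and the provenance string on each result is what a compliance reviewer needs to see when asked how an unenriched CVE was prioritised.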

The NVD change is not a crisis—it’s an evolution. By understanding what’s changing and how it affects your container security workflows, you can adapt before a reliance on outdated assumptions leads to blind spots. The security programs that thrive in this new landscape will be those that diversify their enrichment sources, build flexible prioritisation models, and embrace a more proactive approach to vulnerability management.
