How NIST's Cutback of CVE Handling Impacts Cyber Teams
Industry and ad hoc coalitions appear poised to help fill the gap created by NIST's decision to cut back on CVE data enrichment.
Becky Bracken, Senior Editor, Dark Reading
April 17, 2026
The chilly air-conditioned Scottsdale ballroom hardly stirred while Harold Booth, program manager for NIST's National Vulnerability Database (NVD), discussed a major operational change — his organization is scaling back its operations and will prioritize which CVEs are chosen for enrichment, rather than taking them all on.
It was an admission that the scope of the NVD had grown beyond the capacity of the National Institute of Standards and Technology (NIST) to administer and didn't surprise anyone in the VulnCon26 audience.
This particular collection of insiders and industry veterans is well aware of how difficult it has been for NIST to keep up with a mounting backlog of CVEs, particularly after NIST lost 12% of its federal funding in 2024, prompting a talent exodus last year. Likewise, cyber practitioners across the country have been watching NIST and the CVE program struggle and have been bracing for cutbacks in services.
Booth explains why NIST decided to prioritize certain CVEs for enrichment data, which consists of adding information about impacted products, attack vectors, and other relevant details to the CVE file.
"Our prioritization criteria are designed to meet most users' needs by allowing us to focus on CVEs with the greatest potential for widespread impact," he tells Dark Reading. "Organizations will still have access to all CVEs in the NVD." CVSS scores will still be available from either the CVE Numbering Authority (CNA), Cybersecurity and Infrastructure Security Agency (CISA), or the NVD.
In addition, he adds, users can still request enrichment or scoring for a specific CVE.
"We recognize that some of these changes will require organizations downstream to adapt," Booth says. "That is why we are also working to develop the automated systems and workflow enhancements that will allow us to better meet the needs of the cybersecurity community long-term."
Practitioners and cybersecurity leaders across the country have also been watching NIST, and the CVE program more broadly, struggle to keep up.
"Staffing cuts and proliferation of vulnerabilities made this inevitable," according to Jessica Sica, chief information security officer (CISO) at Weave, a telecom software vendor. "And I think a lot of security practitioners were just waiting for this other shoe to drop. I do think some of the changes are good. Why worry about a vulnerability that can't be exploited or is low in severity? Much like companies need to prioritize risk and where to focus, NIST shifting to a risk prioritization model is not a bad thing."
But, Sica argues, the loss of NIST enrichment data is a big deal for cybersecurity practitioners.
"The bottom line is some stuff will get missed," Sica says. "A lot of security vendors rely on the NVD as their source of information and what companies need to patch. It's been talked about for the past year that the private sector or perhaps open source needs to step up and provide something because it's clear we cannot currently rely on NIST as a comprehensive and reliable source of vulnerability information."
The CVE Enrichment Problem
Broadly, MITRE and a group of designated CVE Numbering Authorities, made up of trained vendors, researchers, bug bounty providers, and consortium organizations, are responsible for collecting reports of vulnerabilities, assigning CVE ID numbers, and creating a record with the available information. Currently, there are 504 CNAs across 42 countries, with one member declared with no country affiliation. In 2025, this group created around 40,000 CVE records, and according to CISA's chief of vulnerability response, Lindsey Cerovnik, it's on track to generate as many as 60,000 by the end of 2026.
Enrichment metadata is deeply useful to defenders trying to track where vulnerabilities could lurk in their systems, but it is also labor intensive to gather and report. Enrichment includes a review of the reference materials provided along with the CVE, as well as a manual Internet search for publicly available details on the exploit. The sheer volume of CVEs being created is simply too large to handle each one by hand any longer.
Making the enrichment process even more onerous is the thin amount of information currently required to file a CVE. Cerovnik explained she is looking to require more information at the time a CVE is filed and to help standardize the process. Another speaker, MITRE's CVE/CWE project leader Alec Summers, noted that all a CVE requires is an ID, a brief description, and a reference to the product impacted. That bare-bones data leaves a lot of work for groups like the NVD team at NIST to fill out. Those changes, however, are still under consideration, with no implementation timeline yet, Cerovnik explained.
Former CISA technical adviser Bob Lord agrees that would be a helpful step.
"Every element NVD adds after a CNA issues a CVE record (application name, class of coding error, exploitability metrics, etc.) can and should be provided by the CNA upstream, not appended downstream," Lord says. "CVE records should be complete, accurate, and timely at the time of issuance."
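Whether a published record already carries the elements Lord lists (affected versions, weakness class, exploitability metrics) or still needs enrichment is something a team can check mechanically before deciding whom to ask. The following is an added example, not code from Dark Reading, NIST or anyone quoted here; it assumes records in the CVE JSON 5.x layout (CNA data under containers.cna, any downstream enrichment such as ADP data under containers.adp) and uses constructed records with placeholder IDs:

```python
# Constructed sample records in the CVE JSON 5.x layout; the IDs are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "Buffer overflow in ExampleApp's file parser."}],
         "references": [{"url": "https://vendor.example/advisory/1"}],
         "affected": [{"vendor": "ExampleCorp", "product": "ExampleApp",
                       "versions": [{"version": "1.0", "lessThan": "1.4", "status": "affected"}]}],
         "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-120"}]}],
         "metrics": [{"cvssV3_1": {"baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}},
    # Bare-minimum record: ID, description, reference and product name, but no versions, CWE or score.
    {"cveMetadata": {"cveId": "CVE-0000-00002", "state": "PUBLISHED"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "An unspecified issue in ExampleRouter firmware."}],
         "references": [{"url": "https://vendor.example/advisory/2"}],
         "affected": [{"vendor": "ExampleCorp", "product": "ExampleRouter"}]}}},
    # CNA gave the minimum; a downstream ADP added CWE and CVSS but nothing on affected versions.
    {"cveMetadata": {"cveId": "CVE-0000-00003", "state": "PUBLISHED"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "SQL injection in ExampleCMS search."}],
         "references": [{"url": "https://vendor.example/advisory/3"}]},
         "adp": [{"problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89"}]}],
                  "metrics": [{"cvssV3_1": {"baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]}]}},
]


def enrichment_gaps(record):
    """List the enrichment elements a record lacks once CNA and ADP data are combined."""
    cont = record.get("containers", {})
    has_versions = has_cwe = has_cvss = False
    for c in [cont.get("cna", {}), *cont.get("adp", [])]:  # adp = downstream enrichment containers
        # A product name alone does not support asset matching; version ranges or CPEs are needed.
        has_versions |= any(a.get("versions") or a.get("cpes") for a in c.get("affected", []))
        has_cwe |= any(d.get("cweId") for pt in c.get("problemTypes", []) for d in pt.get("descriptions", []))
        has_cvss |= any(k.startswith("cvss") for m in c.get("metrics", []) for k in m)
    checks = [("affected versions/CPEs", has_versions), ("CWE", has_cwe), ("CVSS", has_cvss)]
    return [name for name, present in checks if not present]


def triage(records):
    """Map each CVE ID to its gaps; an empty list means the record is usable as published."""
    return {r["cveMetadata"]["cveId"]: enrichment_gaps(r) for r in records}


if __name__ == "__main__":
    for cve_id, gaps in triage(SAMPLE_RECORDS).items():
        print(cve_id, "complete" if not gaps else "ask the CNA or request NVD enrichment for: " + ", ".join(gaps))
```

Records that come back with gaps are the ones worth raising with the CNA upstream, or submitting as a specific enrichment request to the NVD, as Booth describes.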
Lord is part of the CVE Consumer Working Group along with Dick Brooks, co-founder and lead software engineer at Business Cyber Guardian, who adds that delayed publication of CVE details by software vendors also bogs down the process.
"Many software manufacturers reserve CVEs and publish security advisories but fail to update the corresponding CVE records within the required 24-hour period," Brooks says. "This has become a growing problem, particularly with Google, which often publishes advisories and then leaves the CVE records incomplete for weeks. While short delays of a day or two may be tolerable, extended gaps undermine trust in CVE timeliness and disrupt vulnerability research workflows. In contrast, Apple generally stays within the 24– [to] 48-hour guideline, demonstrating that timely publication is feasible."
How Cyber Teams Can Adapt to Less NVD Data
In the meantime, cybersecurity teams will need to move to make up for the loss of enrichment data, according to Shane Fry, chief technology officer at RunSafe Security.
"Anthropic's Mythos highlights why NIST is making this move in the first place," Fry says. "They have already seen a surge in CVE submissions over the past year and have not been able to keep up. Mythos and other tools for AI-assisted vulnerability will only add to the volume of vulnerabilities disclosed. It's a problem the industry has been aware of for some time."
So, without the ability to keep up with the sheer volume of CVEs, cyber teams need to pivot, Fry adds.
"The way forward will have to emphasize building defenses into software itself to prevent the exploit of bugs and zero-days even before patches are available or the vulnerability is disclosed," he advises.
Brooks says cyber teams are going to have to get more proactive about chasing down vulnerability information.
"CVEs are of limited value. It's not always easy to identify the products in an end user environment that may be affected by a CVE," Brooks says. "This requires end users to reach out to the product producer for a definitive answer to the question, 'Is my product affected?'"
Industry expert Adam Shostack recommends that in the wake of the NIST announcement, it's up to organizations to speed up patching — a lot.
"I don't know how any system — CVE, a successor, or a corporate system — stays up to date if they require human analysis as part of their decisions," Shostack says. "For many companies, the unavoidable conclusion is they probably need to grease the patch path and then manage down the risk of malware in that path."
Shostack in February wrote a detailed description of how to accomplish this, along with guidance to "really ratchet down the blast zones" that could be impacted by potential vulnerabilities.
Moving forward, it might be useful for the cybersecurity community to add vulnerability reporting standards into procurement language, according to Brooks, who is working on a similar initiative with the US energy sector. He hopes it could serve as a model for cybersecurity as well.
"The US energy industry is exploring new procurement language to improve the timeliness of product vulnerability reporting as soon as a product vulnerability is confirmed and before a CVE is publicly released," Brooks says.
About the Author
Becky Bracken
Senior Editor, Dark Reading
Becky Bracken is a senior editor with Dark Reading who brings decades of journalism experience across radio, print, online, and video channels. Becky lends her particular voice and cybersecurity expertise to the Dark Reading Confidential podcast as the host and producer, and moderates the Dark Reading editorial webinars. In addition, she oversees the site's Commentary section, hosts Dark Reading's Black Hat News Desk, and contributes regularly as a writer and reporter. Prior to joining Dark Reading, Becky covered cybersecurity and hosted webinars for Threatpost. Other national media outlets she has contributed to include PBS, SheKnows, Complex, and more.