Market Impact: 0.35

NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions


NIST will now enrich only CVEs that meet priority thresholds, namely those listed in CISA's KEV catalog, those affecting federal government software, and those in critical software as defined under Executive Order 14028; all other CVEs will be marked 'Not Scheduled.' The change follows a 263% surge in CVE submissions from 2020 to 2025, with nearly 42,000 CVEs enriched in 2025 and about 10,000 vulnerabilities from 2025 still lacking a CVSS score. The shift is likely to pressure organizations that rely on NIST as their primary vulnerability-enrichment source, though it is framed as a risk-based operational adjustment rather than a negative industry shock.

Analysis

This is a structural bottleneck, not a one-off process tweak. By explicitly triaging enrichment to exploitability-adjacent categories, NIST is effectively turning the NVD from a broad reference layer into a curated signal feed, which should widen the gap between organizations with their own vuln-intel pipelines and those that outsource prioritization to the database. The immediate beneficiaries are security platforms that can ingest raw CVE firehoses, cluster duplicates, infer severity, and map exposures to asset context; the losers are compliance-driven buyers and smaller MSSPs whose workflows depend on a complete, timely, government-grade score.

Second-order, this should push budgets away from passive scoring and toward continuous exposure management, attack-path analytics, and KEV-driven remediation orchestration. That favors vendors selling endpoint telemetry, asset inventory, and automated prioritization, because their value proposition improves when authoritative enrichment becomes sparse and slower. It also raises switching costs for large enterprises that have standardized audit and control frameworks on NVD completeness; over the next 2-4 quarters, expect more internal tooling, more demand for threat intel APIs, and more friction in vendor risk assessments where “unknown” becomes the default state for long-tail CVEs.

The contrarian risk is that this could be less bullish for cybersecurity spend than the market assumes: if NIST’s curated layer becomes the de facto reference, some buyers may conclude they can defer broad vulnerability management and focus only on KEV, compressing usage in lower-end scanners and some data-enrichment workflows. The bigger catalyst would be any rise in high-profile exploit events tied to currently unscheduled CVEs, which would force NIST to expand backlog handling and validate the need for broader enrichment.
Watch for a 1-3 month lag in customer behavior: procurement changes will be slower than the operational scramble, but budget reallocation could hit within the next planning cycle.