Full Report
NIST’s shift toward selective CVE enrichment creates significant visibility gaps for teams relying solely on the National Vulnerability Database. As AI accelerates vulnerability disclosure rates, organizations need independent, high-fidelity intelligence to prioritize risks that the NVD may now overlook.

## Key takeaways

- NIST is pivoting to a prioritized enrichment model, focusing only on CVEs that meet specific criteria such as inclusion in the CISA KEV catalog or use in federal software, which leaves a growing backlog of unenriched vulnerabilities.
- Tenable remains unaffected by these changes because it doesn’t depend on the NVD to develop checks and scoring metrics.
- Contextual intelligence is now a requirement, not a luxury: Tenable identifies significantly more "exploited in the wild" vulnerabilities than the KEV catalog lists and provides quick identification of known exploited vulnerabilities.

The National Institute of Standards and Technology (NIST) will no longer attempt to enrich all CVE entries in the National Vulnerability Database (NVD). The decision, announced last week, is bad news for organizations that depend entirely or primarily on the NVD for vulnerability metrics. It’s also a negative for organizations whose vulnerability scanning program relies on the Common Platform Enumeration (CPE) enrichment included in NVD records. Instead, NIST said it will prioritize for enrichment the CVEs that meet the following criteria:

- CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) Catalog
- CVEs for software used within the federal government
- CVEs for critical software as defined by the 2021 Executive Order 14028

NIST’s decision was driven by the skyrocketing number of published CVEs, a years-long trend that is expected to intensify as AI accelerates the pace of vulnerability discovery and disclosure. In 2025, the annual record was broken again with more than 40,000 published CVEs. About two years ago, NIST acknowledged that it was struggling to enrich all CVEs, leading to a large backlog.

## What does this mean for Tenable customers?

We have written in the past about previous delays in NVD enrichment and about the concerns raised when the CVE program was at risk of losing funding. As was true then, Tenable does not depend on the NVD for scoring metrics or for developing vulnerability checks. We have developed our own internal Vulnerability Intelligence Database, which drives our internal prioritization and content. This database is also available in our products to help customers prioritize remediation efforts and understand the full context behind the risk a new vulnerability presents.

From our vulnerability intelligence we can also better understand the implications of this prioritization strategy and where the gaps may become problematic. While the CISA KEV is a great resource, its more limited scope and selection criteria mean that some exploited vulnerabilities do not make the list. Specifically, based on our own intelligence, we track an additional 355 vulnerabilities as exploited in the wild: 1,924 compared to the CISA KEV’s 1,569 at the time of writing. Additionally, we have a median lead time of 3.2 days for identifying known exploited vulnerabilities. When time-to-exploit is measured in days or even hours rather than weeks, 3.2 days can make a significant difference in staying ahead of attackers.

Because we develop our vulnerability coverage directly from vendor advisories rather than depending on the NVD or MITRE, we’re able to deliver accurate and timely checks for emerging vulnerabilities. This data also helps build out our vulnerability intelligence so that we have the comprehensive contextual data that would typically be pulled from the NVD, such as CVSS metrics, useful references, and affected products and fixed versions.

## What the NVD delays mean for security teams

Ongoing dependence on the NVD for vulnerability data has always had its limitations given the existing delays. While NIST’s new CVE-enrichment strategy aims to take a risk-centric approach, critical gaps are likely, and those gaps create real risk for security teams. As the pace of vulnerability disclosures and real-world exploitation accelerates, further fueled by AI, security teams need a reliable source of contextual intelligence to make the rapid, informed prioritization decisions necessary to protect their environments.

[Image: Tenable Vulnerability Management’s vulnerability database search interface]

With Tenable’s Vulnerability Intelligence, it is possible to quickly understand the real-world risk a vulnerability presents based on available proof-of-concept data, evidence of real-world exploitation, association with ransomware, and many other critical data points. Vulnerability Intelligence is available in Tenable Vulnerability Management, Tenable Security Center and Tenable One.

The same contextual data is also incorporated into Tenable Cloud Security and the Tenable One Exposure Management Platform, enabling teams to quickly focus on the highest-risk vulnerabilities. Tenable One compiles a comprehensive asset inventory of your environment, allowing you to check which of your applications have, for example, a recently disclosed zero-day vulnerability. Because Tenable One brings together the data from multiple sensors into a single unified view, it can help you understand important context such as account privileges, external exposure, asset properties, attacker pathways, and more. In short, Tenable One gives you full visibility across your entire infrastructure, helping you understand where your organization is exposed and prioritize remediation based on which targets present the most significant risk.

Meanwhile, Tenable’s Vulnerability Prioritization Rating (VPR) wraps all of this contextual data into a score that can be used for prioritization, either as a numeric score or as a risk rating (low, medium, high, critical). VPR uses machine learning to predict the likelihood of exploit activity in the subsequent 28 days and incorporates threat intelligence, vulnerability characteristics, and insights from the Tenable Research Special Operations team to pinpoint the 1.6% of vulnerabilities that represent actual risk. By joining the contextual data about the vulnerabilities with the Asset Criticality Rating (ACR) of affected assets, you can quickly go from triage to informed prioritization and remediation, reducing the risk of exploitation.

## Learn more

- “Why Early Visibility Matters: Risk Lurks in the Vulnerability Disclosure Gaps”
- “Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog”
- “Mind the Gap: How Waiting for NVD Puts Your Organization at Risk”
Analysis Summary
# Industry News: NIST Scales Back NVD Enrichment, Reshaping Vulnerability Management Priorities
## Summary
The National Institute of Standards and Technology (NIST) has officially pivoted to a selective enrichment model for the National Vulnerability Database (NVD), ending its attempt to provide metadata for every published CVE. This shift creates significant visibility gaps for organizations relying on the NVD, accelerating a market transition toward private high-fidelity intelligence providers.
## Key Details
- **Date:** NIST's prioritization decision was announced the week before Tenable's post, which cites full-year 2025 CVE counts; NIST first acknowledged the enrichment backlog about two years earlier, in February 2024.
- **Companies Involved:** NIST (National Institute of Standards and Technology), CISA (Cybersecurity and Infrastructure Security Agency), Tenable
- **Category:** Industry Policy Shift / Market Analysis
## The Story
Faced with a record-breaking influx of over 40,000 CVEs annually—a volume exacerbated by AI-driven vulnerability discovery—NIST has announced it will no longer provide full enrichment (such as CVSS scores, CPE platform tags, and reference links) for all vulnerabilities. Instead, NIST will prioritize enrichment for:
1. Vulnerabilities appearing in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
2. Software used within the federal government.
3. Critical software defined by Executive Order 14028.
As a result, a massive backlog of "unenriched" vulnerabilities is growing. Private security firms like Tenable are using this development to highlight the limitations of public databases. Tenable argues that its proprietary research and "Vulnerability Intelligence Database" allow it to bypass the NVD's bottlenecks, citing a median lead time of 3.2 days for identifying known exploited vulnerabilities and tracking roughly 23% more "exploited in the wild" vulnerabilities than the CISA KEV catalog (1,924 versus 1,569 at the time of the post).
## Business Impact
### For the Companies Involved
- **NIST:** Shifts its role from a comprehensive database to a targeted "risk-centric" federal resource, acknowledging it can no longer keep pace with the scale of modern software disclosures.
- **Tenable:** Positions itself as an essential alternative. By decoupling from the NVD, Tenable emphasizes its reliability and the value of its proprietary Vulnerability Prioritization Rating (VPR).
### For Competitors
- **Legacy Tools:** Scanning vendors that rely exclusively on NVD/CPE data for detection or scoring are now at a significant disadvantage, as they will likely suffer from blind spots and delayed remediation timelines.
- **Intelligence Providers:** Firms like Snyk, Rapid7, and Qualys will likely see increased demand as organizations look for commercial alternatives to the now-fragmented public data.
### For Customers
- **Increased Risk:** Organizations relying on free public data face "visibility gaps" where new vulnerabilities may exist in their environment without a severity score or proper identification tags.
- **Vendor Lock-in:** Customers may find themselves forced to migrate to premium "exposure management" platforms to maintain the same level of security posture they previously managed with basic tools and public data.
### For the Market
- **Privatization of Intelligence:** We are witnessing the gradual "privatization" of baseline cybersecurity intelligence. Accurate risk assessment is transitioning from a public good to a commercial premium service.
## Technical Implications
The primary technical hurdle is the loss of **Common Platform Enumeration (CPE)** data. Without CPE tags (the `configurations` block of an NVD record), automated scanners that match on platform metadata cannot tell which installed software a CVE applies to, so an unenriched record is invisible to them rather than low-risk. This forces security teams to rely on vendor-specific "checks" rather than standardized global metadata. The same applies to severity: a record with no NVD CVSS score is not a low-severity record, it is an unscored one, and tooling that sorts by score will silently push it to the bottom. Furthermore, the 3.2-day median lead time Tenable claims for identifying exploited vulnerabilities matters because contemporary threat actors often weaponize vulnerabilities within days or even hours of disclosure.
## Strategic Analysis
- **Market Positioning:** Tenable is shifting its message from "Scanning" to "Exposure Management," positioning its proprietary data as a survival requirement in an AI-accelerated threat landscape.
- **Competitive Advantage:** The ability to provide an independent "Vulnerability Prioritization Rating" (VPR) that isolates the 1.6% of vulnerabilities representing actual risk is a clear differentiator against the noise of 40,000+ annual CVEs.
- **Challenges:** The primary challenge is the "fragmentation of truth." If every vendor has their own intelligence database, security teams may struggle with inconsistent risk scores between different tools in their stack.
## Industry Reactions
- **Analyst Opinions:** Analysts generally view this as an inevitable consequence of the scale of modern software. The consensus is that public agencies can no longer support the entire private sector's data needs at the speed required.
- **Market Response:** There is a notable uptick in the marketing of "Cyber Threat Intelligence" (CTI) feeds as essential components of vulnerability management programs.
## Future Outlook
- **The "AI Feedback Loop":** As AI continues to flood the system with new CVEs, NIST’s backlog will likely become permanent for non-critical software.
- **Custom Prioritization:** Expect to see "internal KEVs" become a standard business practice, where companies build their own priority lists based on their unique asset criticality and local threat intelligence.
## For Security Professionals
Practitioners should audit their current toolsets to determine how much of their workflow relies on the NVD. If your scanning engine or risk dashboard goes quiet because an entry lacks a CVSS score or CPE tag, the vulnerability is still present in your environment; the missing metadata is a measurement gap, not evidence of low risk, and those records need a separate queue fed by vendor advisories and exploitation intelligence. Incorporating vendor-supplied or independent intelligence is no longer optional for mature programs.
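The two practitioner points above, that a record without `configurations` cannot be matched to installed software by CPE (Technical Implications) and that a dashboard must not go quiet when an entry lacks a score or tag (this section), as an added example that is not Tenable's or NIST's code. It assumes the NVD API 2.0 JSON shape (`vulnStatus`, `metrics` carrying NIST's `Primary` and the CNA's `Secondary` CVSS entries, `configurations`, `cisaExploitAdd`), which is the public schema; every record, CVE ID, CPE string, score and the `INTERNAL_KEV` set are constructed, and `cpe_match` handles only OR nodes with dotted numeric versions.

```python
"""Triage NVD API 2.0 records that may never receive NIST enrichment.
Added example, not Tenable's or NIST's code. Field names follow the public NVD 2.0 JSON
schema (vulnStatus, metrics, configurations, cisaExploitAdd); every CVE ID, score,
CPE and inventory entry below is constructed.
"""
from __future__ import annotations

# Constructed feed in NVD 2.0 shape: one enriched critical, one unenriched but exploited,
# one carrying only a CNA-supplied (Secondary) score, one enriched but not installed.
SAMPLE_FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-2099-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:gateway:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.1"}]}]}]}},
    {"cve": {"id": "CVE-2099-0002", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-2099-0003", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"source": "cna@examplevendor.test", "type": "Secondary", "cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-2099-0004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 5.3}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:othervendor:agent:1.0:*:*:*:*:*:*:*"}]}]}]}},
]}

# Constructed asset inventory as CPE 2.3 strings, as a scanner would report it.
INVENTORY = ["cpe:2.3:a:examplevendor:gateway:2.3.0:*:*:*:*:*:*:*",
             "cpe:2.3:a:examplevendor:gateway:2.5.0:*:*:*:*:*:*:*"]

# Hypothetical "internal KEV": IDs your own advisory/threat-intel review marked as exploited.
INTERNAL_KEV = {"CVE-2099-0002"}


def _cpe_parts(cpe: str) -> list[str]:
    """The 11 components of a CPE 2.3 string (assumes no escaped ':' inside values)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return parts[2:]


def _version_key(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; real products need vendor-specific ordering."""
    return tuple(int(x) for x in v.split("."))


def cpe_match(m: dict, installed: str) -> bool:
    """Does one NVD cpeMatch entry cover an installed CPE? Honors '*' and the version-range fields."""
    want, have = _cpe_parts(m["criteria"]), _cpe_parts(installed)
    if any(w not in ("*", h) for w, h in zip(want[:3], have[:3])):   # part, vendor, product
        return False
    if want[3] != "*":          # criteria pins an exact version
        return want[3] == have[3]
    if have[3] == "*":          # inventory has no version, so no range can be satisfied
        return False
    v = _version_key(have[3])
    lo_in, lo_ex = m.get("versionStartIncluding"), m.get("versionStartExcluding")
    hi_in, hi_ex = m.get("versionEndIncluding"), m.get("versionEndExcluding")
    return ((lo_in is None or v >= _version_key(lo_in)) and (lo_ex is None or v > _version_key(lo_ex))
            and (hi_in is None or v <= _version_key(hi_in)) and (hi_ex is None or v < _version_key(hi_ex)))


def affected_assets(cve: dict, inventory: list[str]) -> list[str] | None:
    """Inventory entries the NVD configurations mark vulnerable, or None when the record has no
    configurations at all: unenriched means reach is unknown, not zero. OR nodes only."""
    if not cve.get("configurations"):
        return None
    hits: list[str] = []
    for cfg in cve["configurations"]:
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if m.get("vulnerable", False):
                    hits += [i for i in inventory if i not in hits and cpe_match(m, i)]
    return hits


def best_score(cve: dict) -> tuple[float | None, str]:
    """Prefer NIST's Primary CVSS v3.1; fall back to the CNA/ADP Secondary metric NVD passes through."""
    for wanted in ("Primary", "Secondary"):
        for m in cve.get("metrics", {}).get("cvssMetricV31", []):
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], f"{wanted}:{m.get('source', '?')}"
    return None, "none"


def triage(feed: dict, inventory: list[str], internal_kev: set[str]) -> list[dict]:
    """Bucket each record so that missing enrichment surfaces as work, not silence."""
    rows = []
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        score, src = best_score(cve)
        assets = affected_assets(cve, inventory)
        exploited = "cisaExploitAdd" in cve or cve["id"] in internal_kev
        if exploited:
            bucket = "act-now"
        elif score is None or assets is None:
            bucket = "unenriched"       # NVD gives neither severity nor reach; go to the vendor advisory
        elif not assets:
            bucket = "not-installed"
        else:
            bucket = "critical" if score >= 9.0 else "scheduled"
        rows.append({"id": cve["id"], "status": cve.get("vulnStatus"), "score": score,
                     "score_source": src, "assets": assets, "bucket": bucket})
    return rows
```

`triage(SAMPLE_FEED, INVENTORY, INTERNAL_KEV)` returns one row per record. The point is that CVE-2099-0002 and CVE-2099-0003 land in `act-now` and `unenriched` instead of disappearing from a score-sorted view for lack of a Primary CVSS entry, and that `affected_assets` returning `None` (no CPE data, reach unknown) is deliberately kept distinct from `[]` (enriched, and not installed). The "internal KEV" the Future Outlook section anticipates is nothing more than the `INTERNAL_KEV` set, fed from your own review of vendor advisories and exploitation intelligence.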