NIST will now automatically enrich only a subset of CVEs (those on CISA's Known Exploited Vulnerabilities list, those affecting software used by the federal government, and those meeting the Executive Order's critical-software definition), moving older backlog items into a 'Not Scheduled' state and limiting routine reanalysis and duplicate scoring. The agency says the change responds to a 263% surge in CVE submissions between 2020 and 2025 and is intended to focus limited resources on systemic risk.
— Centralized triage of publicly listed vulnerabilities shifts who sees usable vulnerability data first, creating information asymmetries that affect patching, supply‑chain risk, and public accountability for software security.
BeauHD
2026.04.17
NIST policy change (effective April 15, 2026) to only enrich CVEs in CISA's KEV, federal‑used software, or 'critical' EO‑defined software; 263% submission surge and backlog reclassification to 'Not Scheduled'.