
NIST Revamps CVE Framework, Focus on High-Impact Vulnerabilities


The National Institute of Standards and Technology (NIST) is changing its criteria for determining which software flaws fall under its Common Vulnerabilities and Exposures (CVEs) framework, citing challenges in keeping up with an ever-increasing volume of vulnerabilities.

It’s not easy for enterprise defenders to know how to organize the many vulnerabilities in their environments or know where to focus their patch management activities. Many of them rely on NIST, which manages the National Vulnerability Database (NVD), to help prioritize the more critical flaws. However, NIST is also overwhelmed by the number of vulnerabilities reported daily and has struggled to classify them and assign scores based on various exploitation risk factors, such as required privileges and user interaction. There is a significant backlog, and multiple efforts over the past five years have focused on helping NIST analyze vulnerability reports and enter them into the NVD.


The announcement, posted on NIST’s website this week, indicates the situation may be more dire than previously understood. The agency is struggling to “keep up with growing submissions” and, starting April 15, will provide details only for a subset of CVEs, NIST said.

How Will Vulnerabilities Be Prioritized?

NIST said the new approach will be “risk-based.” All submitted vulnerabilities will continue to be added to the NVD, but how they are prioritized will change. The flaws that will be analyzed will fall under one of the following categories: those that are added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, and flaws found in critical software as defined by the Executive Order (EO 14028) on Improving the Nation’s Cybersecurity. The KEV catalog lists vulnerabilities in software used by the federal government that are actively being exploited, and EO 14028 prioritizes flaws based on whether the affected software runs with elevated privileges and is designed to control access or operational technology, among other criteria.

Previously, NIST provided its own severity score for all CVEs along with descriptions and affected products. That will now change to “reduce duplication of effort and allow us to focus our resources more effectively.”

The agency also addressed its extensive, ongoing backlog challenges, which started in early 2024. NIST attributed its inability to clear the backlog to increasing submission rates. All backlogged CVEs will now be deferred and moved to the “Not Scheduled” category. One caveat: KEV-listed CVEs are not included.


‘Real-world Exploitability’

Improved detection tools, artificial intelligence, more bug bounty initiatives, vastly expanded attack surfaces, and the rapid pace of code development have all contributed to the exploding volume of vulnerabilities. NIST emphasized that CVE submissions “increased 263% between 2020 and 2025,” adding that the “first three months of 2026 are nearly one-third higher than the same period last year.”

Experts agree that NIST’s previous approach was bound to fail at some point and would require a more shared-responsibility model.

What NIST is acknowledging is something the research community has understood for years: You cannot centralize vulnerability triage at this volume and expect it to hold, explained Trey Ford, chief strategy and trust officer at Bugcrowd.

“The signal that actually drives remediation priority has always come from real-world exploitability, not database metadata, and that requires human researchers with adversarial instincts working continuously against live environments,” Ford said.

He anticipates that the next generation of vulnerability programs will be built around that kind of active, distributed signal – not quarterly enrichment cycles.

Is The New Approach Beneficial?


Active and proactive approaches will be essential moving forward. Attackers are exploiting zero-day and known vulnerabilities at alarming rates while organizations face resource shortages.

The backlog forced a necessary shift from reactive compliance based on raw CVSS scores to proactive risk management driven by threat intelligence, says David Lindner, CISO of Contrast Security.

“NIST’s decision to prioritize high-impact vulnerabilities signals the end of an era where security teams could rely on a single government database to categorize every software flaw,” Lindner said. “Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics.”

The transition could disrupt legacy auditing workflows but may be better for organizations in the long run, Lindner said. He views it as a way to demand that the industry prioritize “actual exposure over theoretical severity.”

“Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug,” Lindner says.
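The prioritization the article describes, KEV membership first and exploitability metrics (attack vector, required privileges, user interaction) ahead of raw severity for everything else, can be put into a small triage routine. The following is an added example and not code from NIST, CISA or anyone quoted above; the KEV feed and scanner inventory are constructed samples with placeholder CVE IDs, and the feed uses the field names of the public CISA KEV JSON (a top-level `vulnerabilities` list with `cveID`, `dueDate` and `knownRansomwareCampaignUse`) as an assumption about its shape.

```python
"""Triage a vulnerability inventory: CISA KEV entries first, then the rest
by exploitability metrics rather than by CVSS base score alone.

Added example, not NIST's, CISA's or the article's code. All CVE IDs,
scores and dates below are constructed placeholders.
"""
import json
from dataclasses import dataclass

# Constructed KEV feed in the shape of the CISA JSON (assumed field names,
# unrelated fields omitted). CVE-2099-* IDs are placeholders.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "dueDate": "2099-02-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0003", "dueDate": "2099-03-15",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})


@dataclass
class Finding:
    """One scanner finding, with the CVSS v3 vector parts the article names."""
    cve_id: str
    cvss_base: float          # scanner-reported base score
    attack_vector: str        # N(etwork), A(djacent), L(ocal), P(hysical)
    privileges_required: str  # N(one), L(ow), H(igh)
    user_interaction: str     # N(one), R(equired)


# Constructed inventory. Note that CVE-2099-0002 has the highest base score
# but is not in KEV, while CVE-2099-0003 is KEV-listed with a medium score.
INVENTORY = [
    Finding("CVE-2099-0001", 7.5, "N", "N", "N"),
    Finding("CVE-2099-0002", 9.8, "N", "N", "N"),
    Finding("CVE-2099-0003", 5.3, "L", "L", "R"),
    Finding("CVE-2099-0004", 6.1, "N", "N", "R"),
]


def load_kev(feed_json: str) -> dict:
    """Index a KEV-shaped JSON document by CVE ID."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def exploitability_rank(f: Finding) -> int:
    """Higher means easier to exploit: remote, no privileges, no user action."""
    av = {"N": 3, "A": 2, "L": 1, "P": 0}[f.attack_vector]
    pr = {"N": 2, "L": 1, "H": 0}[f.privileges_required]
    ui = {"N": 1, "R": 0}[f.user_interaction]
    return av + pr + ui


def triage(inventory: list, kev: dict) -> list:
    """Return (tier, cve_id) pairs in remediation order.

    Tier "KEV": actively exploited per the catalog, ordered by due date, with
    ransomware-linked entries first on the same date.
    Tier "other": everything else, by exploitability rank then base score.
    """
    kev_hits, rest = [], []
    for f in inventory:
        (kev_hits if f.cve_id in kev else rest).append(f)
    kev_hits.sort(key=lambda f: (
        kev[f.cve_id]["dueDate"],
        kev[f.cve_id].get("knownRansomwareCampaignUse") != "Known",
    ))
    rest.sort(key=lambda f: (exploitability_rank(f), f.cvss_base), reverse=True)
    return ([("KEV", f.cve_id) for f in kev_hits]
            + [("other", f.cve_id) for f in rest])


if __name__ == "__main__":
    for tier, cve in triage(INVENTORY, load_kev(KEV_FEED_JSON)):
        print(f"{tier:5} {cve}")
```

Run against the constructed data, the KEV-listed CVE-2099-0003 (base score 5.3) is scheduled ahead of the non-KEV CVE-2099-0002 (base score 9.8), which is the “actual exposure over theoretical severity” ordering the article advocates. In practice the feed would be fetched from CISA and the inventory from a scanner export; the ranking logic is unchanged.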
