8 Critical Updates to NVD Enrichment: What Container Security Teams Must Know Now

On April 15, NIST officially narrowed its enrichment model for the National Vulnerability Database. While most CVEs will still be published, the agency will now assign CVSS scores, CPE mappings, and CWE classifications to only a select subset. This change formalizes a trend that has been evident for the past two years, and it directly challenges the assumption that NVD serves as a comprehensive secondary data layer for container security programs. Below are the eight most important things your team needs to reassess.

1. The Fundamental Shift in NVD Enrichment

NIST’s announcement marks a clear departure from its historical role as a full-coverage enrichment provider. Previously, most CVEs received CVSS scores, CPE mappings, and CWE classifications automatically. Now, only three specific categories of vulnerabilities will get that treatment. This means container scanners and compliance tools that relied on NVD as their primary enrichment source must adapt their workflows. The change is not temporary—NIST stated it does not intend to return to full enrichment. For security teams, this necessitates a structured review of how they prioritize and manage vulnerabilities.

Source: www.docker.com

2. The Three Categories That Still Receive Full Enrichment

NIST will continue to fully enrich only three types of CVEs. First, any vulnerability listed in CISA’s Known Exploited Vulnerabilities catalog will be enriched within one business day. Second, CVEs affecting software used within the federal government remain a priority. Third, vulnerabilities impacting “critical software” as defined by Executive Order 14028 will also receive full treatment. These categories ensure that the most dangerous and widely used vulnerabilities are still covered, but everything else falls outside this scope.

3. What Happens to All Other CVEs

All CVEs that do not fall into the three priority categories are now moved to a new “Not Scheduled” status. This includes the vast majority of vulnerabilities. They will still be published in the NVD, but will lack the enriched data (CVSS, CPE, CWE) that many container security tools depend on. Additionally, any unenriched CVEs published before March 1, 2026 have been retroactively placed into the “Not Scheduled” category. This retroactive action means older CVEs that were still waiting for enrichment are no longer queued to receive it.

4. Requesting Enrichment from NIST

Organizations can request enrichment for specific CVEs by emailing nvd@nist.gov. However, NIST provides no service-level timeline for such requests. This means that even if you urgently need enrichment for a vulnerability affecting your container environment, you cannot rely on a prompt response. Security teams should have alternative enrichment sources ready, such as commercial threat intelligence feeds or open-source projects like Vulnrichment.

5. The Surge in CVE Submissions Driving the Change

NIST cited a 263% increase in CVE submissions between 2020 and 2025, with Q1 2026 running roughly a third higher than the same period a year earlier. This explosion is due to more CNA organizations, more open-source projects running their own disclosure processes, and better tooling surfacing vulnerabilities that previously went unreported. The sheer volume made full enrichment untenable, pushing NIST to prioritize based on impact and exploitation status.

6. How Container Scanners Are Affected

Container security programs that rely on NVD enrichment for automated vulnerability prioritization and SLAs are now at a disadvantage. Without CVSS scores, many scanners will see unenriched CVEs as missing key data, potentially treating them as lower priority or ignoring them altogether. This could lead to critical vulnerabilities being missed if they aren’t in the three enrichment categories. Your scanning tools must be updated to handle “Not Scheduled” status and to fetch enrichment from secondary sources.

7. NIST Stopped Duplicating CVSS from CNAs

Another important change: NIST will no longer duplicate CVSS scores when the submitting CNA (CVE Numbering Authority) already provides one. Previously, NVD might provide its own independent CVSS score even if the CNA had supplied one. Now, if a CNA provides a CVSS score, NIST will use that and not add its own. This means scores may vary across sources, and container security programs should expect some CVEs to have only the CNA’s assessment, which may differ from historical NVD-derived scores.

8. What Your Container Security Program Should Do Now

First, audit your current vulnerability scanning pipeline to identify which tools rely on NVD enrichment. Second, integrate alternative enrichment sources such as the CISA KEV catalog, commercial feeds, or community databases. Third, adjust your prioritization logic to handle “Not Scheduled” CVEs—treat them with suspicion and potentially raise their priority based on other indicators. Fourth, set up monitoring for NIST’s email-based enrichment request system, but don’t depend on it. Finally, review your SLAs and compliance controls to ensure they don’t break when enrichment is missing.
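
The prioritization change described above can be expressed as a small fallback chain. The following is an added example, not code from NIST, Docker, or any scanner; the `Finding` fields, the `exposed` signal, the priority labels, the choice to rank KEV entries as critical, and the placeholder CVE IDs are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

@dataclass(frozen=True)
class Finding:
    """One scanner finding (hypothetical shape, not a real scanner schema)."""
    cve_id: str
    nvd_cvss: Optional[float]  # NVD base score; None for a "Not Scheduled" CVE
    cna_cvss: Optional[float]  # base score supplied by the CNA; None if absent
    exposed: bool = False      # local signal: image runs an internet-facing service

def band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def triage(f: Finding, kev_ids: Set[str]) -> Tuple[str, str]:
    """Return (priority, evidence); a missing score is never treated as low."""
    if f.cve_id in kev_ids:          # known exploitation outranks any score
        return "critical", "kev"
    if f.nvd_cvss is not None:       # NVD enrichment is present
        return band(f.nvd_cvss), "nvd"
    if f.cna_cvss is not None:       # fall back to the CNA's own assessment
        return band(f.cna_cvss), "cna"
    # No score anywhere: escalate on local context, otherwise queue for a human.
    return ("high" if f.exposed else "needs-review"), "unscored"

def coverage(findings: Iterable[Finding], kev_ids: Set[str]) -> Dict[str, int]:
    """Audit helper: count findings by the evidence that set their priority."""
    counts: Dict[str, int] = {}
    for f in findings:
        evidence = triage(f, kev_ids)[1]
        counts[evidence] = counts.get(evidence, 0) + 1
    return counts

# Constructed sample data; the CVE IDs are placeholders, not real entries.
KEV = {"CVE-0000-0003"}
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, None),
    Finding("CVE-0000-0002", None, 7.5),
    Finding("CVE-0000-0003", None, None),
    Finding("CVE-0000-0004", None, None, exposed=True),
    Finding("CVE-0000-0005", None, None),
]
```

Running `coverage` over a full scan shows how much of the backlog is prioritized by NVD data versus CNA scores, KEV membership, or nothing at all, which is the audit the first step calls for.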

Conclusion: NIST’s narrowed enrichment model is a permanent shift that demands immediate attention from container security teams. The era of assuming full NVD coverage is over. By understanding the three categories of continued enrichment, preparing for missing enriched data, and diversifying your vulnerability data sources, you can maintain effective security without relying on a single, diminishing resource. Act now to reassess your scanning and prioritization workflows before critical vulnerabilities slip through the cracks.