6 Critical Shifts in NVD Enrichment Every Container Security Team Must Address
On April 15, the National Institute of Standards and Technology (NIST) fundamentally altered how the National Vulnerability Database (NVD) enriches Common Vulnerabilities and Exposures (CVEs). This change, which formalizes a trend seen over the past two years, means that most CVEs will now lack the detailed CVSS scores, CPE mappings, and CWE classifications that container security tools have long depended on. For teams that built scanning, prioritization, and service-level agreement workflows around the NVD as a trusted secondary data source, this shift demands a structured reassessment. Below are six crucial developments every container security program should know.
1. NIST Ends Full-Coverage Enrichment – What Changed
NIST announced a prioritized enrichment model for the National Vulnerability Database. While the agency will continue to publish most CVEs, only a subset will receive the comprehensive metadata that vulnerability scanners and compliance frameworks historically relied on. This includes CVSS base scores, Common Platform Enumeration (CPE) mappings, and Common Weakness Enumeration (CWE) classifications. The decision marks a permanent departure from the previous assumption that every CVE would eventually get full enrichment. For container security programs, this means the NVD can no longer be considered a complete, authoritative secondary layer above the CVE list. The change affects how vulnerability data flows into scanning pipelines, risk scoring, and remediation workflows, requiring teams to adapt their processes to a less enriched landscape.

2. The Three Priority Categories for Full Enrichment
Only three categories of CVEs will continue to receive full enrichment under the new model. First, any CVE listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog will be enriched within one business day. Second, CVEs affecting software used within the federal government will get priority. Third, CVEs tied to “critical software” as defined by Executive Order 14028 will also be fully enriched. These categories cover high-impact vulnerabilities but leave the vast majority of CVEs without detailed metadata. Container security teams should note that if their container images include software that falls outside these categories, they may no longer receive automatic CVSS scores or CPE mappings from the NVD. This could impact automated vulnerability prioritization and compliance reporting, especially in environments not directly serving federal agencies.
3. The 'Not Scheduled' Status: What It Means for Your Scanning Pipeline
All CVEs not falling into the three priority categories now receive a “Not Scheduled” status in the NVD. This includes all unenriched CVEs published before March 1, 2026, which have been moved retroactively to this status. For container security programs, this means that the NVD feed will contain many entries with missing CVSS scores and no CPE mappings. Your scanning pipeline may flag these as low confidence or incomplete, potentially causing delays in prioritization or false negatives. Without enrichment, tools that rely on NVD metadata for severity scoring may default to unreliable estimations or ignore certain vulnerabilities altogether. Teams must update their scanning logic to handle “Not Scheduled” entries—either by ignoring them, using alternative enrichment sources, or building custom scoring based on other data points.
4. How to Request Enrichment (and Why It’s Not a Silver Bullet)
Organizations can request enrichment for specific CVEs by emailing nvd@nist.gov. However, NIST does not provide any service-level agreement on response times, and the request process is not designed for bulk automation. This means that if your container security program identifies a high-priority vulnerability that lacks enrichment and doesn’t fall into the three priority categories, you may face delays. In practice, the request mechanism is best suited for critical zero-day or high-impact vulnerabilities affecting proprietary or niche software. For the daily stream of container vulnerabilities, this manual process is impractical. Teams should not rely on this as a primary workaround; instead, they should explore other threat intelligence feeds or internal enrichment capabilities to fill the gap left by the NVD.
5. The Explosive Growth in CVE Submissions Behind the Decision
NIST cited a 263% increase in CVE submissions between 2020 and 2025 as a key driver for the change. In the first quarter of 2026, submissions ran roughly a third higher than the same period a year earlier. This surge stems from more CVE Numbering Authorities (CNAs), more open source projects running their own disclosure processes, and improved tooling that surfaces vulnerabilities that wouldn’t have reached CVE status years ago. The volume growth made it unsustainable for NIST to manually enrich every entry. For container security teams, this trend means the number of CVEs will continue to rise, but the proportion with full NVD enrichment will shrink. Consequently, relying solely on the NVD for vulnerability intelligence becomes less viable, and teams must invest in automated enrichment pipelines or alternative data sources to maintain risk visibility.

6. Why Container Security Programs Need to Rethink Their NVD Reliance
Container security programs have historically built scanning, prioritization, and SLA workflows assuming the NVD would provide authoritative CVSS scores and CPE mappings for all CVEs. This assumption is no longer valid. Without enrichment, vulnerability scanners may miss critical context, leading to misprioritized patches or compliance gaps. For example, a container image with a CVE that has no CVSS score may be ignored, even if the vulnerability is actively exploited. Additionally, CPE mappings are crucial for identifying affected software versions; without them, the accuracy of container image scanning decreases. Teams should reassess their vulnerability management lifecycle by incorporating multiple enrichment sources, such as vendor advisories, open source security databases, or commercial threat intelligence feeds. This shift may require updating automation scripts, revising SLAs, and training staff to interpret incomplete data.
7. Immediate Steps to Reassess Your Vulnerability Management Workflow
To adapt to the new NVD landscape, container security programs should take several immediate actions. First, audit your scanning pipeline to flag enrichment completeness for each CVE. Second, identify alternative enrichment sources such as Red Hat’s OVAL, Canonical’s CVE tracker, or commercial services like VulnDB. Third, update your prioritization algorithm to handle missing CVSS scores—consider using exploit availability (e.g., CISA KEV) or internal risk models. Fourth, review compliance requirements to ensure that the absence of NVD enrichment does not violate SLAs or regulatory mandates. Finally, engage with your container registry provider and scanner vendor to understand how they plan to address the NVD changes. Many vendors are already adapting their data sources, but you should verify alignment with your security posture. Proactive reassessment now will prevent gaps later.
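The first and third steps above, and the "Not Scheduled" handling from section 3, sketched as an added example (not code from NIST or from any scanner vendor). It judges enrichment completeness by which fields a record actually carries rather than by its status string. It assumes records shaped like the `cve` object of the NVD CVE API 2.0; the CVE IDs, the KEV set, the vendor fallback scores and the P1/P2/P3/REVIEW labels are constructed for illustration.

```python
# Placeholder CWE values NVD assigns when no real classification exists.
PLACEHOLDER_CWES = {"NVD-CWE-noinfo", "NVD-CWE-Other"}

def enrichment(cve):
    """Report which of the three enrichment fields a record actually carries."""
    scores = [m["cvssData"]["baseScore"]
              for entries in cve.get("metrics", {}).values() for m in entries]
    cwes = {d["value"] for w in cve.get("weaknesses", [])
            for d in w.get("description", [])} - PLACEHOLDER_CWES
    return {"cvss": max(scores) if scores else None,
            "cpe": bool(cve.get("configurations")),
            "cwe": bool(cwes)}

def triage(cve, kev_ids, fallback_scores):
    """Assign a priority without treating a missing CVSS score as low risk."""
    cve_id, e = cve["id"], enrichment(cve)
    score, source = e["cvss"], "nvd"
    if score is None and cve_id in fallback_scores:
        score, source = fallback_scores[cve_id], "fallback"
    if cve_id in kev_ids:
        priority = "P1"      # known exploited outranks any score, or lack of one
    elif score is None:
        priority = "REVIEW"  # unscored means unknown, not safe: route to a human
    else:
        priority = "P1" if score >= 9.0 else "P2" if score >= 7.0 else "P3"
    return {"id": cve_id, "priority": priority, "score": score,
            "score_source": source if score is not None else None,
            "complete": e["cvss"] is not None and e["cpe"] and e["cwe"]}

SAMPLE = [  # constructed records; IDs are placeholders, not real CVEs
    {"id": "CVE-0000-0001",                      # fully enriched
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
     "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
     "configurations": [{"nodes": []}]},
    {"id": "CVE-0000-0002", "metrics": {}},      # unenriched, listed in KEV
    {"id": "CVE-0000-0003", "metrics": {},       # unenriched, vendor score exists
     "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]},
    {"id": "CVE-0000-0004", "metrics": {}},      # unenriched, nothing else known
]
KEV = {"CVE-0000-0002"}            # hypothetical KEV membership
VENDOR = {"CVE-0000-0003": 7.5}    # hypothetical vendor-advisory base score

def run():
    return {r["id"]: r for r in (triage(c, KEV, VENDOR) for c in SAMPLE)}

if __name__ == "__main__":
    for row in run().values():
        print(row)
```

Counting the records where `complete` is false gives the enrichment-coverage figure the audit step asks for, and `score_source` shows how much of the prioritization already depends on non-NVD data.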
In conclusion, NIST’s pivot to prioritized enrichment marks a new era for vulnerability management. Container security programs that once relied on the NVD as a comprehensive source must now diversify their data feeds and rethink their workflows. By understanding these six critical shifts, teams can stay ahead of the curve, maintain effective risk prioritization, and ensure compliance—even in a less-enriched world. The key is to act now, before the gaps in your scanning pipeline become security incidents.