Your team likely relies on the NVD scores to decide what to patch, with automation pulling CVSS data to prioritize remediation. Now, NIST is shifting its focus, having enriched nearly 42,000 CVEs in 2025 (a 45% increase from previous years) and still facing a backlog of over 30,000 CVEs. Here's what security engineers are asking and what your team needs to know.
Is NIST abandoning CVEs?
Not exactly. NIST is prioritizing. Submissions grew by 263% from 2020 to 2025, and Q1 2026 saw nearly one-third more vulnerabilities reported than the previous year. NIST is focusing on vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog.
For your team, this means NIST will no longer calculate severity scores for CVEs with scores already provided by the reporting organization. If a vendor or researcher submits a CVE with a CVSS score, NIST accepts it without independent analysis. This change affects processes built around waiting for the NVD score, especially for vulnerabilities not actively exploited.
Who is scoring these CVEs now?
The original reporting organization, which could be the vendor, a researcher, or an automated scanner. The quality of these scores varies significantly. Vendors might downplay severity, researchers might inflate it, and AI tools may not align with real-world impact.
Your action: Stop treating CVSS scores as definitive. Use stronger internal criteria:
- Is the vulnerable component running in your environment?
- Is it exposed to untrusted networks?
- What data can it access?
- Does your architecture limit the impact if exploited?
If you're subject to PCI DSS v4.0.1 Requirement 6.3.1 or NIST 800-53 Rev 5 control SI-2, you already need a defined process for this. Trust it more than the CVE database.
How do I know which CVEs matter to us?
Start with CISA's KEV catalog, which focuses on vulnerabilities with confirmed exploitation. If it's in KEV and you use that software, patch it.
Beyond that, improve your asset inventory. Many teams struggle to quickly determine if they use a particular library. Check package manifests, container images, and legacy apps.
Build these capabilities:
- Software Bill of Materials (SBOM) for every application
- Dependency scanning in CI/CD that maps CVEs to your codebase
- Runtime inventory showing what's executing
Teams that excel treat this as detective work, not just compliance. When CVE-2026-XXXXX is released, they can quickly assess their exposure.
Is AI causing or solving this problem?
Both. AI-assisted research is finding more vulnerabilities faster, contributing to the 263% increase in submissions. NIST plans to use AI for enrichment and backlog management.
For your team, AI-powered scanners are improving but also generating more findings. Develop filtering logic tailored to your environment.
Consider this scenario: an AI scanner flags a deserialization vulnerability in a library you use. The CVE score is 8.1, but your filtering logic considers the library's context, reducing its risk in your environment. Document this logic for auditors, aligning with ISO 27001 control 8.8 and SOC 2 Type II CC7.1.
Should we stop using NVD data?
No. NVD data is still valuable, especially for historical context and enriched CVEs. Use it alongside:
- CISA KEV for confirmed exploitation
- Vendor advisories for patches and workarounds
- Exploit databases for weaponization status
- Your threat intelligence for industry-specific targeting
Cross-reference these sources. A CVE with a moderate CVSS score might appear in ransomware playbooks targeting your sector, signaling higher priority.
What should I tell my manager about our vulnerability SLAs?
Your SLAs likely require patching critical vulnerabilities within 30 days based on NVD ratings. These SLAs may need adjustment.
Renegotiate around risk, not just scores:
- KEV-listed vulnerabilities: 7 days
- Internet-facing systems: 14 days
- Segmented internal systems: 30 days
- Unused components: documented risk acceptance
This aligns with NIST CSF v2.0 function "Respond" (RS) and provides flexibility when NIST enrichment is delayed. Document your criteria for auditors.
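The context questions and SLA tiers above, put into a small triage routine as an added example (not code from the original article). The `Finding` fields, the `triage` function and the `KEV_IDS` set are assumed names; the tier values are the ones listed above, and the KEV entry is a constructed placeholder.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a KEV lookup; in practice load CISA's KEV feed.
# The ID below is a placeholder, not a real catalog entry.
KEV_IDS = {"CVE-0000-00001"}


@dataclass
class Finding:
    cve_id: str
    reported_cvss: Optional[float]  # reporter-supplied score, or None if absent
    deployed: bool                  # is the vulnerable component running here?
    internet_facing: bool           # is it exposed to untrusted networks?
    sensitive_data: bool            # what data can it access? (True = sensitive)
    impact_contained: bool          # does architecture limit impact if exploited?


@dataclass
class Decision:
    sla_days: Optional[int]         # None = documented risk acceptance
    rationale: list = field(default_factory=list)


def triage(f: Finding) -> Decision:
    """Assign a patch deadline from exposure and exploitation evidence,
    recording every reason so the decision is auditable."""
    d = Decision(sla_days=None)
    # The reported score is context, never the deciding input.
    if f.reported_cvss is None:
        d.rationale.append("no CVSS supplied; triaged without waiting for NVD enrichment")
    else:
        d.rationale.append(f"reported CVSS {f.reported_cvss} noted, not authoritative")
    if not f.deployed:
        d.rationale.append("component not deployed: risk acceptance, no patch clock")
        return d
    if f.cve_id in KEV_IDS:
        d.sla_days = 7
        d.rationale.append("in CISA KEV: confirmed exploitation")
    elif f.internet_facing:
        d.sla_days = 14
        d.rationale.append("internet-facing system")
    else:
        d.sla_days = 30
        d.rationale.append("segmented internal system")
    # Record the remaining context questions for the auditor trail.
    d.rationale.append(
        "sensitive data reachable" if f.sensitive_data else "no sensitive data reachable")
    d.rationale.append(
        "impact contained by architecture" if f.impact_contained else "impact not contained")
    return d
```

The rationale list is the piece to persist: it is what an auditor checking your SLA criteria will ask for.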
What should we do right now?
Three steps:
- Subscribe to CISA's KEV catalog updates for early warnings on prioritized vulnerabilities.
- Audit your vulnerability management tools. Ensure they can trigger alerts from sources beyond NVD, like CISA KEV and vendor advisories.
- Conduct a tabletop exercise: simulate a critical CVE release without NVD enrichment data. Determine your decision process, patching strategy, and risk communication plan.
Teams that adapt treat vulnerability management as risk management, not just a checklist.
Where to go from here
Update your vulnerability management documentation. The landscape has changed, and your runbooks should reflect that.