7 Critical Shifts in NVD Enrichment: What Container Security Teams Need to Adjust


The National Vulnerability Database (NVD) has long been the backbone of vulnerability management for container security programs. But on April 15, NIST made a significant change that alters how CVEs get enriched with scores, mappings, and classifications. Most CVEs will still be published, but fewer will receive the CVSS scores, CPE mappings, and CWE classifications that scanners and compliance workflows depend on. This formalizes a trend visible over the past two years: full-coverage enrichment is no longer guaranteed. For programs built around NVD as the authoritative secondary layer, this demands a structured reassessment. Below are seven critical changes and what they mean for container security.

1. Prioritized Enrichment Model Officially Begins

NIST announced a new prioritized enrichment model that categorizes CVEs based on importance. Only three groups receive full, timely enrichment: CVEs in CISA’s Known Exploited Vulnerabilities (KEV) catalog, those affecting software used by the federal government, and those impacting “critical software” as defined by Executive Order 14028. All other CVEs are moved to a “Not Scheduled” status. This shift means container security teams can no longer rely on NVD to enrich every vulnerability they encounter. Scanners that previously expected full CVSS scores and CPE mappings for every CVE will now see gaps. Workflows that automatically prioritize based on NVD data must be adapted to handle this partial coverage.

Source: www.docker.com

2. Three Categories Get Full Enrichment

The three categories that continue to receive full enrichment are narrowly defined: KEV-listed CVEs get enrichment within one business day; CVEs affecting federal government software are prioritized; and CVEs tied to critical software per EO 14028 are also included. This covers only a fraction of all published CVEs. For container security, this means vulnerabilities in common open-source components like Node.js, Python packages, or container base images may fall outside these categories unless they appear in KEV or are used by federal agencies. Teams must now identify which of their dependencies qualify and adjust scanning priorities accordingly. Enrichment requests for other CVEs can be sent to nvd@nist.gov, but no SLA applies.

3. “Not Scheduled” Status Becomes the Default

Most CVEs that don’t meet the three criteria are assigned a “Not Scheduled” status. This is not a permanent rejection; NIST may enrich them later, but there is no timeline. Additionally, all unenriched CVEs published before March 1, 2026 have been retroactively moved into this category. That’s a massive backlog of historical vulnerabilities that previously had some level of enrichment. For container security programs that scan for known vulnerabilities in images, this means older CVEs may now lack the data needed for accurate prioritization. Automated tools that filter or score based on NVD enrichment will produce incomplete results unless supplemented with alternative sources like GitHub Security Advisories or OSV.dev.

4. NIST Stops Duplicating CVSS Scores from CNAs

Previously, NVD would often recalculate or duplicate CVSS scores provided by the CVE Numbering Authority (CNA). As part of the change, NIST no longer duplicates CVSS scores when the submitting CNA provides one. This reduces enrichment effort but shifts responsibility to CNAs for accurate scoring. For container security, this means the CVSS score you see in NVD may no longer be an independent assessment; it is the CNA's own score. Teams should verify scores from multiple sources, especially for high-impact vulnerabilities. The change also reduces the consistency of scoring across different CVEs, as CNAs may use different versions or interpretations of CVSS.

5. Volume Explosion Behind the Decision

NIST cited a 263% increase in CVE submissions between 2020 and 2025, with Q1 2026 running about a third higher than the same period in 2025. This surge comes from more CNAs, more open-source projects running their own disclosure processes, and more tooling that surfaces issues that previously wouldn’t have become CVEs. The sheer volume makes full enrichment unsustainable. For container security, this trend means the number of CVEs to assess will continue to rise, while normalized enrichment declines. Programs must invest in scalable vulnerability triage that reduces reliance on NVD for every CVE—for example, using severity scoring from the OSV database or leveraging runtime context to filter irrelevant CVEs.


6. Email-Based Enrichment Requests Without SLAs

Organizations can request enrichment for a specific CVE by emailing nvd@nist.gov. However, no service-level timeline applies, so response times are unpredictable. This is not a viable path for real-time vulnerability management in container scanning pipelines. It might be used for targeted enrichment of a critical CVE that affects your specific stack, but relying on it for batch processing or automated workflows is impractical. Container security teams should instead look to alternative enrichment sources that offer faster responses or broader coverage, such as the NVD API’s existing data (though now incomplete) or commercial feeds that supplement with their own scoring.

7. Reassess Dependencies on NVD for Compliance and Prioritization

Many compliance frameworks and container security tools have built SLAs, scoring thresholds, and notification workflows around the assumption that NVD provides full enrichment. This assumption is no longer valid. Programs should conduct a structured review: identify which CVEs in your environment rely on NVD enrichment for prioritization, test whether your scanner can handle “Not Scheduled” CVEs gracefully, and define fallback scoring mechanisms. Consider integrating multiple vulnerability databases (e.g., OSV, NVD, GHSA) and merging enrichment data to maintain coverage. This shift will require both process changes and potential tooling updates to ensure your container security posture remains robust despite NIST’s reduced role.

In summary, NIST’s move to a prioritized model is a rational response to exploding CVE volumes, but it upends the ecosystem that container security teams depend on. The days of expecting NVD to fully enrich every CVE are over. By understanding these seven changes, reassessing your workflows, and adopting supplementary enrichment sources, you can adapt your vulnerability management program to this new reality. The key is to stop treating NVD as the single source of truth and start building a more resilient, multi-source approach to container security.
