NIST Database Change Rebalances Burden of Risk
The National Institute of Standards and Technology’s new triage model changes the federal role in software vulnerability analysis, but it also clarifies organizations’ role in risk ownership, writes Nichole Windholz, CISO at Onspring. A federal database may list the vulnerability, but the organization has to decide what it means for them.
Security, risk and compliance professionals have long relied on the National Vulnerability Database as a shared starting point for evaluating newly disclosed software vulnerabilities. Once a vulnerability receives a common vulnerabilities and exposures identifier, the National Institute of Standards and Technology (NIST) adds context like severity scores and affected product details, helping organizations judge how urgently to respond.
However, NIST’s process was never meant to be a substitute for internal judgment. Due to an overwhelming influx of reports, NIST has been forced to change which reports it prioritizes, leaving risk leaders with a challenging new reality. NIST’s recent changes to vulnerability database operations mean many vulnerability records may carry less federal context when organizations are deciding what to fix first.
In April, NIST announced that it will no longer enrich every common vulnerabilities and exposures record. The agency will focus detailed analysis on common vulnerabilities and exposures (CVE) that appear in CISA’s Known Exploited Vulnerabilities Catalog, affect software used within the federal government or apply to “critical software” as defined by Executive Order 14028. Other common vulnerabilities and exposures will still appear in the vulnerability database, but they will be treated as the lowest priority and won’t be scheduled for immediate enrichment. NIST also said it will no longer routinely provide its own severity score when a submitting organization has already provided one.
The reason? Scale. CVE submissions rose 263% between 2020 and 2025, and NIST enriched nearly 42,000 of them in 2025, 45% more than any prior year. Even that pace was not enough to keep up. NIST also said submissions during the first three months of 2026 were nearly one-third higher than the same period in 2025.
For security and risk leaders, the important change is not about the vulnerability database going away. It’s not going away. The more practical concern is that many CVE listings will now carry less federal context at a time when organizations are trying to decide whether a vulnerability warrants immediate remediation, closer monitoring or acceptance as a lower-priority risk.
That changes the burden of vulnerability prioritization.
Less vulnerability database enrichment, more interpretation
CVE with limited enrichment do not automatically equate to low risk for every organization. NIST’s new prioritization criteria are designed around broad, systemic risk, federal use and known exploitation. Those categories matter, but they don’t map cleanly to every private company’s exposure.
A vulnerability that’s not widespread enough to warrant immediate federal enrichment may still affect a business-critical application, an internet-facing asset, a sensitive data store or a third-party service embedded in an important workflow. A high-severity vulnerability on an isolated system may be less urgent than a lower-severity issue on an exposed application tied to customer data. The federal triage model may be reasonable for NIST’s workload, but it doesn’t account for every organization’s architecture, business dependencies, risk appetite or regulatory obligations.
NIST’s decision to stop routinely adding its own severity score when one already exists adds another layer to that shift. Severity scores can be useful, but they describe characteristics of a vulnerability, not the full business impact of leaving it unaddressed. More responsibility will fall to organizations to decide which signals matter most in their own environment.
That distinction will matter in board reporting, audit conversations and post-incident reviews. A risk leader may be asked why a vulnerability wasn’t prioritized when the vulnerability database record provided limited context or when a severity score suggested a different level of urgency. Organizations will need to explain how they interpreted the available information and why the decision made sense at the time.
Under this new reality, accurate asset context becomes even more important. Organizations need enough ownership and business context to understand which assets support regulated activity, customer commitments, financial reporting, operational continuity or sensitive data. This is where vulnerability management becomes a governance issue, not just a security issue. Risk decisions depend on information from IT, security, legal, compliance, procurement and business owners. If those groups don’t share a common understanding of asset importance, vulnerability prioritization becomes a race to process alerts rather than a disciplined risk exercise.
Multiple intelligence sources will carry more weight
NIST’s triage model also makes it riskier to treat any single source as definitive.
Security and risk leaders will and should continue to use the vulnerability database, but they will likely place greater weight on other sources as well, including CISA Known Exploited Vulnerabilities entries, vendor advisories, exploit databases, threat intelligence reporting, security researcher analysis and internal incident data. Each source answers a slightly different question.
CISA’s catalog is valuable, but a vulnerability doesn’t need to appear there to matter. Vendor advisories may provide remediation steps and affected product details before vulnerability database enrichment arrives. Researcher write-ups may explain exploitability in practical terms. Internal incident and asset data may reveal exposure that external sources can’t see.
The tradeoff is that more sources can also mean more disagreement. One source may rate a vulnerability as severe, another may lack enough detail and a third may suggest limited exploitation. Risk leaders will need to decide which signals carry the most weight for their organization and how conflicts are resolved.
Those decision-making standards matter most before a high-pressure vulnerability appears. Otherwise, organizations risk debating methodology while the remediation clock is already running.
Compliance expectations may shift toward rationale
For regulated organizations, vulnerability prioritization is often examined through the lens of policy adherence. “Was the vulnerability identified?” “Was it categorized?” “Was it remediated within the required timeframe?” “Were exceptions approved?”
NIST’s change may push more attention toward the rationale behind those steps. The practical question becomes, “Could an informed reviewer understand the decision six months later?”
That reviewer might be an auditor, regulator, customer, insurer, board member or internal legal counsel. The organization doesn’t need perfect foresight. It does need a record that shows the inputs considered, the business context applied, the owner accountable for the decision and the reason the chosen path was appropriate.
This is where many organizations will feel the NIST’s shift most sharply. The pressure is not only operational. It’s evidentiary.
The new burden is judgment
NIST’s move to triage is a rational response to an unsustainable volume of vulnerability submissions. The agency isn’t abandoning the vulnerability database. It’s narrowing, applying deeper analysis to focus on vulnerabilities with the greatest potential for widespread impact.
That still leaves organizations with a harder job.
The next phase of vulnerability prioritization will require more internal judgment, more business context and stronger documentation of why certain risks were addressed before others. Security leaders will need to resist the temptation to treat limited National Vulnerability Database enrichment as a signal that a vulnerability is unimportant. Compliance leaders will need to understand that patching decisions are becoming less about following a federal data trail and more about interpreting incomplete information in a defensible way.
As this shift plays out, the dividing line may be less about which organizations process the most common vulnerabilities and exposures and more about which ones can explain their risk decisions under scrutiny.