7 Critical Shifts in NVD Enrichment: What Container Security Programs Must Reassess
On April 15, the National Institute of Standards and Technology (NIST) announced a major shift in how it handles the National Vulnerability Database (NVD). Instead of enriching every CVE with CVSS scores, CPE mappings, and CWE classifications, NIST will now prioritize a smaller subset. This change formalizes a trend that has been building for two years, and it directly impacts container security programs that rely on NVD as the authoritative secondary layer for vulnerability data. If your scanning, prioritization, or SLA workflows assume full NVD enrichment, it's time for a structured review. Below are seven key things you need to know about this transformation and how it affects your container security posture.
1. The Formalized Drift from Full Enrichment
The April 15 announcement didn't introduce a sudden shift—it codified a gradual drift that security teams had already observed. Over the past two years, fewer CVEs received full enrichment, but many assumed it was a temporary backlog. Now NIST has stated plainly that it does not intend to return to full-coverage enrichment. For container security programs that built their vulnerability management pipeline around the expectation that every CVE would get a CVSS score and CPE mapping, this means rethinking the foundation of their prioritization. The change isn't a glitch; it's the new normal.

2. Three Categories Still Receive Full Enrichment
NIST will continue to fully enrich three specific categories of CVEs. First, any CVE in CISA’s Known Exploited Vulnerabilities (KEV) catalog gets enrichment within one business day. Second, CVEs affecting software used within the federal government are prioritized. Third, CVEs affecting “critical software” as defined by Executive Order 14028 receive full treatment. For container security programs, this means that if your containers run software that falls into these categories—such as widely used open-source components in government systems—you’ll still get the detailed data you need. But for the vast majority of CVEs, especially those from less prominent open-source projects, enrichment will be sparse.
3. Everything Else Moves to “Not Scheduled” Status
All CVEs that don't fall into the three priority categories are now placed into a new “Not Scheduled” status. This includes all unenriched CVEs published before March 1, 2026—a massive backlog that NIST has effectively deprioritized. For container security teams, this means that many vulnerabilities you scan for will lack official CVSS scores, CPE mappings, and CWE classifications from NIST. Your scanner might still detect them, but you’ll need to rely on alternative sources or internal analysis to assign severity and prioritize remediation. The “Not Scheduled” status is not a temporary holding pen; it’s likely permanent for most CVEs.
4. You Can Request Enrichment, but Don’t Expect a Timeline
NIST has provided a process for organizations to request enrichment of specific CVEs by emailing nvd@nist.gov. However, there is no service-level agreement (SLA) or guaranteed timeline for processing these requests. For container security programs that require timely enrichment to meet compliance or SLA obligations, this is a critical gap. If your program depends on NVD data to satisfy regulatory requirements (e.g., FedRAMP, PCI DSS), you may need to explore alternative enrichment sources or build your own prioritization framework. Relying on email requests with uncertain turnaround is not a scalable solution for the volume of CVEs a typical container environment encounters.
5. NIST Will No Longer Duplicate CVSS Scores from CNAs
Previously, NIST would often re‑issue CVSS scores even when the submitting CNA (CVE Numbering Authority) had already provided one. Now NIST will stop this duplication, meaning you’ll see only the CNA‑supplied score in many cases. This is significant because the quality and consistency of CNA‑provided scores can vary widely. For container security, where base images and dependencies from different ecosystems (e.g., npm, PyPI, Docker Hub) have different CNAs, you may encounter inconsistent severity ratings. Your vulnerability management tooling will need to handle these discrepancies and possibly normalize scores from multiple sources.

6. The Volume Crisis Driving This Change
NIST cites a staggering 263% increase in CVE submissions between 2020 and 2025, with the first quarter of 2026 running roughly a third higher than the same period a year earlier. This explosion is fueled by more CVE Numbering Authorities, more open-source projects running their own disclosure processes, and better tooling that surfaces vulnerabilities that would have gone undetected a few years ago. For container security programs, this means the number of CVEs affecting your software supply chain will continue to grow while the share of them that NIST enriches shrinks. You cannot rely on NVD alone to keep up with the volume.
7. What This Means for Container Security Programs
The combined effect of these changes is a fundamental shift for container security. Your scanning tools likely used NVD enrichment as the backbone for CVSS scores, CPE mappings, and CWE classifications—data points that feed into prioritization, policy enforcement, and compliance reporting. Without full enrichment, you will need to reassess your dependency on NVD. Consider integrating alternative vulnerability databases (e.g., OSV, GitHub Advisory Database), using vendor‑provided data where available, or implementing risk‑based prioritization that doesn't rely solely on CVSS. Also, audit your SLAs: if they are tied to NVD enrichment, they may become unachievable. The NVD is no longer the safety net it once was; it's time to build redundancy into your vulnerability management pipeline.
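As an added illustration of points 5 and 7 (not code from NIST or from any scanner), the Python below triages records in the NVD CVE API 2.0 JSON layout without assuming NVD enrichment exists: it prefers NVD's own CVSS score, falls back to the CNA's, flags missing CVSS/CPE/CWE data, and lets KEV listing outrank the score. The sample records, placeholder CVE IDs, the example.org source, the score thresholds and the bucket names are constructed assumptions.

```python
# Added example: field names follow the NVD CVE API 2.0 JSON layout.
# Records, IDs, thresholds and bucket names are constructed assumptions.
NVD_SOURCE = "nvd@nist.gov"  # source value on metrics scored by NVD itself
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")

def pick_score(cve):
    """Return (score, origin): NVD's own score if present, else the CNA's."""
    metrics = cve.get("metrics", {})
    for origin in ("nvd", "cna"):      # NVD first, CNA as the fallback
        for key in METRIC_KEYS:        # newest CVSS version first
            scores = [m["cvssData"]["baseScore"] for m in metrics.get(key, [])
                      if (m.get("source") == NVD_SOURCE) == (origin == "nvd")]
            if scores:
                return max(scores), origin  # several scores: keep the most severe
    return None, "none"

def triage(cve):
    """Classify one record and list which enrichment fields are missing."""
    score, origin = pick_score(cve)
    present = {"cvss": score is not None,
               "cpe": bool(cve.get("configurations")),
               "cwe": bool(cve.get("weaknesses"))}
    gaps = [name for name, ok in present.items() if not ok]
    # KEV listing (cisaExploitAdd) outranks whatever the score says.
    if cve.get("cisaExploitAdd") or (score is not None and score >= 9.0):
        bucket = "urgent"
    elif score is None:
        bucket = "needs-analysis"      # a missing score is unknown, not low
    else:
        bucket = "high" if score >= 7.0 else "routine"
    return {"id": cve["id"], "score": score, "origin": origin,
            "gaps": gaps, "bucket": bucket}

def metric(source, score):  # builds a constructed CVSS metric entry
    return {"source": source, "cvssData": {"baseScore": score}}

SAMPLE = [  # constructed records with placeholder IDs
    {"id": "CVE-0000-0001", "cisaExploitAdd": "2026-01-01",
     "metrics": {"cvssMetricV31": [metric(NVD_SOURCE, 7.5)]},
     "configurations": [{"nodes": []}], "weaknesses": [{"source": NVD_SOURCE}]},
    {"id": "CVE-0000-0002",
     "metrics": {"cvssMetricV31": [metric("cna@example.org", 8.1)]}},
    {"id": "CVE-0000-0003", "metrics": {}},
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(triage(record))
```

Recording the score's origin and the gaps alongside the bucket lets policy and SLA reports show how much of the backlog was prioritized on CNA-only or missing data.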
Conclusion: The NVD enrichment model has changed permanently, and container security programs must adapt. The days of assuming every CVE will have NIST‑provided CVSS, CPE, and CWE data are over. By understanding which CVEs still get enriched, how to request enrichment when needed, and where to find alternative data sources, you can maintain effective vulnerability management. This isn't a temporary hiccup—it's a structural shift. Use the seven points above as a starting point to review your scanning, prioritization, and compliance workflows. The sooner you adapt, the less risk you'll face from blind spots in your container security.