Adapting Container Security to NIST's Revised NVD Enrichment Model
In mid-April, NIST introduced a major shift in how it manages the National Vulnerability Database (NVD). Instead of enriching every CVE with scores, classifications, and mappings, the agency now focuses on a smaller subset of vulnerabilities. The change, prompted by a surge in CVE submissions, means container security programs can no longer assume the NVD will supply full context for every vulnerability they find in an image. Below, we break down what happened, why it matters, and how teams can respond.
What specific changes did NIST announce for the National Vulnerability Database?
On April 15, NIST unveiled a prioritized enrichment model for the NVD. Under this approach, most CVEs will still be published, but only a fraction will receive the full suite of enrichments (CVSS scores, CPE mappings, and CWE classifications). Container scanning tools and compliance frameworks have long leaned on these fields. Three categories of vulnerabilities will continue to get full, timely enrichment: those in CISA's Known Exploited Vulnerabilities catalog, those affecting software used by the federal government, and those tied to "critical software" as defined by Executive Order 14028. All other CVEs are now marked "Not Scheduled". NIST will also stop issuing its own CVSS score when the submitting CNA has already supplied one, so for those CVEs the CNA score is the only score the record will carry. Organizations can request enrichment by email, but no service-level timeline applies. This is a clear departure from the previous expectation of near-complete coverage.

Which vulnerabilities still receive full enrichment from NIST?
NIST now prioritizes three groups for complete enrichment. First, any CVE listed in CISA's Known Exploited Vulnerabilities (KEV) catalog gets full treatment within one business day. Second, vulnerabilities affecting software used within the federal government are enriched promptly. Third, any CVE linked to "critical software" as defined by Executive Order 14028 qualifies for full enrichment. These categories cover a narrow slice of all published CVEs: the KEV catalog holds on the order of a thousand actively exploited vulnerabilities, while the cumulative CVE count runs to hundreds of thousands and keeps climbing. The implication is clear: most container-related CVEs, especially those in open-source libraries or in commercial software the government does not use, will land in the "Not Scheduled" bucket. Teams must plan for gaps in CVSS scores, CPE mappings, and CWE classifications that they once took for granted.
How does this shift affect container security programs that rely on NVD data?
Container security programs have long depended on NVD enrichments to prioritize vulnerabilities and set SLAs. Scanners use CVSS scores to gauge severity, CPE mappings to match affected software, and CWE classifications to identify the underlying weakness class. With most CVEs no longer receiving these enrichments, scanning tools will display incomplete data. Prioritization becomes harder because a vulnerability without a score cannot be ranked against one that has a score; the practical caveat is that a missing score must be treated as unknown severity, never as low severity, or unenriched CVEs will silently sink to the bottom of every queue. Compliance programs that require CVSS scores for reporting may need alternative sources. The "Not Scheduled" status also removes any expectation of a wait time: many CVEs may never be enriched. The CPE gap hurts unevenly. Container scanners usually match OS packages by name and version against distribution security trackers rather than by CPE, so the pain concentrates in application binaries and language packages that were matched through CPE. All of this forces container security teams to reassess their workflows: integrate other vulnerability databases, use exploit-likelihood signals such as FIRST's EPSS, or rely more on CNA-provided scores. Vulnerability management platforms that aggregate NVD data are affected in the same way, since they will now receive far fewer enriched entries.
Why did NIST decide to narrow its enrichment scope?
NIST cited a dramatic increase in CVE submissions as the primary reason. Between 2020 and 2025, the number of published CVEs grew by 263%. In Q1 2026 alone, submissions ran roughly a third higher than the same period the year before. This surge stems from more CNA programs, more open-source projects running their own disclosure processes, and more automated tooling surfacing issues that previously would not have reached CVE status. NIST’s resources could not keep pace with full enrichment for every entry. The agency also noted that many CVEs already include CVSS scores from the originating CNA, making duplication unnecessary. By narrowing focus to the most critical vulnerabilities—those actively exploited, used by the government, or tied to critical software—NIST aims to allocate its limited resources where they have the most impact. This move formalizes a trend visible in NVD feeds for two years, but it now sets a clear expectation that full-coverage enrichment is no longer the goal.
What options do organizations have for vulnerabilities now marked as “Not Scheduled”?
For CVEs in the "Not Scheduled" category, organizations have several paths. First, they can email NIST at nvd@nist.gov to request enrichment, but there is no guaranteed timeline, and NIST may deprioritize requests when volumes are high. Second, teams can rely on the CNA-provided CVSS score if one exists; NIST no longer duplicates it, so the CNA's score should be consumed directly. Third, security teams can turn to alternative databases and scoring systems. FIRST's EPSS project publishes exploit-probability scores that do not depend on NVD enrichment, and platforms such as VulnCheck or Aqua Security offer enrichment services. Some organizations are also building internal prioritization models that use exploitability data, threat intelligence, and context from their own environments rather than waiting for NVD. Finally, container security programs should update their SLAs and compliance baselines to account for missing scores and mappings. The key is to stop assuming NVD will fill every gap and to adopt a multi-source strategy instead.

How has the volume of CVEs changed, and what does that mean for container security?
The numbers are striking: a 263% increase in CVE submissions from 2020 to 2025, with Q1 2026 already a third higher than Q1 2025. This growth reflects a maturing vulnerability ecosystem. More CNAs, more open-source projects running their own CVE processes, and more security tooling that detects and reports issues all contribute. For container security, this means the volume of vulnerabilities to triage is growing far faster than triage capacity. Without NVD enrichment, teams must sort through a larger pile of unrated CVEs. Container images often bundle hundreds of packages, so even a moderately popular library can generate dozens of new CVEs per quarter. The change forces teams to prioritize differently: instead of relying on CVSS base scores, they must weigh factors such as known exploitation, package exposure, and business impact. The rising share of CVEs without enrichment will also push security teams toward automated prioritization engines that combine several data sources.
What should container security teams do to adapt their scanning and prioritization workflows?
First, teams should audit their current vulnerability management pipeline to see how heavily it depends on NVD enrichments. Identify every place where CVSS scores, CPE mappings, and CWE classifications are consumed, including scanner severity gates, ticket SLAs, and compliance reports. Next, integrate alternative enrichment sources: vendor advisories, distribution security trackers (the data most container scanners already use for OS packages), open-source vulnerability databases such as OSV, and commercial feeds. For container scanning, consider tools that can compute their own risk scores from threat intelligence and runtime context. Update SLA definitions so that "Not Scheduled" CVEs are handled without hard deadlines for enrichment. Strengthen internal prioritization by combining exploitability data from sources such as the KEV catalog, reachability analysis (whether a vulnerable function is actually used in the container), and business impact. Finally, train teams not to wait for NVD: if a CVE carries a CNA-provided score, use it; if not, escalate based on the other signals. The adaptation is a move from a passive, NVD-reliant model to an active, multi-source vulnerability management strategy.
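The fallback chain described in the last two sections (prefer NVD's own score, then the CNA's, then vendor severity, and let KEV membership override all of them) can be expressed as a small triage routine. The following is an added example written for this article, not NIST's or any scanner's code. It assumes records shaped like the NVD API 2.0 "cve" object, where each entry in metrics.cvssMetricV31 carries type "Primary" for NVD's score and "Secondary" for the CNA's, and where KEV entries carry a cisaExploitAdd date; the CVE IDs, scores, vendor severities, and the use of "Not Scheduled" as a vulnStatus value are constructed for illustration.

```python
"""Enrichment-independent CVE triage: fall back from NVD's Primary CVSS to the
CNA's Secondary CVSS, then to vendor severity, with KEV membership overriding,
so CVEs marked 'Not Scheduled' still receive a tier instead of sinking unranked."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample records mirroring the NVD API 2.0 'cve' object shape.
# IDs, scores and statuses are invented for this example (assumption).
SAMPLE_CVES = [
    {   # fully enriched by NVD and listed in KEV
        "id": "CVE-2026-0001", "vulnStatus": "Analyzed",
        "cisaExploitAdd": "2026-04-20",
        "metrics": {"cvssMetricV31": [
            {"type": "Primary", "source": "nvd@nist.gov",
             "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
            {"type": "Secondary", "source": "security@example-cna.org",
             "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]}},
    {   # not enriched by NVD; the CNA supplied a score
        "id": "CVE-2026-0002", "vulnStatus": "Not Scheduled",  # assumed status label
        "metrics": {"cvssMetricV31": [
            {"type": "Secondary", "source": "security@example-cna.org",
             "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}},
    {   # no score from anyone; a vendor advisory rates it moderate
        "id": "CVE-2026-0003", "vulnStatus": "Not Scheduled", "metrics": {}},
    {   # no score, no vendor rating, but present in KEV
        "id": "CVE-2026-0004", "vulnStatus": "Not Scheduled", "metrics": {}},
    {   # nothing at all: must surface as unknown, not as low risk
        "id": "CVE-2026-0005", "vulnStatus": "Not Scheduled", "metrics": {}},
]

# Constructed stand-ins for two other feeds: the KEV catalog (the real feed is a
# JSON file with vulnerabilities[].cveID) and a distro/vendor advisory severity map.
KEV_IDS = {"CVE-2026-0001", "CVE-2026-0004"}
VENDOR_SEVERITY = {"CVE-2026-0003": "moderate"}
# Rough mapping of common vendor severity words onto CVSS-like numbers (assumption).
VENDOR_TO_SCORE = {"critical": 9.0, "important": 7.0, "high": 7.0, "moderate": 5.0, "low": 2.0}


@dataclass
class Triage:
    cve_id: str
    tier: str                 # P1 (most urgent) .. P4
    score: Optional[float]
    score_source: str         # "nvd", "cna", "vendor" or "none"
    reasons: List[str] = field(default_factory=list)


def best_cvss(cve: dict) -> Tuple[Optional[float], str]:
    """Prefer NVD's Primary CVSS v3.1 metric, else the CNA's Secondary, else nothing."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    for wanted, label in (("Primary", "nvd"), ("Secondary", "cna")):
        for m in metrics:
            if m.get("type") == wanted:
                return float(m["cvssData"]["baseScore"]), label
    return None, "none"


def triage(cve: dict, kev_ids=KEV_IDS, vendor=VENDOR_SEVERITY) -> Triage:
    cve_id = cve["id"]
    score, source = best_cvss(cve)
    reasons = [f"CVSS source: {source}"]
    if source == "none" and cve_id in vendor:            # third fallback: vendor advisory
        score, source = VENDOR_TO_SCORE[vendor[cve_id].lower()], "vendor"
        reasons.append(f"vendor severity '{vendor[cve_id]}' mapped to {score}")
    in_kev = cve_id in kev_ids or "cisaExploitAdd" in cve
    if in_kev:                                            # exploitation beats any score
        tier = "P1"
        reasons.append("listed in CISA KEV")
    elif score is None:                                   # unknown is not low
        tier = "P2"
        reasons.append("no score from NVD, CNA or vendor; hold at P2 until reviewed")
    elif score >= 7.0:
        tier = "P2"
    elif score >= 4.0:
        tier = "P3"
    else:
        tier = "P4"
    if cve.get("vulnStatus") == "Not Scheduled":
        reasons.append("NVD status Not Scheduled: do not wait for enrichment")
    return Triage(cve_id, tier, score, source, reasons)


def triage_all(cves=SAMPLE_CVES) -> List[Triage]:
    return [triage(c) for c in cves]


if __name__ == "__main__":
    for t in sorted(triage_all(), key=lambda t: t.tier):
        print(f"{t.cve_id} {t.tier} score={t.score} via {t.score_source}; " + "; ".join(t.reasons))
```

In production the records would come from the NVD API 2.0 and the KEV JSON feed rather than the inline lists, and the vendor map from your distribution's security tracker; the two design choices worth keeping are that KEV membership outranks every score and that a CVE with no score at all is parked at P2 for human review rather than dropped to the bottom of the queue.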