How to Adapt Your Container Security Program to NIST's New NVD Enrichment Model
Introduction
On April 15, NIST officially changed how the National Vulnerability Database (NVD) enriches Common Vulnerabilities and Exposures (CVEs). Instead of analyzing nearly every CVE, NIST now enriches only a prioritized subset. CVE records themselves are still published by the CVE Program and still appear in the NVD, but most no longer automatically receive NIST-assigned CVSS scores, CPE mappings, or CWE classifications—the fields container scanners and compliance programs have long depended on. This isn't a temporary shift; NIST has stated it does not plan to return to full-coverage enrichment. For teams that built scanning, prioritization, and SLA workflows around NVD enrichment as a layer on top of the CVE record, it's time for a structured reassessment. This guide walks you through evaluating and updating your container security program so it remains effective under the new model.

What You Need
- Current vulnerability management process documentation – including how you fetch, enrich, and prioritize CVEs.
- List of container scanners and tools that rely on NVD enrichment (e.g., Trivy, Grype, Snyk, or custom scripts).
- Access to CISA Known Exploited Vulnerabilities catalog and Executive Order 14028 definitions.
- Email address for NIST enrichment requests: nvd@nist.gov (optional, for special cases).
- Internal SLA and compliance requirements – e.g., patch timelines, audit obligations.
- Knowledge of CPE, CVSS, and CWE basics to assess gaps.
Step-by-Step Guide
Step 1: Understand What Changed
NIST now applies full enrichment only to three categories of CVEs:
- CVEs listed in CISA's Known Exploited Vulnerabilities catalog – enriched within one business day.
- CVEs affecting software used by the U.S. federal government.
- CVEs affecting “critical software” as defined in Executive Order 14028.
All other CVEs are moved to a “Not Scheduled” status. Organizations can request enrichment by emailing nvd@nist.gov, but no service-level timeline applies. Additionally, NIST no longer produces its own CVSS score when the submitting CNA has already supplied one in the CVE record, so for those CVEs the CNA's score is the only score you will see. All unenriched CVEs published before March 1, 2026 have been backdated to “Not Scheduled.”
Step 2: Audit Your Current NVD Dependencies
Review every tool and process in your container security pipeline that consumes NVD data. Ask:
- Which steps require CVSS scores, CPE mappings, or CWE classifications from NVD?
- Are you relying on automated enrichment that will now return incomplete data?
- Do you use NVD as the sole authoritative source for vulnerability severity?
Document each dependency and note whether it can be adjusted or replaced.
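One way to start the audit is to measure, per finding, where a scanner's severity actually came from. The following Python script is an added example, not code from the original article or from the Trivy project; it parses a report in Trivy's JSON output format (the VulnerabilityID, Severity, SeveritySource, CVSS and CweIDs fields) and classifies each finding by how much it leans on NVD. The embedded report and its CVE-0000-nnnn identifiers are constructed placeholders, not real vulnerabilities.

```python
"""Audit a Trivy JSON report: which findings depend on NVD for their CVSS or severity?"""
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON output (SchemaVersion 2).
# CVE-0000-nnnn IDs are placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {"Target": "app:1.0 (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             # Only NVD scored it and NVD set the severity: fully exposed to the change.
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "HIGH",
              "SeveritySource": "nvd", "CVSS": {"nvd": {"V3Score": 7.5}}, "CweIDs": ["CWE-787"]},
             # Vendor score exists, but the scanner still took NVD's severity.
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl", "Severity": "MEDIUM",
              "SeveritySource": "nvd",
              "CVSS": {"nvd": {"V3Score": 5.3}, "redhat": {"V3Score": 5.3}}, "CweIDs": []},
             # Nothing scored it anywhere: the "Not Scheduled" case.
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g", "Severity": "UNKNOWN",
              "SeveritySource": "", "CVSS": {}, "CweIDs": []},
         ]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             # Scored by GHSA; NVD enrichment is irrelevant here.
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "lodash", "Severity": "HIGH",
              "SeveritySource": "ghsa", "CVSS": {"ghsa": {"V3Score": 7.4}}, "CweIDs": ["CWE-1321"]},
         ]},
    ],
})


def classify(vuln):
    """Return 'nvd-only', 'nvd-severity', 'other' or 'unscored' for one Trivy finding."""
    cvss = vuln.get("CVSS") or {}
    # Sources that actually carry a numeric score (Trivy keys them by origin: nvd, redhat, ghsa, ...).
    sources = {src for src, m in cvss.items()
               if m.get("V3Score") is not None or m.get("V2Score") is not None}
    if not sources and vuln.get("Severity", "UNKNOWN") == "UNKNOWN":
        return "unscored"
    if sources == {"nvd"}:
        return "nvd-only"
    if vuln.get("SeveritySource") == "nvd":
        return "nvd-severity"
    return "other"


def audit(report_json):
    """Flatten a Trivy report into rows and count how many findings lean on NVD."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            rows.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "target": result.get("Target"),
                "dependence": classify(v),
                "has_cwe": bool(v.get("CweIDs")),
            })
    summary = Counter(r["dependence"] for r in rows)
    # CWE gaps matter for compliance mappings even when a score exists.
    summary["missing-cwe"] = sum(1 for r in rows if not r["has_cwe"])
    return rows, dict(summary)


if __name__ == "__main__":
    rows, summary = audit(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['id']:14} {r['pkg']:10} {r['dependence']:13} cwe={'yes' if r['has_cwe'] else 'no'}")
    print(summary)
```

Run it against `trivy image --format json -o report.json <image>` output by reading the file instead of `SAMPLE_REPORT`. Findings in the `nvd-only` and `nvd-severity` buckets are the ones whose severity will silently degrade to UNKNOWN or go stale for new CVEs; the `other` bucket shows how much of your OS-package exposure already comes from distribution or ecosystem feeds.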
Step 3: Identify Which CVEs Matter Most to Your Containers
Map your container images and running workloads to the three priority categories. Even if your software isn't used by the federal government or classed as EO 14028 critical software, you should monitor the CISA KEV catalog – those CVEs are enriched quickly and are, by definition, being exploited. Also consider your own risk profile: which CVEs would cause the most harm if exploited in your environment? Prioritize enrichment, whether requested from NIST or done in-house, for those.
Step 4: Adjust Your Enrichment Sources
Since NVD enrichment is no longer guaranteed, diversify where you get vulnerability data. Options include:
- Using scanner-native databases – container scanners maintain their own aggregated databases: Trivy's pulls from the GitHub Advisory Database, distribution security trackers (Debian, Ubuntu, Alpine, Red Hat and others) and NVD, and Grype's is built from a similar mix of distribution feeds, GHSA and NVD. For OS packages these scanners match on package name and version against the distribution advisory, which carries its own severity and fixed version, so NVD CPE data matters mostly for unpackaged binaries and other software that no vendor or ecosystem feed covers.
- Reading the CVSS the CNA already supplies – the CVE JSON 5.x record carries the CNA's own metrics and, where CISA's Vulnrichment program has acted, an ADP container with CVSS, CWE and SSVC data; third-party scoring services are a further option for CVEs that arrive with nothing.
- Implementing in-house assessment – if your team has the security expertise, score the vulnerabilities that matter to your workloads yourself and record the rationale.
- Leveraging CISA KEV and vendor advisories – these are free and often faster than NVD.
Step 5: Revise Prioritization and SLA Workflows
Without guaranteed NVD CVSS scores, your prioritization logic must change. Consider:

- Using exploitability indicators (e.g., has the CVE appeared in the wild? Is it in CISA KEV?)
- Assigning in-house severity ratings based on your environment and asset criticality.
- Setting tiered SLAs per tier rather than per raw score – e.g., a KEV-listed CVE on an internet-facing workload gets a 24-hour patch target; a low-risk CVE gets 90 days; an unscored CVE gets a short triage deadline instead of defaulting to the bottom of the queue.
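The fallback chain for Steps 4 and 5, as an added example (not the article's own tooling or any vendor's): take the NVD score if the scanner had one, otherwise the CNA score from the CVE JSON 5.x record, otherwise an ADP score such as CISA's, then let KEV membership and your own asset criticality decide the tier and SLA. Unscored CVEs land in a triage tier with a short deadline rather than at the bottom of the queue. The KEV feed and CVE records are constructed samples with placeholder CVE-0000-nnnn identifiers, the `SLA_DAYS` values are illustrative rather than any NIST or CISA requirement, and cross-referencing with your asset inventory is reduced to a `critical_asset` flag.

```python
"""Prioritize container findings without guaranteed NVD CVSS: NVD -> CNA -> ADP -> KEV -> triage."""
import json
from dataclasses import dataclass
from typing import Optional

# Tier -> SLA in days. Illustrative values; 'triage' means "assess and re-tier within N days".
SLA_DAYS = {"exploited": 1, "critical": 7, "high": 30, "medium": 60, "low": 90, "triage": 7}
TIER_ORDER = ["low", "medium", "high", "critical", "exploited"]

# Constructed KEV feed using the keys of CISA's known_exploited_vulnerabilities.json; placeholder IDs.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0003", "dateAdded": "2026-04-16", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed CVE records in the CVE JSON 5.x layout (cna / adp containers); placeholder IDs.
CVE_RECORDS = {
    "CVE-0000-0001": {"containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 7.5}}]}, "adp": []}},
    "CVE-0000-0002": {"containers": {"cna": {}, "adp": [
        {"providerMetadata": {"shortName": "CISA-ADP"}, "metrics": [{"cvssV3_1": {"baseScore": 9.1}}]}]}},
    "CVE-0000-0003": {"containers": {"cna": {}, "adp": []}},   # unscored but in KEV
    "CVE-0000-0004": {"containers": {"cna": {}, "adp": []}},   # unscored, "Not Scheduled" case
}


@dataclass
class Finding:
    cve: str
    image: str
    nvd_score: Optional[float]      # what the scanner got from NVD, if anything
    critical_asset: bool = False    # from your own inventory, not from any feed


def load_kev(feed_json):
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}


def cvss_from_record(record):
    """First CVSS base score in the CNA container, then in any ADP container; (score, provider)."""
    containers = record.get("containers", {})
    blocks = [containers.get("cna", {})] + list(containers.get("adp", []))
    for block in blocks:
        for m in block.get("metrics", []):
            for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
                if key in m and "baseScore" in m[key]:
                    provider = block.get("providerMetadata", {}).get("shortName", "cna")
                    return float(m[key]["baseScore"]), provider
    return None, None


def base_tier(score):
    """Map a CVSS base score to a tier; no score at all goes to triage, never to 'low'."""
    if score is None:
        return "triage"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def bump(tier):
    """Raise one tier for critical assets; 'exploited' stays reserved for KEV membership."""
    if tier == "triage":
        return "triage"
    i = TIER_ORDER.index(tier)
    return TIER_ORDER[min(i + 1, len(TIER_ORDER) - 2)]


def prioritize(finding, kev, records):
    score, source = finding.nvd_score, "nvd"
    if score is None:                                   # NVD gave nothing: fall back to the CVE record
        score, source = cvss_from_record(records.get(finding.cve, {}))
    if finding.cve in kev:                              # exploitation trumps any score, or lack of one
        tier = "exploited"
    else:
        tier = base_tier(score)
        if finding.critical_asset:
            tier = bump(tier)
    return {"cve": finding.cve, "image": finding.image, "score": score,
            "score_source": source, "tier": tier, "sla_days": SLA_DAYS[tier]}


# Constructed findings, as a scanner would report them after the NVD change (no NVD scores).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "app:1.0", nvd_score=None),
    Finding("CVE-0000-0002", "app:1.0", nvd_score=None, critical_asset=True),
    Finding("CVE-0000-0003", "app:1.0", nvd_score=None),
    Finding("CVE-0000-0004", "app:1.0", nvd_score=None, critical_asset=True),
]


def run(findings=SAMPLE_FINDINGS):
    kev = load_kev(KEV_FEED)
    return [prioritize(f, kev, CVE_RECORDS) for f in findings]


if __name__ == "__main__":
    for row in sorted(run(), key=lambda r: r["sla_days"]):
        print(row)
```

In production, `KEV_FEED` is the JSON CISA publishes, `CVE_RECORDS` comes from a local mirror of the cvelistV5 repository or the CVE Services API, and `critical_asset` is looked up from your asset inventory. The design choice worth keeping is that an empty score yields a triage deadline with a recorded `score_source` of `None`, so a dashboard can show exactly how many findings are waiting on human assessment rather than hiding them under "low".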
Step 6: Communicate Changes to Stakeholders
Inform development, operations, and compliance teams about the shift. Explain that “No CVSS score” no longer means “low priority.” Update runbooks and dashboards to reflect new enrichment sources. Provide training if needed, especially for personnel who interpret vulnerability reports.
Step 7: Establish a Process for Requesting Enrichment
If you encounter a CVE that is critical to your containers but not in the priority categories, you can email nvd@nist.gov. Document this process: who submits, what information is needed (CVE ID, reason for request, impact), and set expectations that there is no guaranteed turnaround time. For high-urgency vulnerabilities, use other enrichment avenues first.
Step 8: Monitor and Iterate
The NVD landscape continues to evolve. Check NIST announcements, review your tools quarterly, and adjust your process as NIST expands or refines its enrichment model. Also track the volume of CVEs – NIST reported a 263% increase between 2020 and 2025, with Q1 2026 running a third higher year-over-year. More CVEs mean more chances for gaps.
Tips for Success
- Don't panic – Many scanners already rely on multiple data sources; check if your tool already handles missing NVD enrichment gracefully.
- Focus on exploitability – A CVE with no CVSS score but active exploits is far more urgent than a scored CVE with no exploit.
- Automate where possible – Use scripts to cross-reference CVE IDs with CISA KEV, vendor advisories, and your own asset inventory.
- Collaborate with peers – Share enrichment gaps and solutions within your industry or through open-source communities.
- Document your decisions – For compliance audits, show that you have a deliberate process for handling unenriched CVEs.
- Track your own NIST requests – if you submit enrichment requests, log the responses so you can see whether certain categories are consistently ignored and plan your in-house assessment around that.