NIST's Cutback on Vulnerability Enrichment Sparks Concerns
Cybersecurity analysts warn of challenges in managing vulnerabilities after NIST reduces its support for detailed assessments.

Key points
- NIST reduced its CVE enrichment efforts in April 2023 due to backlog management.
- Volerion found 1,583 CVEs left unanalyzed between April 15 and June 15, 2023.
- Inaccurate vulnerability scores and delays are causing confusion for organizations.
- Discrepancies in CVSS scores can impact cloud service providers' risk assessments.
- Over 500 CNAs contribute varying vulnerability analyses, complicating consensus.
The National Institute of Standards and Technology (NIST) has cut back on its enrichment of vulnerabilities, creating new challenges for cybersecurity teams. As of April 2023, NIST has been prioritizing vulnerabilities that are actively exploited or relevant to federal government products, leaving many without detailed analysis.
Volerion, a cybersecurity startup, analyzed data from April 15 to June 15 and found that out of 13,441 vulnerabilities submitted to the National Vulnerability Database (NVD), only 6,759 received NIST's enrichment. This means 1,583 vulnerabilities were left without additional analysis, which is crucial for organizations that depend on these insights to manage risks.
The lack of enrichment isn't just about missing data; it's also about accuracy. According to Volerion's research, NIST's CVE assessments often differ from those made by other organizations, known as CVE Numbering Authorities (CNAs). These CNAs can sometimes provide conflicting or biased assessments due to varying levels of expertise and motives.
How did the reduction in NIST's efforts affect the CVE system?
With NIST reducing its efforts, many vulnerabilities remain unanalyzed or inaccurately assessed, complicating risk management for organizations. The median time for NIST to analyze vulnerabilities was around four days in May, but bottlenecks still exist. This leaves many companies waiting for analysis, unable to make timely decisions about which vulnerabilities to address first.
The reduction in NIST's efforts has especially impacted cloud service providers under the Federal Risk and Authorization Management Program (FedRAMP). These providers rely on NIST's Common Vulnerability Scoring System (CVSS) scores to assess risks, but discrepancies between NIST and other CNAs' evaluations can lead to confusion.
Volerion's analysis highlighted inaccuracies, such as the denial-of-service flaw CVE-2026-8856 in IBM HTTP Server, which had differing severity ratings from NIST, IBM, and Volerion. Such discrepancies underline the challenges organizations face in understanding and prioritizing vulnerabilities accurately.
While NIST intended to streamline its focus on high-priority vulnerabilities, Volerion's findings suggest that its automated selection system might be insufficient. Errors arise from data pulled from various sources, like the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, which has its own inaccuracies.
Dark Reading first reported these issues, emphasizing the growing concerns among cybersecurity experts. As vulnerability reports increase, highlighted by Microsoft's record-setting Patch Tuesday, the need for accurate and timely analyses becomes critical for organizations managing cybersecurity threats.



