The United States is underinvesting in a piece of cyber infrastructure that its entire cyberdefense ecosystem depends on. The National Vulnerability Database (NVD), a repository of publicly disclosed software and hardware vulnerabilities maintained by the National Institute of Standards and Technology (NIST), is one of the quieter pillars of U.S. cybersecurity—not the kind of infrastructure that makes headlines, but one that thousands of organizations rely on to speak a common language about software flaws and to decide what to fix first. It is a public good. And it is under serious strain.
NIST’s recent decision to change how it handles the identifiers at the heart of the NVD deserves policy attention. Those identifiers, called Common Vulnerabilities and Exposures (CVEs), are maintained by MITRE, which assigns a unique number and brief description to every reported vulnerability. NIST’s job is to enrich these CVEs, that is, to add a level of expert analysis that tells security teams how severe a flaw is, what systems are affected, and how urgently it needs to be fixed.
Moving forward, NIST will no longer aim to enrich every CVE. Instead, NIST will prioritize enriching a narrower set of vulnerabilities: (1) those in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, which contains security flaws under active attack, (2) those affecting software used by the federal government, and (3) those involving “critical software” as defined under Executive Order 14028, which sets baseline cybersecurity requirements for federal software suppliers. All other CVEs will still appear in the NVD, but many will be labeled as “Not Scheduled” and will not be enriched unless specifically requested.
This is a significant change. It is also a public acknowledgement that one of the government’s most relied-upon cybersecurity functions is under-resourced and overloaded. CVE submissions increased 263 percent between 2020 and 2025, and submissions in early 2026 are running nearly a third higher than the same period last year. NIST enriched more vulnerabilities in 2025 than any prior year, yet still fell further behind. For context, the NVD program only has 21 analysts; the volume of submissions, however, has no ceiling.
Consequently, NIST is shifting from universal enrichment to risk-based triage—a decision driven by necessity, not design.
The cybersecurity community saw this coming. NIST signalled this direction earlier in the year, and the NVD’s struggles have been visible since early 2024, when a funding disruption left three-quarters of submitted CVEs unprocessed at its peak. Practitioners are not shocked, but they are alarmed, and that should concern policymakers.
The NVD Under Stress
The alarm is compounded by two factors beyond NIST’s control.
First, the CVE program is run by MITRE, a federally funded nonprofit research organization, and largely funded by the Department of Homeland Security; it nearly collapsed last year when its federal funding contract was about to expire. CISA intervened at the last minute with an 11-month emergency extension. Scarred, the cybersecurity community rallied to establish an independent, nonprofit CVE Foundation, but the Foundation has not yet assumed operational responsibility for the program. The institutional fragility persists, and long-term governance of the program remains unresolved. In other words, the NVD’s problems sit atop a foundation that is under stress.
Second, the volume problem is expected to worsen. Industry forecasters are projecting that 50,000 new CVEs will be recorded in 2026 even before accounting for the arrival of new AI models capable of autonomously discovering and exploiting vulnerabilities at scale. Some analysts now expect the figure could reach more than 70,000 by year’s end. The European Union, recognizing the risk of depending on a single U.S.-run database, last year launched its own European Vulnerability Database. However, it is not yet a true alternative to the NVD because it lacks the same level of standardized enrichment and global adoption that make the NVD the operational backbone of vulnerability management. That a major allied bloc felt compelled to build some redundancy into a system created by the United States is more than a technical development—it is a signal about eroding confidence in U.S.-led vulnerability coordination.
Policymakers should be careful not to mistake a scarcity-driven adaptation for an optimal long-term model. Focusing only on a narrow subset of vulnerabilities, such as those in CISA’s KEV catalog, may sound efficient, but it is analogous to a community pool calling in a lifeguard only after someone has already drowned. The point of enriching vulnerabilities as they are disclosed is to put the lifeguard on duty while swimmers are still in the water.
What’s At Stake
The stakes are only rising: AI is compressing the time between vulnerability discovery and active exploit, turning delays in public vulnerability context into operational advantages for adversaries. A hospital’s IT team or a rural municipality’s network administrator cannot wait weeks for enrichment that may never come, and many cannot afford the commercial threat intelligence subscriptions that large enterprises use to fill the gap. A budget shortfall leading to a growing backlog of unprocessed vulnerabilities does not mean selective enrichment is the right equilibrium for U.S. cyber policy. If the NVD is in fact a public good—and it is—then the more important policy question is whether the federal government is willing to resource it like one.
The strongest case for doing so is practical.
First, universal enrichment reduces inequality in cybersecurity capacity. Large technology companies, major financial institutions, and well-resourced critical infrastructure operators can supplement incomplete public data with internal expertise or paid intelligence services. Smaller businesses, local governments, schools, hospitals, nonprofits, researchers, and under-resourced public entities often cannot. When the public baseline gets thinner, those organizations do not simply become less efficient. They become less capable. A universal NVD model helps narrow that gap by ensuring that high-quality vulnerability context is broadly available, not just available for purchase.
Second, a narrower enrichment model risks normalizing a two-tier vulnerability system and fragmenting the shared reference point the ecosystem depends on. The NVD does more than inform individual defenders. Vendors, insurers, IT managers, academic researchers and government agencies all rely on it to interpret risk in a consistent way. Under the new model, some CVEs will receive structured federal analysis while others sit in the database unenriched. NIST’s new status labels bring welcome transparency to this triage. But a queue that is easier to understand is still one driven by scarcity. And when more actors are forced to fill gaps with fragmented or proprietary judgments, the digital ecosystem as a whole pays the price.
Private-sector vendors already provide high-quality vulnerability intelligence, but they do not function as a universal reference layer. Their coverage is uneven by design, shaped by customer demand, product priorities, and pricing tiers, which creates fragmentation in how risk is interpreted across organizations.
Some argue that large language models (LLMs) can now help organizations prioritize vulnerabilities, reducing dependence on centralized enrichment. That view is not entirely wrong, but it mainly applies to well-resourced organizations. For the rural hospital, the water utility, and the rural school district, a dedicated LLM-powered security operations center monitoring networks 24/7 for threats is not yet a realistic alternative. Public enrichment exists precisely for the gaps that market solutions do not fill.
Third, the shift has consequences for public trust. For years, many users treated inclusion in the NVD as shorthand for a robust public layer of review. But going forward, presence in the NVD will not necessarily carry the same meaning. That is not a criticism of NIST. It is a consequence of overload. But policymakers should stop assuming that the public vulnerability infrastructure can continue to absorb record disclosure volume without materially changing the service it provides.
None of this means the NVD is losing relevance. Quite the opposite. NIST has made clear that it views the database as a critical component of U.S. cybersecurity infrastructure and is updating the dashboard and process documentation to provide more real-time visibility into CVE status and program operations. The problem is not that the NVD matters less; it is that it matters so much that strain in the system creates ecosystem-wide consequences.
What Congress Should Do Now
Congress should treat NIST’s vulnerability enrichment function as critical infrastructure and fund it accordingly through dedicated appropriations scaled to CVE volume growth. This likely implies funding increases on the order of tens of millions of dollars annually, a fraction of what the federal government already spends on threat detection systems that depend on NVD data, along with a several-fold expansion of analyst capacity to restore universal enrichment as a baseline function. Absent that shift, the United States risks normalizing a degraded public baseline for vulnerability intelligence at the very moment it is becoming most strategically important.
Automation and workflow improvements are part of the answer, but they are not substitutes for investment: no process improvement can absorb a 263 percent increase in volume without a corresponding increase in resources. Dozens of cybersecurity experts wrote to Congress and the Secretary of Commerce when the 2024 backlog crisis first emerged, calling the NVD “critical infrastructure for a large variety of cybersecurity products.” That letter did not result in a funding fix. The marginal cost of fully resourcing NIST’s enrichment function is low relative to the ecosystem-wide value it provides. Even if a portion of CVEs are ultimately low severity, the cost asymmetry of missing the wrong one ensures that incomplete enrichment is not a neutral tradeoff.
NIST’s risk-based triage is a mistake driven by scarcity, and should not become the accepted end state. The United States is underinvesting in a piece of public cyber infrastructure that many depend on to stay secure, and the downstream risks will increase over time until the decision is reversed and the function is fully funded.