NIST's NVD Cuts Spark Rise of Private CVE Enrichment
NIST's National Vulnerability Database (NVD) has historically been the primary source of enriched CVE data, attaching CVSS v3.1 vector strings, severity ratings, affected product CPEs, and links to vendor advisories. In a terse announcement on 14 March 2024, the agency said it would curtail enrichment activities because of budget constraints and a surge in CVE submissions that outpaced staff capacity. The move means that thousands of newly published CVEs will be listed with only minimal metadata, forcing security teams to seek additional context elsewhere.
The reduction hits vulnerability-management workflows hardest. Teams that rely on automatic ingestion of CVSS scores, CWE classifications, and patch references into SIEMs such as Splunk or IBM QRadar will now have to manually map raw CVE IDs or purchase enrichment feeds. According to a March 2024 SANS survey, 68% of respondents said the loss of NVD-enriched data would increase the time to prioritize critical flaws by at least 30%. The change also affects compliance reporting under NIST SP 800-53 and the PCI-DSS requirement to track known vulnerabilities with a CVSS base score.
A patchwork of commercial vendors and community groups is already moving to fill the void. Tenable, Rapid7, Eclypsium, and Cisco’s Kenna Security have each announced accelerated enrichment pipelines that add CVSS v3.1 vectors, EPSS-style exploitability scores, and vendor-specific remediation guidance within hours of a CVE’s release. Meanwhile, the CVE Foundation—launched in 2022 by MITRE and several CNAs—has published a draft “CVE-Enrichment-Schema” that standardizes how third-party data can be attached to the official CVE record. The Open Cybersecurity Alliance and the Vulnerability Equity Coalition have likewise launched joint projects to curate a high-confidence feed for critical-infrastructure CVEs, with CISA’s new “CVE-Intelligence-Pilot” providing a pilot interface for federal agencies.
Security leaders are advising organizations to adopt a layered approach. First, continue to ingest raw CVE data from NIST’s data feeds but augment it with a commercial threat-intel source that includes CVSS, exploitability, and threat-actor activity. Second, leverage automation frameworks such as the OVAL and SCAP standards to map raw CVEs to system configurations. Third, consider participating in the CVE-Enrichment-Schema beta to help shape future standards. While NIST’s reduction signals a shift in the responsibility for data enrichment, the emerging coalitions demonstrate that the community can quickly mobilize to keep vulnerability intelligence actionable for cyber teams.