The US federal government is rethinking how to support its globally adopted vulnerability tracking ecosystem after years of backlogs, funding scares, and growing doubts about whether the existing model can scale as vulnerability disclosures continue to accelerate. At the center of that ecosystem sit two distinct but interdependent components. The Common Vulnerabilities and Exposures program, operated by Mitre, assigns standardized identifiers to software flaws. The National Vulnerability Database, maintained by the National Institute of Standards and Technology, enriches those records with severity scores, exploitability data, and other metadata critical for defenders. Though closely linked in practice, CVE and NVD serve different functions and face different operational pressures.[1]
The most immediate challenges lie in NIST's role in enriching CVEs in the NVD. Jon Boyens, acting chief of NIST's Computer Security Division, said during a January public advisory board meeting that the agency is reassessing how much responsibility it should carry for analyzing and enriching thousands of backlogged vulnerabilities. The number of newly disclosed CVEs continues to grow each year, outpacing the government's ability to provide timely enrichment.
The strain on NVD has been building for years. In 2024, industry experts warned that delays in enrichment were reaching a breaking point as disclosure volume surged and analyst capacity remained limited. More than 70% of CVEs published since early 2024 remain unenriched, said Mayuresh Dani, security research manager at Qualys. The delays create blind spots for defenders who depend on NVD data for exposure tracking, compliance reporting and risk measurement.
NIST has signaled plans to pivot toward a more risk-based approach, prioritizing CVEs listed in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog that affect software used by federal agencies or that meet criticality thresholds defined by the agency. Analysts said the transition reflects operational reality inside the NVD but could also change how defenders interpret vulnerability data across the ecosystem.
Security experts told Information Security Media Group that focusing enrichment on actively exploited or mission-critical vulnerabilities may improve timeliness where it matters most, but could reduce visibility into long-tail vulnerabilities that still pose risk in certain environments. Many enterprise security programs depend on NVD enrichment to support prioritization, compliance reporting, and automated risk scoring pipelines. "Delays between disclosure, CVE assignment, enrichment, and scoring create blind spots," said Tim Amerson, federal field CISO at GuidePoint Security. "Adversaries don't wait for perfect metadata; they move as soon as exploit paths are known." NVD's contextual enrichment is particularly valuable amid widespread skepticism about the accuracy of the CVSS scoring system and the resulting priority brackets for vulnerabilities. Without consistent enrichment across all vulnerabilities, defenders may struggle to compare exposures across systems or understand how seemingly lower-severity flaws interact in complex environments, experts said.
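The practical consequence of the backlog described above is that a scoring pipeline keyed only on NVD's own analysis stalls on every record still marked "Awaiting Analysis". The following triage routine is an added example written for this page, not code from the article or from NIST or CISA. It assumes the record shapes of the NVD API 2.0 response (`cve.id`, `cve.vulnStatus`, `cve.metrics.cvssMetricV31[]` with `type` "Primary" for NVD's score and "Secondary" for a CNA-supplied one) and of the CISA KEV JSON feed (`vulnerabilities[].cveID`); the status names and the sample records are constructed for illustration and use placeholder identifiers, not real vulnerabilities. It prefers NVD's score, falls back to the CNA's own CVSS when enrichment is missing, treats KEV membership as overriding any score gap, and reports the enrichment gap the article quantifies.

```python
"""Triage CVEs when NVD enrichment has not arrived (added example, constructed data)."""
from typing import Optional, Tuple

# vulnStatus values assumed to mean "no NVD analysis on this record yet";
# "Deferred" is assumed to mark records NVD has chosen not to enrich at all.
UNENRICHED = {"Received", "Awaiting Analysis", "Undergoing Analysis", "Deferred"}


def best_cvss(cve: dict) -> Tuple[Optional[float], Optional[str], Optional[str]]:
    """Return (base_score, severity, origin) for one NVD-style CVE record.

    Prefers NVD's "Primary" CVSS v3.1 metric; falls back to a CNA-supplied
    "Secondary" metric when NVD has not enriched the record; all None when
    nobody has scored it.
    """
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    primary = [m for m in metrics if m.get("type") == "Primary"]
    secondary = [m for m in metrics if m.get("type") == "Secondary"]
    for origin, group in (("nvd", primary), ("cna", secondary)):
        if group:
            data = group[0]["cvssData"]
            return float(data["baseScore"]), data.get("baseSeverity"), origin
    return None, None, None


def bucket(score: Optional[float], in_kev: bool) -> str:
    """Priority bucket: exploited-in-the-wild first, unscored records before low ones."""
    if in_kev:
        return "P0"      # KEV-listed: act regardless of metadata state
    if score is None:
        return "REVIEW"  # no score from NVD or the CNA: needs a human look
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    return "P3"


def triage(nvd_feed: dict, kev_feed: dict) -> list:
    """Rank NVD records by bucket, tolerating missing enrichment."""
    kev_ids = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    rows = []
    for item in nvd_feed["vulnerabilities"]:
        cve = item["cve"]
        score, severity, origin = best_cvss(cve)
        status = cve.get("vulnStatus", "")
        in_kev = cve["id"] in kev_ids
        rows.append({
            "id": cve["id"], "status": status, "enriched": status not in UNENRICHED,
            "score": score, "severity": severity, "score_origin": origin,
            "in_kev": in_kev, "bucket": bucket(score, in_kev),
        })
    order = {"P0": 0, "P1": 1, "P2": 2, "REVIEW": 3, "P3": 4}
    rows.sort(key=lambda r: (order[r["bucket"]], r["id"]))
    return rows


def enrichment_gap(rows: list) -> float:
    """Share of records still lacking NVD analysis (the figure the article cites)."""
    return sum(1 for r in rows if not r["enriched"]) / len(rows) if rows else 0.0


def _metric(kind: str, score: float, severity: str) -> dict:
    return {"type": kind, "cvssData": {"baseScore": score, "baseSeverity": severity}}


# Constructed sample feed; CVE-2099-* identifiers are placeholders, not real CVEs.
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-2099-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [_metric("Primary", 9.8, "CRITICAL"),
                                            _metric("Secondary", 8.8, "HIGH")]}}},
    {"cve": {"id": "CVE-2099-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [_metric("Secondary", 7.5, "HIGH")]}}},
    {"cve": {"id": "CVE-2099-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-2099-0004", "vulnStatus": "Deferred", "metrics": {}}},
]}
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-2099-0001"}, {"cveID": "CVE-2099-0004"}]}

if __name__ == "__main__":
    ranked = triage(NVD_SAMPLE, KEV_SAMPLE)
    for r in ranked:
        print(f'{r["bucket"]:6} {r["id"]} status={r["status"]!r} '
              f'score={r["score"]} from={r["score_origin"]} kev={r["in_kev"]}')
    print(f"unenriched share: {enrichment_gap(ranked):.0%}")
```

The point of the fallback is visible in the constructed feed: the record with only a CNA score still lands in a usable bucket, the record nobody scored is surfaced for review rather than silently sinking to the bottom, and the "Deferred" record that NVD will never enrich is still prioritized because it is on the KEV list.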
While NVD faces operational strain, the CVE program itself, which operates under a federal contract, has experienced separate stability concerns. A near-lapse in federal funding in April 2025 exposed how dependent global cybersecurity tooling has become on the CVE identifier system.
"The market should internalize that CVE is 'critical infrastructure,' but it's still funded and operated like a renewable services contract," said Ensar Seker, CISO and vice president of research at threat intelligence firm SOCRadar. Even a brief disruption, Seker said, could ripple across vulnerability scanners, SIEM platforms, insurers, software vendors, and asset-management tools that rely on CVE identifiers.
Federal officials ultimately maintained funding continuity for the CVE program, but analysts said the episode intensified discussions about governance and long-term sustainability. In the wake of the funding scare, CVE board members announced the formation of a nonprofit, the CVE Foundation, intended to reduce reliance on a single government sponsor.
CISA has also acknowledged the need to explore diversified funding mechanisms and public-private partnerships to sustain the CVE program over time. Experts said that while immediate funding risks have stabilized, long-term governance questions remain unresolved.
NIST is also developing a strategy and implementation plan to clarify its future role in vulnerability enrichment. Officials said they intend to hire a program manager to lead that work and publish guidance for CVE Numbering Authorities on performing enrichment functions outside government.
Kevin Greene, chief cybersecurity technologist for the public sector at BeyondTrust and a former program manager in the science and technology directorate at the Department of Homeland Security, said the current model has shown signs of strain for years.
"The funding problem is nearly a decade old," Greene said. "We need industry partners to provide financial support and in-kind contributions to ensure the CVE ecosystem continues to deliver actionable vulnerability intelligence."
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.databreachtoday.com/feds-signal-shift-in-vulnerability-oversight-a-30653