NIST, Overrun by Massive Numbers of Submitted CVEs, Limits Analysis Work
2026-04-17 17:59:28 Author: securityboulevard.com (view original)

The federal agency that for years has tracked, analyzed, and cataloged software vulnerabilities and made the information widely available is being overwhelmed by the massive numbers of security flaws being submitted and is now narrowing the scope of what it will do.

The National Institute of Standards and Technology (NIST) said this week that it will only add details to common vulnerabilities and exposures (CVEs) that meet particular criteria, including those that are listed by CISA in its catalog of vulnerabilities that are being exploited, are found in software used by federal agencies, or are defined in Executive Order 14028 issued by then-President Biden in 2021.

CVEs that don’t meet any of those criteria will still be listed by NIST in the National Vulnerability Database (NVD), but the agency won’t add any further information about them. Until this week, NIST researchers gave every submitted CVE a severity score and other enrichment data, but the exponential growth in the number of submissions in recent years has made that work impossible, they said.

That number grew 263% between 2020 and last year, and NIST officials said they expect the numbers to grow in the future. The number of submissions during the first quarter this year was almost a third higher than the same three months in 2025. The agency noted that last year, agency researchers enriched almost 42,000 CVEs, a 45% year-over-year increase.

Years in the Making

The strain on the agency began to show in 2024 in the wake of budget and staff cuts, and spilled over into 2025 when NIST made changes to how it was handling the growing backlog of submissions.

The agency’s struggles rattled security teams at public agencies at all levels and at private companies, all of which had relied on NIST’s data to find and fix vulnerabilities more quickly. Dozens of security experts and organizations sent a letter to Congress in April 2024 asking it to restore resources to NIST and the NVD.

“This shutdown has disrupted essential resilience efforts across the public and private sectors,” they wrote. “This situation must be corrected with a sense of urgency appropriate to the broader strategic imperative of securing our systems infrastructure.”

Companies Will Need to Step Up

This shouldn’t come as a surprise, given the earlier warning signs and the growing number of CVEs, according to security pros. The private sector will have to take on many of the responsibilities that once belonged to NIST, and it will need to do so quickly: the surge in AI innovation means that autonomous systems can detect and identify even greater numbers of security flaws and, as seen with the announcements this month of Anthropic’s Mythos Preview AI and OpenAI’s similar GPT-5.4-Cyber foundation models, are also increasingly able to create exploits for them.

“We’ve seen a dramatic spike in AI-reported valid vulnerabilities,” said Vincenzo Iozzo, co-founder and CEO of SlashID. “As a result, the new NIST policy is sensible and the categories still covered are the most critical ones. Further, LLMs [large language models] are approaching the point where they are good enough to allow individual organizations to prioritize and contextualize vulnerabilities in their environment reducing the need for enriched CVEs.”

A New Model Needed

NIST is showing that the model it’s relied on for years can’t hold up in this era of more and faster detection of vulnerabilities, according to cybersecurity experts.

Doc McConnell, Head of Policy at Finite State and a former CISA branch chief and cybersecurity advisor to the U.S. Office of Management and Budget, said there need to be two significant changes. The first is that manufacturers need to invest more in security-by-design, including vulnerability testing and risk assessment early in the design process and fixing flaws before they reach users.

“Second, as NIST has acknowledged, we can no longer rely on universal severity scores,” McConnell said. “Organizations need to be able to analyze the exploitability of a vulnerability within their own environment, enriched with their own context.”
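The two points above, NIST’s narrowed enrichment criteria and McConnell’s call for organizations to prioritize with their own context, translate into a simple triage routine. The following is an added example written for this page, not code from NIST, CISA or anyone quoted in the article: it takes a list of assets with their CVEs, a KEV-style catalog, and NVD records (some enriched, some not), flags which CVEs the article says NIST will still enrich, and ranks every CVE with a local score. The catalog, NVD records, asset list, CVE identifiers (CVE-2099-xxxx) and score weights are all constructed for illustration; the EO 14028 criterion is not modelled because there is no machine-readable list for it.

```python
"""Local CVE triage with own-environment context.

Added example, not from the article or any vendor. All inputs below are
constructed sample data; nothing is fetched from the network.
"""
from dataclasses import dataclass

# Constructed stand-in for the CISA KEV feed (the real feed is a JSON document
# with a "vulnerabilities" array; only the fields used here are modelled).
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0003", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed stand-in for NVD records: a CVSS score means the record was
# enriched; None means it is listed but carries no added analysis.
SAMPLE_NVD = {
    "CVE-2099-0001": {"cvss": 9.8},
    "CVE-2099-0002": {"cvss": None},
    "CVE-2099-0003": {"cvss": 7.5},
    "CVE-2099-0004": {"cvss": None},
}


@dataclass
class Asset:
    name: str
    internet_facing: bool
    cves: list


# Constructed inventory: one exposed web host, one internal database host.
SAMPLE_ASSETS = [
    Asset("web-01", internet_facing=True, cves=["CVE-2099-0002", "CVE-2099-0003"]),
    Asset("db-01", internet_facing=False, cves=["CVE-2099-0001", "CVE-2099-0004"]),
]


def load_kev_ids(kev_feed):
    """Set of CVE IDs present in the KEV-style feed."""
    return {entry["cveID"] for entry in kev_feed["vulnerabilities"]}


def nvd_will_enrich(cve_id, kev_ids, federal_software_cves=frozenset()):
    """Two of the three criteria named in the article: KEV listing, or use in
    federal software. The EO 14028 criterion is not modelled (assumption)."""
    return cve_id in kev_ids or cve_id in federal_software_cves


def local_priority(cve_id, asset, kev_ids, nvd):
    """Score a CVE in the organization's own context.

    Assumed weights: exploitation evidence (KEV) outranks a universal score,
    exposure of the asset adds to it, and an unenriched record is flagged
    rather than silently treated as low risk.
    """
    score, reasons = 0, []
    if cve_id in kev_ids:
        score += 50
        reasons.append("in KEV")
    if asset.internet_facing:
        score += 30
        reasons.append("internet-facing asset")
    cvss = nvd.get(cve_id, {}).get("cvss")
    if cvss is None:
        score += 10
        reasons.append("no NVD enrichment: needs in-house analysis")
    else:
        score += int(cvss * 2)
    return score, reasons


def triage(assets, kev_feed, nvd, federal_software_cves=frozenset()):
    """Rank every (asset, CVE) pair, highest local priority first."""
    kev_ids = load_kev_ids(kev_feed)
    rows = []
    for asset in assets:
        for cve in asset.cves:
            score, reasons = local_priority(cve, asset, kev_ids, nvd)
            rows.append({
                "asset": asset.name,
                "cve": cve,
                "nvd_enriched_expected": nvd_will_enrich(cve, kev_ids, federal_software_cves),
                "priority": score,
                "reasons": reasons,
            })
    rows.sort(key=lambda r: r["priority"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ASSETS, SAMPLE_KEV, SAMPLE_NVD):
        print(f'{row["priority"]:>3} {row["asset"]:<7} {row["cve"]} '
              f'enriched={row["nvd_enriched_expected"]} {"; ".join(row["reasons"])}')
```

The point of the ranking is the middle of the list: CVE-2099-0002 sits on an internet-facing host and has no NVD enrichment, so under the new policy nobody upstream will ever assign it a score; the routine surfaces it for in-house analysis instead of letting the missing CVSS read as "low".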

Trey Ford, chief strategy and trust officer at Bugcrowd, echoed the sentiment.

“What NIST is acknowledging is something the research community has understood for years: you cannot centralize vulnerability triage at this volume and expect it to hold,” Ford said. “The signal that actually drives remediation priority has always come from real-world exploitability, not database metadata, and that requires human researchers with adversarial instincts working continuously against live environments.”

“The next generation of vulnerability programs will be built around that kind of active, distributed signal, not quarterly enrichment cycles,” he said.

Source: https://securityboulevard.com/2026/04/nist-overrun-by-massive-numbers-of-submitted-cves-limits-analysis-work/