NIST Slashes Vulnerability Database Scope After Funding Crisis

NIST is dramatically narrowing what its National Vulnerability Database actually covers. Going forward, the NVD will only analyze vulnerabilities in three categories: critical software, systems used by the federal government, and flaws under active exploitation.

The prioritization shift leans heavily on CISA's Known Exploited Vulnerabilities catalog as a guiding framework. Translation: if a CVE isn't on CISA's radar, in critical software, or touching federal infrastructure, it's going to the back of the line.

The move is a direct response to a massive backlog that piled up after a 2024 funding lapse left the database struggling to keep pace. NIST essentially had to triage its own operation.

For the broader cybersecurity community, this means less comprehensive coverage from what has long been considered the authoritative source for vulnerability data. Organizations relying on NVD for full visibility may need to look elsewhere to fill the gaps.