NIST NARROWS VULNERABILITY DATABASE FOCUS

NIST's decision marks a substantial change in how the agency manages its vulnerability analysis workload. The database will now concentrate on CVEs listed in CISA's known exploited catalog and vulnerabilities affecting federal government systems. The funding lapse in 2024 created a substantial backlog that exceeded the agency's capacity to analyze all reported vulnerabilities. Rather than process submissions across the board, NIST is implementing a triage approach focused on threats with the highest impact and immediate risk. Critical software vulnerabilities—those affecting widely-used systems—remain the primary focus. Vulnerabilities already documented as exploited in the wild by CISA take precedence, reflecting the real-world threat landscape. The shift acknowledges resource constraints while maintaining focus on vulnerabilities posing the greatest risk to organizations and government infrastructure. NIST continues accepting submissions for all vulnerability types, though analysis timelines for lower-priority entries may extend significantly.