The NVD Realignment: Why Selective Enrichment is a Reality Check for Exposure Management

The “NVD Crisis” has reached its logical conclusion: the National Institute of Standards and Technology (NIST) is officially tapping out on universal enrichment.
For the uninitiated — or those who haven’t been doom-scrolling security social media — the National Vulnerability Database (NVD) is shifting to a “selective enrichment” model. Translation: they are no longer going to hold our hands and tell us the severity, weakness type, and affected product for every single CVE that hits the wire.
The industry reaction has been predictably hyperbolic, ranging from “the sky is falling” to “I didn’t trust CVE scores anyway.” But if we’re being honest with ourselves (a rarity in cybersecurity marketing), this realignment is both a long-overdue reality check and a glaring spotlight on how broken our prioritization habits have become.
The “Not a Problem” Part: Generic Risk is a Lie
Let’s start with the hard truth: The volume of vulnerabilities was already unmanageable. With CVE counts jumping over 25% year-over-year, NIST’s manual analysis was never going to scale unless the industry started recruiting half the country into the “Federal Department of CVSS Scoring.”
But more importantly, a generic CVE score was never the panacea many pretended it was. Many security teams spent a decade treating a CVSS 9.8 as a universal mandate for action. In reality, that “Critical” score didn’t know whether the vulnerable library was sitting on an air-gapped legacy server in an organization’s utility closet or on a public-facing web server. It didn’t know whether the network had compensating controls in place, or even whether the vulnerable system was on any path to a mission-critical one.
Context and environment have never correlated with a centralized score. By relying solely on NVD enrichment, security teams weren’t “managing risk”; they were outsourcing critical thinking to a list that was the “easy button” for when the CEO came asking for assurances that the latest breach wouldn’t affect our organization.
The “Problem” Part: Security Isn’t Just for the Feds
Under the new system, NIST is prioritizing enrichment for three specific use cases:
- Vulnerabilities already in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
- Software used within the U.S. federal government.
- “Critical software” as defined by Executive Order 14028.
This is great news if you happen to be the Department of Energy. It’s less great if you’re a mid-sized fintech or a healthcare provider with a niche (but vital) tech stack. The “visibility gap” is real. Even if a CVE score wasn’t perfect, it was at least a starting point, a “You Are Here” sign to kick off additional and individual analysis. Now, for a huge swathe of the software ecosystem, we’re just getting the CVE ID and well wishes for a peaceful weekend/holiday/vacation.
The LLM Factor: More Noise, More Bias
Having already recognized the vulnerability research bottleneck and the problem of scores that don’t apply to a given environment, AI / LLM providers are promising to handle both the discovery and the enrichment of reported vulnerabilities and exposures. With vetted security teams staffed by expert prompt writers, these orgs can find and analyze the backlog faster than humans. This is, to a certain degree, an improvement over handcrafted analysis.
The result, however? The vulnerability backlog won’t get smaller. AI-driven discovery is going to flood the gates with even more vulnerabilities, while “proprietary enrichment” will introduce more bias. If one vendor’s AI thinks a bug is a 7.0 and another thinks it’s a 9.0, we’re back to square one, only now with more hallucinated edge cases to argue about.
Practically, the outcome is going to be a tsunami of newly discovered CVEs with active exploits that may not be scored by NVD but may be scored by an LLM. The LLMs’ scores will be just as subjective as CVSS scores, so SecOps and security teams will now be responsible for assessing them. That adds another layer of work for individual companies already struggling to manage their attack surface and analyze their exposure.
The Elephant in the Room: CVEs ≠ Total Risk
Here is the hill many security practitioners would have died on, even before the latest announcement: Even if NIST enriched every CVE within five minutes of discovery, organizations would still be at risk.
CVEs only cover software, firmware, and hardware flaws. They don’t account for misconfigured S3 buckets, missing MFA, over-privileged service accounts, or the fact that an organization’s proprietary code will rarely (if ever) make it to the NVD for analysis.
Vulnerabilities are just one flavor of exposure. Focusing purely on CVEs is like obsessing over the quality of a front door lock while leaving all the windows open and the spare key under the mat.
What to Do Next: From Vulnerability Management to Exposure Management
For CISOs and security engineers, the NVD realignment is a permission slip to stop playing “CVE Whac-A-Mole.” Here is how to actually move forward:
- Stop waiting for the NVD. Accept that enrichment is now your organization’s job. Teams need to pull data from vendor-specific feeds, CISA KEV, and EPSS (Exploit Prediction Scoring System) to understand what actually matters.
- Adopt “Control-First” logic. Instead of asking, “Is this software vulnerable?” ask, “Is our defensive posture capable of stopping the exploit?” If the business has runtime protection or robust identity controls that mitigate the flaw, the “Critical” CVE becomes a “when we have time” task.
- Embrace Exposure Management. Security programs must move beyond the bug-hunting mindset. This is where a platform like Nagomi can be essential, shifting SecOps teams’ woes over missing CVSS scores to a holistic focus on Exposure Management.
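As an added illustration of the first two steps above (not code from the original post or from Nagomi), here is a small Python triage routine that tiers findings by KEV membership, EPSS probability and local context rather than waiting for a CVSS score; the CVE IDs, the EPSS threshold and the asset attributes are constructed assumptions.

```python
"""Context-aware CVE triage that does not depend on NVD enrichment.
Constructed example: the CVE IDs, EPSS values and asset attributes are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Finding:
    cve: str
    cvss: Optional[float]   # None when NVD has not enriched the CVE
    epss: float             # EPSS probability of exploitation in the next 30 days
    internet_facing: bool   # asset reachable from untrusted networks
    mitigated: bool         # a verified control (WAF, runtime protection, MFA) breaks the exploit path

TIERS = ("backlog", "soon", "now")
EPSS_THRESHOLD = 0.10       # assumed cut-off; tune to your own risk appetite

def triage(f: Finding, kev: Set[str]) -> str:
    """Assign one of TIERS from exploitation evidence plus local context.
    KEV membership or a high EPSS score outranks the generic CVSS number, so a
    CVE that never got scored can still be triaged; a verified compensating
    control drops the finding one tier ("control-first" logic)."""
    likely_exploited = f.cve in kev or f.epss >= EPSS_THRESHOLD
    severe = f.cvss is not None and f.cvss >= 9.0
    if likely_exploited and f.internet_facing:
        tier = 2
    elif likely_exploited or severe:
        tier = 1
    else:
        tier = 0
    if f.mitigated and tier > 0:
        tier -= 1
    return TIERS[tier]

def triage_all(findings: List[Finding], kev: Set[str]) -> Dict[str, str]:
    """Map every CVE ID in the inventory to its tier."""
    return {f.cve: triage(f, kev) for f in findings}

# Constructed sample inventory and KEV excerpt (not real data).
KEV_SAMPLE = {"CVE-2099-0001"}
FINDINGS = [
    Finding("CVE-2099-0001", None, 0.42, True, False),    # unscored by NVD, in KEV, exposed
    Finding("CVE-2099-0002", 9.8, 0.01, False, False),    # "Critical" score, no exploitation signal
    Finding("CVE-2099-0003", 9.8, 0.02, True, True),      # "Critical" but blocked by a deployed control
    Finding("CVE-2099-0004", None, 0.003, False, False),  # unscored, quiet, internal
]

if __name__ == "__main__":
    for cve, tier in triage_all(FINDINGS, KEV_SAMPLE).items():
        print(f"{cve}: {tier}")
```

Note that the unscored KEV entry lands at the top while the two CVSS 9.8 findings do not, which is the point of the realignment: the score was never the signal that mattered most.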
Rather than listing CVEs (even with a “proprietary risk score,” like many startups offer), Nagomi analyzes seams in enforcement to map customers’ existing security controls against actual threats faced in unique environments. It’s not about finding more problems; it’s about proving which ones are actually reachable and exploitable given the controls deployed and policies implemented.
How Security Should Assess Risk Now
Ultimately, the NVD’s “great realignment” is the wake-up call we’ve been ignoring for a long time. The real frontier isn’t a better list of bugs; it’s exposure management. While vulnerability management has trapped security teams in a cycle of “find bug, patch bug, repeat,” exposure management flips the script by focusing on the small percentage of attack paths that lead to critical systems and data.
The benefits of exposure management aren’t theoretical: According to Gartner, organizations that prioritize security investments through a continuous exposure management program are predicted to be three times less likely to suffer a breach. Instead of drowning in a sea of generic, context-free CVEs, exposure management gives CISOs a better way to validate existing controls, fix misconfigurations and identity gaps, and unveil shadow IT that scanners won’t detect.
The NVD’s shift is a long-overdue reality check: busyness doesn’t equal security. Exposure management is the pragmatic approach, prioritizing what makes an organization truly exploitable over context-free noise. The NVD just signaled the end of the “check-the-box” era; if you’re ready to stop chasing lists and start closing the doors that have been left wide open for SecOps stacks, schedule a demo.