Damfinos

How to Adapt Your Container Security Program to NIST's New NVD Enrichment Model

Published 2026-05-14 05:10:12 · Cybersecurity

Introduction

On April 15, NIST announced a prioritized enrichment model for the National Vulnerability Database (NVD). While most CVEs will still be published, fewer will receive the comprehensive CVSS scores, CPE mappings, and CWE classifications that container scanners and compliance programs have historically depended on. This change formalizes a trend visible over the past two years, and it directly impacts how container security teams prioritize vulnerabilities, set SLAs, and automate scanning decisions. If your program assumed NVD would always be the authoritative secondary layer for CVE enrichment, now is the time for a structured reassessment. This guide provides actionable steps to update your container security workflow accordingly.

How to Adapt Your Container Security Program to NIST's New NVD Enrichment Model
Source: www.docker.com

What You Need

  • Current inventory of container images and base OS layers used in your environment
  • Access to NVD API or feeds (or a third-party vulnerability database that aggregates NVD data)
  • List of CVEs affecting your containers (from your scanner, SBOM, or CVE sources)
  • Container vulnerability scanner that supports policy-based prioritization (e.g., Trivy, Grype, Snyk, or commercial tools)
  • Basic understanding of CVSS, CPE, and CWE—enough to know what enrichment looks like
  • Contact email for NVD enrichment requests: nvd@nist.gov (if needed)

Step-by-Step Guide

  1. Step 1: Audit your current CVE enrichment reliance

    First, map how your container security program uses NVD fields. Review your scanner’s prioritization logic: does it weight CVSS scores heavily? Does it rely on CPE for matching or CWE for categorization? Look at your SIEM rules or alerting—are any thresholds based on CVSS base scores? Document every place where enrichment data directly influences decisions (e.g., “ignore CVSS < 7.0” or “require CPE match to trigger fix”). This audit reveals which automations will break when enrichment is missing.

  2. Step 2: Identify which CVEs in your backlog lose enrichment

    Fetch your current set of CVEs (from your scanner, SBOM, or watchlist). Cross-reference each CVE against NIST’s new enrichment criteria: only CVEs in the CISA Known Exploited Vulnerabilities (KEV) catalog, those affecting federal government software, and those in critical software as defined under Executive Order 14028 will receive full enrichment. All others go to “Not Scheduled.” For unenriched CVEs, check whether the original CVE Numbering Authority (CNA) supplied a CVSS score in the record; in the NVD API it appears as a metric whose source is the CNA rather than nvd@nist.gov, and NIST no longer duplicates it under its own name. Decide based on which fields are actually present rather than on the status string alone, since status vocabularies have changed over time. Make a list of CVEs that are now missing a NIST CVSS score, CPE mapping, or CWE classification. This is your “enrichment gap” list.

  3. Step 3: Adjust scanner policies to handle missing fields

    Most container scanners allow custom policies or severity overrides. For each finding that lacks a NIST CVSS score, decide a fallback: use the CNA-provided score if one exists, otherwise assign a default medium or high severity according to your risk appetite, and record which basis was used so reviewers can tell a measured score from a policy default. If your scanner cannot handle missing fields, enrich CVEs from other sources (such as VulnDB or OSV) before importing. For CPE mappings, switch to package-based matching using SPDX or CycloneDX SBOMs instead; Trivy and Grype already match OS and language packages by name and version against distribution advisories and ecosystem databases such as OSV and GitHub Security Advisories, so check which matcher your tool actually relies on before assuming a CPE dependency. Update your CI/CD pipeline rules so they do not fail a build or auto-remediate based solely on NVD enrichment.
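The audit, gap-identification and fallback steps above, as an added example that is not part of the original article or of any scanner's own code: a Python check over records in the NVD API 2.0 response format that decides, from the fields actually present rather than from `vulnStatus`, whether NIST itself supplied the CVSS score, CPE configuration and CWE, and what fallback severity a scanner policy should use. The sample records are constructed and abbreviated; CVE-2021-44228 stands in for a fully enriched entry, the CVE-2099-* identifiers are hypothetical placeholders, and the `DEFAULT_SEVERITY` value and the “Not Scheduled” status string (taken from the article) are assumptions.

```python
"""Enrichment-gap check over NVD API 2.0 records (added example, see lead-in).

Input is a response body in the shape returned by
https://services.nvd.nist.gov/rest/json/cves/2.0 . For each CVE the check
reports which NIST-supplied fields are present and which fallback severity a
scanner policy should use when NIST's own CVSS score is missing.
"""
import json

NIST_SOURCE = "nvd@nist.gov"
DEFAULT_SEVERITY = "HIGH"  # assumption: fallback when neither NIST nor the CNA scored the CVE

# Constructed sample payload, abbreviated to the fields this check reads.
# CVE-2021-44228 stands in for a fully enriched record; the CVE-2099-* IDs are
# hypothetical placeholders; the "Not Scheduled" status string follows the article.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {
        "id": "CVE-2021-44228", "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": NIST_SOURCE, "type": "Primary",
             "cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}},
            {"source": "security@apache.org", "type": "Secondary",
             "cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}}]},
        "weaknesses": [{"source": NIST_SOURCE, "type": "Primary",
                        "description": [{"lang": "en", "value": "CWE-502"}]}],
        "configurations": [{"nodes": [{"operator": "OR", "negate": False,
            "cpeMatch": [{"vulnerable": True,
                          "criteria": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {  # CNA scored it, NIST did not: no CPE configuration, no NIST CWE
        "id": "CVE-2099-10001", "vulnStatus": "Not Scheduled",
        "metrics": {"cvssMetricV31": [
            {"source": "cna@example.org", "type": "Secondary",
             "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
        "weaknesses": [{"source": "cna@example.org", "type": "Secondary",
                        "description": [{"lang": "en", "value": "CWE-79"}]}]}},
    {"cve": {  # nobody scored it: the policy default applies
        "id": "CVE-2099-10002", "vulnStatus": "Not Scheduled", "metrics": {}}},
]})


def _cvss_entries(cve):
    """Yield every CVSS entry regardless of version key (cvssMetricV40/V31/V30/V2)."""
    for key, entries in cve.get("metrics", {}).items():
        if key.startswith("cvssMetric"):
            yield from entries


def _base_severity(entry):
    """v3/v4 carry baseSeverity inside cvssData; v2 records carry it on the entry."""
    return entry.get("cvssData", {}).get("baseSeverity") or entry.get("baseSeverity")


def enrichment_gap(cve):
    """Classify one `cve` object by the fields it actually carries.
    vulnStatus is deliberately ignored: it is informational and its vocabulary
    has changed over time, whereas missing fields are what break scanner policy."""
    nist_cvss = [m for m in _cvss_entries(cve) if m.get("source") == NIST_SOURCE]
    cna_cvss = [m for m in _cvss_entries(cve) if m.get("source") != NIST_SOURCE]
    has_cpe = any(node.get("cpeMatch")
                  for cfg in cve.get("configurations", [])
                  for node in cfg.get("nodes", []))
    nist_cwe = [d.get("value") for w in cve.get("weaknesses", [])
                if w.get("source") == NIST_SOURCE
                for d in w.get("description", [])]
    if nist_cvss:
        severity, basis = _base_severity(nist_cvss[0]), "nist"
    elif cna_cvss:
        severity, basis = _base_severity(cna_cvss[0]), "cna"
    else:
        severity, basis = DEFAULT_SEVERITY, "policy-default"
    entry = {"id": cve["id"], "nist_cvss": bool(nist_cvss), "cna_cvss": bool(cna_cvss),
             "cpe": has_cpe, "nist_cwe": bool(nist_cwe),
             "severity": severity, "severity_basis": basis}
    # Fields a CVSS/CPE/CWE-driven policy will find missing for this record.
    entry["gap"] = [f for f in ("nist_cvss", "cpe", "nist_cwe") if not entry[f]]
    return entry


def enrichment_gap_report(nvd_json_text):
    """Parse an NVD 2.0 response body and return one gap entry per CVE."""
    data = json.loads(nvd_json_text)
    return [enrichment_gap(item["cve"]) for item in data.get("vulnerabilities", [])]


if __name__ == "__main__":
    for e in enrichment_gap_report(SAMPLE_NVD_RESPONSE):
        print(f'{e["id"]}: severity={e["severity"]} ({e["severity_basis"]}), '
              f'missing={", ".join(e["gap"]) or "none"}')
```

To run it against live data, feed `enrichment_gap_report` the body of a request to the NVD API endpoint listed under the tips (for a single record, the `cveId` query parameter selects it). The `severity_basis` field is what you carry into scanner overrides and SLA reports, so a policy default is never mistaken for a measured score.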

  4. Step 4: Prioritize using alternative data points

    With less NVD enrichment, shift prioritization to real-world exploit activity. Integrate feeds from CISA KEV, Exploit-DB, or threat intelligence platforms. Weight CVEs based on:

    • Presence in the CISA KEV catalog (highest priority)
    • Active exploitation reported in open-source or commercial feeds
    • Reachability analysis (can the vulnerability be triggered in your container?)
    • Severity derived from CNAs or from tools like VulnCheck
    Set SLA timelines accordingly: fix KEV-listed CVEs within 24–48 hours, others based on environment context.
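The weighting and SLA assignment in Step 4, as an added example (not the article's or any vendor's code): a Python ranker that gives each finding a tier and a fix-by date from CISA KEV membership, EPSS probability, reachability and whatever severity the scanner could derive. The KEV and EPSS feeds are constructed samples in the shape of the real CISA KEV JSON and FIRST EPSS API responses; the findings, the hypothetical CVE-2099-* identifiers, the 10% EPSS threshold and the SLA table are assumptions (the 48-hour and 7-day values follow the article, the 30- and 90-day tiers are added here).

```python
"""Exploit-driven prioritization of container findings (added example, see lead-in).

Ranks scanner findings without relying on NVD enrichment: CISA KEV membership
first, then exploit evidence (EPSS or an external feed), then severity plus
reachability, and assigns a fix-by date per tier.
"""
from datetime import date, timedelta

# Policy knobs (assumptions for this example; align with your SLA document).
EPSS_ACTIVE_THRESHOLD = 0.10  # >= 10% 30-day exploitation probability counts as exploit evidence
SLA = {
    "P1": timedelta(days=2),   # KEV-listed: the article's 24-48 hours
    "P2": timedelta(days=7),   # active exploit evidence: 7 days
    "P3": timedelta(days=30),  # critical/high and possibly reachable, no exploit evidence
    "P4": timedelta(days=90),  # everything else: scheduled backlog
}

# Constructed sample feeds in the shape of the real documents: the CISA KEV JSON
# (vulnerabilities[].cveID / dueDate) and the FIRST EPSS API (data[].cve / epss).
KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-2021-44228", "dueDate": "2021-12-24"}]}
EPSS_FEED = {"data": [
    {"cve": "CVE-2021-44228", "epss": "0.97", "percentile": "1.00"},
    {"cve": "CVE-2099-10001", "epss": "0.31", "percentile": "0.96"},
    {"cve": "CVE-2099-10002", "epss": "0.004", "percentile": "0.60"},
]}

# Constructed scanner findings with hypothetical CVE-2099-* IDs. `severity` is whatever
# the scanner could derive (CNA score or policy default); `reachable` is the result of
# reachability analysis, None when no analysis ran.
FINDINGS = [
    {"cve": "CVE-2021-44228", "image": "app:1.4", "severity": "CRITICAL", "reachable": False},
    {"cve": "CVE-2099-10001", "image": "app:1.4", "severity": "HIGH", "reachable": True},
    {"cve": "CVE-2099-10002", "image": "app:1.4", "severity": "HIGH", "reachable": False},
    {"cve": "CVE-2099-10003", "image": "base:12", "severity": "MEDIUM", "reachable": None},
]


def load_kev(feed):
    """Map CVE ID -> CISA due date for every KEV entry."""
    return {v["cveID"]: v.get("dueDate") for v in feed["vulnerabilities"]}


def load_epss(feed):
    """Map CVE ID -> EPSS probability (the API serialises the number as a string)."""
    return {row["cve"]: float(row["epss"]) for row in feed["data"]}


def assign_tier(finding, kev, epss, exploited_elsewhere=frozenset()):
    """Return (tier, reason). KEV wins even when reachability analysis says 'not
    reachable': that analysis has its own false negatives, and KEV is an external
    mandate. Unknown reachability (None) is treated as reachable, failing closed."""
    cve = finding["cve"]
    score = epss.get(cve, 0.0)
    if cve in kev:
        return "P1", f"listed in CISA KEV (CISA due date {kev[cve]})"
    if cve in exploited_elsewhere or score >= EPSS_ACTIVE_THRESHOLD:
        return "P2", f"exploit evidence (EPSS {score:.2f})"
    if finding["severity"] in ("CRITICAL", "HIGH") and finding["reachable"] is not False:
        return "P3", f"{finding['severity'].lower()} severity, reachable={finding['reachable']}"
    return "P4", "no exploit evidence and (not reachable or below high severity)"


def prioritize(findings, kev_feed=KEV_FEED, epss_feed=EPSS_FEED,
               exploited_elsewhere=frozenset(), today=None):
    """Rank findings by tier, then by EPSS within a tier; `today` is an ISO date string."""
    start = date.fromisoformat(today) if today else date.today()
    kev, epss = load_kev(kev_feed), load_epss(epss_feed)
    ranked = []
    for f in findings:
        tier, reason = assign_tier(f, kev, epss, exploited_elsewhere)
        ranked.append({**f, "tier": tier, "reason": reason,
                       "epss": epss.get(f["cve"], 0.0),
                       "fix_by": (start + SLA[tier]).isoformat()})
    ranked.sort(key=lambda r: (r["tier"], -r["epss"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, today="2026-05-14"):
        print(f"{r['tier']} {r['cve']:<15} {r['image']:<9} fix_by={r['fix_by']}  {r['reason']}")
```

`exploited_elsewhere` is where evidence from Exploit-DB or a commercial threat-intelligence feed plugs in: any CVE ID in that set is promoted to P2 regardless of its EPSS score. Note that the sample deliberately marks the KEV-listed CVE as not reachable and still ranks it P1; if your policy lets reachability override KEV, make that an explicit, documented exception rather than the default.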

  5. Step 5: Request enrichment for critical CVEs not covered

    If you find a CVE that affects your containers and is critical but falls outside the enriched categories, you can request enrichment by emailing nvd@nist.gov. NIST provides no service-level timeline. For high-severity CVEs in your environment, run a manual assessment using other databases in parallel rather than waiting on the request. Keep a log of requests and escalate internally if needed. Use this step sparingly: only for vulnerabilities where risk is high and no alternative enrichment exists.

  6. Step 6: Update your SLAs and compliance documentation

    Review your security policies, especially those that reference NVD enrichment as a qualifying factor. For example, if your SLA says “fix all CVSS 9+ within 7 days,” change it to “fix all CVEs with active exploit evidence within 7 days.” Update contracts or audit checklists that assume NVD will provide full enrichment. Communicate changes to your compliance, GRC, and operations teams so they understand why scanner findings may appear incomplete.

  7. Step 7: Monitor NIST’s evolution and test quarterly

    NIST’s enrichment model may adapt. Subscribe to NVD announcements and re-run your enrichment gap audit every quarter. Also test your fallback policies: simulate a scenario where several critical CVEs lack NVD enrichment and verify that your scanners and processes still produce accurate priority lists. Consider using a third-party vulnerability database as a supplementary source to reduce dependence on NVD enrichment.

Tips for a Smooth Transition

  • Don’t abandon NVD entirely—it still publishes all CVEs and enriches the highest-risk ones. Use it alongside other sources.
  • Explore alternative enrichment feeds: OSV (Open Source Vulnerabilities) for open-source packages, VulnDB for commercial coverage, or NIST’s own CVE API at services.nvd.nist.gov/rest/json/cves/2.0 (with enrichment status).
  • Invest in reachability analysis—knowing if a vulnerable function is actually called in your container reduces noise.
  • Allow your scanning tool to override CNA-supplied CVSS scores where they conflict with your risk model, but record each override and its rationale rather than silently discarding the CNA’s assessment.
  • Communicate changes to developers: explain why some older CVEs may lose severity scores so they don’t ignore new findings.
  • Consider using a CVE-to-EPSS feed (Exploit Prediction Scoring System) to prioritize based on probability of exploitation, independent of NVD enrichment.

By systematically reassessing how your container security program relies on NVD enrichment, you can maintain effective vulnerability prioritization and compliance posture even as NIST narrows its scope. The key is to diversify data sources and shift from static CVSS-based gates to context-aware, exploit-driven decision-making.