The National Institute of Standards and Technology has revised its approach to analyzing security vulnerabilities, prioritizing only those that appear in the Cybersecurity and Infrastructure Security Agency's known exploited vulnerabilities catalog, along with those affecting software used in the federal government and critical software. This shift in focus is a response to the overwhelming volume of vulnerabilities being discovered, which has become increasingly difficult for the agency to keep pace with. By narrowing its scope, NIST aims to ensure that the most critical vulnerabilities are addressed, particularly those that are being actively exploited by attackers. The National Vulnerability Database will now focus on these high-priority vulnerabilities, rather than attempting to analyze all reported defects [1]. This change in strategy matters to security practitioners, as it highlights the need to focus vulnerability management efforts on the most critical and exploited vulnerabilities, rather than trying to address every potential issue.
NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities
References
1. CyberScoop. (2026, April 15). NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities. CyberScoop. https://cyberscoop.com/nist-narrows-cve-analysis-nvd/
Original Source
CyberScoop