NIST has modified its National Vulnerability Database enrichment policy, now prioritizing vulnerabilities with known attacker behavior signals as of April 15, 2026. This change means that only CVEs found in the CISA Known Exploited Vulnerabilities catalog, federal government software, or critical software under Executive Order 14028 will be enriched with relevant details such as CVSS scores and affected product mappings. All other vulnerabilities will be labeled as "Lowest Priority", lacking essential information for risk assessment. With NIST enriching approximately 42,000 CVEs in 2025 and a significant increase in submissions in early 2026, industry estimates suggest that only 15-20% of anticipated CVE volume will fall under the prioritized categories1. This shift in policy has significant implications for vulnerability management, making it crucial for teams to reassess their compliance strategies and prioritize vulnerabilities based on attacker behavior signals, so what matters most to practitioners is the need to adapt their vulnerability assessment and prioritization processes to align with the new NIST enrichment policy.