The National Institute of Standards and Technology (NIST) is making major changes to how it manages the National Vulnerability Database (NVD). Starting now, all CVEs published before January 1, 2018, will be marked as “Deferred.”
This means NIST will stop enriching or updating older CVEs unless they appear in the CISA Known Exploited Vulnerabilities (KEV) catalog. These Deferred CVEs will display a banner on their detail pages, clearly showing their new status. The change will roll out over several nights.
Why NIST Is Deferring Older CVEs
NIST explained the move as a way to show which CVE records are being prioritized. By flagging outdated entries, the agency hopes to bring more clarity to users who rely on the NVD for up-to-date vulnerability data.
While older CVEs are being deprioritized, NIST says it will still review update requests. If new, relevant information surfaces about any Deferred CVE, the agency may revise the record—resources permitting.
Soon after the announcement, the number of Deferred CVEs jumped to 20,000. That number could rise quickly. Security researcher Patrick Garrity noted that about one in three CVEs listed in the NVD are from before 2018. That’s nearly 100,000 entries.
Backlogs, Bottlenecks, and the Growing CVE Crisis
This shift isn’t random. NIST has faced growing delays in CVE analysis and enrichment. For over a year, the agency has been searching for ways to fix its backlog, even turning to outside help. It had hoped to clear the backlog by the end of fiscal year 2024. But due to problems with data import and processing, that didn’t happen.
Back in November, NIST said it was working on new systems to handle incoming data more efficiently. However, recent updates show the backlog has only grown. In fact, submissions went up by 32% last year. With even more expected this year, NIST is now looking at AI and machine learning to handle the surge.
A Strategic Pivot for the Cybersecurity Community
NIST’s decision signals a major pivot. Instead of spreading its efforts thin, the agency will now focus on new and actively exploited vulnerabilities. This could improve the overall quality and speed of updates for recent CVEs.
While the change may frustrate some researchers or teams relying on older CVE data, it reflects the harsh reality of limited resources and increasing threat volumes. By concentrating on today’s biggest risks, NIST aims to keep the cybersecurity community better informed and better protected.
