NIST Pauses Enrichment for Pre-2018 CVEs: A Strategic Reset or a Risky Omission?


In a pivotal shift that could reshape how cybersecurity teams prioritize vulnerabilities, the National Institute of Standards and Technology (NIST) has announced it will deprioritize enrichment of all Common Vulnerabilities and Exposures (CVEs) published before January 1, 2018. Enrichment refers to the process of adding detailed metadata to each CVE, such as severity scores, impact analysis, detailed descriptions, and affected software or systems.

It’s a bold move aimed at optimizing limited resources and addressing the growing backlog of new CVEs. But it also raises concerns about visibility into older vulnerabilities, many of which still pose risks in industries that struggle with legacy infrastructure and delayed patch cycles.

What Does “Deferred” Really Mean?

These legacy entries will now be marked as “Deferred” in the National Vulnerability Database (NVD). This means that, by default, they will no longer receive additional analysis unless they appear on CISA’s Known Exploited Vulnerabilities (KEV) list.

It’s important to note that these CVEs aren’t deleted or hidden. Instead, they remain searchable in the NVD and will be marked with a banner noting their Deferred status. The rollout is being done incrementally over several nights, ensuring users aren’t blindsided by the change.

Additionally, NIST is not closing the door completely on pre-2018 CVEs. Enrichment will still occur if a CVE appears on the CISA KEV catalog, signaling active exploitation, a community member submits a quality enrichment request, or if NIST’s internal triage teams identify a critical need.

While NIST’s shift may seem alarming, there are still positive ways of viewing the change. “While it may be concerning to see older CVEs – especially those with prominent vulnerabilities – now being triaged to a lower priority, the reality is that the CVE remains in the NVD,” commented Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck. “For practical purposes, this event should be a call to action for product security incident response teams (PSIRT) to both inventory all software and then triage all vulnerabilities with a Deferred status.”

Why NIST Is Making This Shift

The move is largely a response to mounting pressure on the NVD. In recent years, the volume of newly published CVEs has skyrocketed, and NIST has faced criticism for slow processing times and inconsistent enrichment.

“In many ways, NIST’s decision is an expected evolution in response to the growing number of vulnerabilities,” said Ken Dunham, Cyber Threat Director, Qualys Threat Research Unit. “Today, most organizations have hundreds to thousands of apps and associated patches across legacy, cloud, and mobile infrastructure with various dependencies.”

This strategy also dovetails with CISA’s KEV list, which has become a de facto standard for organizations seeking to triage vulnerabilities based on real-world exploitability. Now, by deprioritizing older, lower-priority items, NIST is freeing up capacity to focus on today’s most urgent threats: zero-days, software supply chain issues, and high-impact vulnerabilities that are actively exploited in the wild.

The Trade-Off: Clarity vs. Coverage

There’s logic behind NIST’s decision to defer enrichment of pre-2018 CVEs. Security teams now have a clear signal about which vulnerabilities will no longer receive detailed updates, helping them redirect resources to more urgent threats.

The move also brings vulnerability management in line with today’s risk landscape – favoring real-world exploits over theoretical exposure – and pushes organizations to rely more heavily on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

But the shift comes with trade-offs. Thousands of older CVEs still pose risks, especially in sectors like healthcare, industrial control systems (ICS), and government, where legacy systems remain common. Smaller organizations without modern patching infrastructure may find these deferred vulnerabilities far from obsolete.

Threat actors, too, often favor old, overlooked flaws. By putting these CVEs on the back burner, NIST risks creating blind spots, particularly for vendors and open-source maintainers who depend on NVD data to track and secure aging software still in active use.

“Ultimately, the decision is a calculated trade-off,” said Jason Soroko, Senior Fellow at Sectigo. “It minimizes noise and boosts focus but leaves risk mitigation for legacy systems squarely in the hands of individual organizations.”

The Rise of KEV – and the Community’s New Role

The increasing prominence of the CISA KEV catalog signals a broader trend: the decentralization of vulnerability prioritization. NIST’s move places more weight on third parties, like CISA, to determine what’s important. It also encourages the broader cybersecurity community – researchers, vendors, and even IT admins – to submit enrichment requests when a Deferred CVE proves relevant.

In other words, the responsibility for maintaining awareness of legacy threats is now shared, not centralized. NIST will continue to be a steward of the database, but it’s no longer the only voice in deciding which CVEs get attention.

What This Means for Security Teams and Vendors

Security professionals and vendors will need to adapt:

  • Revisit vulnerability management tools to ensure they’re not relying solely on NVD data for prioritization.
  • Incorporate additional enrichment sources, whether commercial threat intelligence platforms or open-source initiatives like VulnCheck or OSV.
  • Keep an eye on legacy systems, even if those CVEs are now marked Deferred. They’re still out there – and still exploitable.

This shift also underscores the need for greater automation and context in vulnerability workflows. With fewer enriched records from NIST, teams must find new ways to assess exploitability and impact using their own telemetry or threat feeds.
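As an added illustration, not from the article or from any of the vendors quoted in it, the recommendations above turned into a small triage routine in Python: KEV entries first, then Deferred CVEs that are actually present in the organization’s own inventory. The record layout, the status values and the placeholder CVE ids and hostnames are constructed assumptions, not the NVD API’s format.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# NIST's stated boundary: CVEs published before this date are deferred.
DEFER_CUTOFF = date(2018, 1, 1)

@dataclass
class CveRecord:
    """Simplified, constructed record; field names are assumptions, not NVD API output."""
    cve_id: str
    published: date
    nvd_status: str                 # "Analyzed" or "Deferred" (assumed simplification)
    in_kev: bool                    # listed in CISA's KEV catalog
    cvss: Optional[float]           # None when NVD never assigned a score
    assets: List[str] = field(default_factory=list)  # hosts from our own inventory

def triage(rec: CveRecord) -> str:
    """Map one record to an action, following the article's rules."""
    if rec.in_kev:
        # KEV entries stay enriched and signal active exploitation: patch first.
        return "patch-now"
    deferred = rec.nvd_status == "Deferred" or rec.published < DEFER_CUTOFF
    if not deferred:
        return "nvd-enriched"       # NIST still analyses these; normal workflow applies
    if not rec.assets:
        return "monitor"            # deferred, but not present in our estate
    if rec.cvss is None:
        # Deferred, present on our systems, never scored: candidate for a
        # community enrichment request; assess it ourselves in the meantime.
        return "request-enrichment"
    return "self-assess"            # deferred but scored: rely on own telemetry/threat feeds

def triage_inventory(records: List[CveRecord]) -> Dict[str, List[str]]:
    """Group CVE ids by action, most urgent bucket first."""
    order = ["patch-now", "request-enrichment", "self-assess", "nvd-enriched", "monitor"]
    buckets: Dict[str, List[str]] = {k: [] for k in order}
    for rec in records:
        buckets[triage(rec)].append(rec.cve_id)
    return buckets

# Constructed sample inventory (placeholder CVE ids and hostnames, not real data).
SAMPLE = [
    CveRecord("CVE-2017-SAMPLE-1", date(2017, 3, 1), "Deferred", True, 9.8, ["hmi-01"]),
    CveRecord("CVE-2016-SAMPLE-2", date(2016, 6, 1), "Deferred", False, None, ["plc-gw-07"]),
    CveRecord("CVE-2015-SAMPLE-3", date(2015, 1, 10), "Deferred", False, 7.5, ["ehr-db-02"]),
    CveRecord("CVE-2014-SAMPLE-4", date(2014, 9, 5), "Deferred", False, 5.0),
    CveRecord("CVE-2024-SAMPLE-5", date(2024, 2, 20), "Analyzed", False, 8.1, ["web-01"]),
]

if __name__ == "__main__":
    for action, ids in triage_inventory(SAMPLE).items():
        print(f"{action:>19}: {', '.join(ids) or '-'}")
```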

A Sign of the Times

NIST’s decision marks a shift in how the cybersecurity world is adapting to a growing flood of threats. Rather than trying to cover every known vulnerability, the focus is now on the most serious risks – especially the ones that are actively being exploited. It’s also a sign that NIST is leaning more on the broader security community to help share the work of tracking and updating older vulnerabilities.

This is a realistic move in today’s fast-moving threat landscape, where new attacks appear faster than even the best security teams can respond to them. But with that shift comes a trade-off. Some vulnerabilities will fall through the cracks, and it’s up to organizations to watch for those. Just because an issue is old doesn’t mean it’s no longer dangerous – it might just be overlooked.

Author
  • Contributing Writer
    Jason Rasmuson is a Massachusetts-based writer with more than 25 years of experience writing for the technology and cybersecurity industries. He is passionate about writing about the interaction between business…