What NIST’s CVE Shift Means for ERP Security Teams

Sign at the National Institute of Standards and Technology (NIST) campus, highlighting the agency behind CVE and NVD vulnerability standards.

Key Takeaways

NIST is limiting CVE enrichment, reducing standardized vulnerability context in the NVD.

ERP security teams will face less consistent risk signals when prioritizing vulnerabilities.

Vulnerability management is shifting toward vendor intelligence and system-specific context.

The National Institute of Standards and Technology (NIST) is changing how Common Vulnerabilities and Exposures (CVEs) are enriched in the National Vulnerability Database (NVD) in response to rising vulnerability volumes.

The shift to a prioritized enrichment model means many CVEs will no longer include the detailed context and Common Vulnerability Scoring System (CVSS) data that vulnerability management programs use to assess risk.

In ERP environments, that change reduces consistency in risk signals for security teams and increases reliance on vendor guidance and system-specific context.

What Changed in NIST’s CVE Enrichment Model

NIST is shifting the NVD to a more selective approach.

The agency will focus detailed analysis on CVEs in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, as well as vulnerabilities tied to software used by the federal government and other critical systems.

All CVEs will still be listed in the NVD, but not all will receive the same level of detail. Lower-priority entries may appear without full analysis, including severity scores or clear mappings to affected products. That gap will change how teams manage risk.

Robert Holland, Vice President and Research Director at SAPinsider, said security professionals “rely on information in CVE descriptions to understand and prioritize vulnerabilities.” He explained that the new approach may mean very few reported CVEs will ever be enriched. Without that context, prioritization becomes less consistent.

NIST is also stepping back from routinely assigning its own severity scores when a score already exists from the CVE issuer (CVE Numbering Authority, or CNA). That reduces duplicate work but places more weight on vendor- or submitter-provided data.

Analysis

What This Means for ERP Insiders

Risk prioritization becomes less standardized. Security teams must reconcile inconsistent scoring and enrichment across sources, increasing dependence on internal validation and governance models to maintain decision accuracy.

How Rising CVE Volumes Forced a Change in Enrichment

NIST said CVE submissions increased 263% between 2020 and 2025, with submissions in early 2026 running nearly one-third higher than the same period the prior year.

The increase reflects several factors. Vulnerability discovery has expanded, including automated and AI-assisted tools that surface more issues. Participation in the CVE ecosystem has also grown, with more CNAs issuing identifiers, alongside a rising volume of software and components that can generate flaws.

The agency increased output to match. It enriched nearly 42,000 CVEs in 2025, more than any previous year. But that pace was still not enough to keep up with incoming volume. The NVD team has remained relatively small even as vulnerability reporting accelerated, leaving tens of thousands of CVEs without full analysis.

Backlogs persisted as submissions continued to rise. Capacity has not kept pace with demand. Now that pressure is shifting to enterprise security teams.

“While NIST has struggled to manage the CVE enrichment backlog, the shift to focusing on vulnerabilities with the widest impact will force many organizations to find other sources of information,” Holland said.

Analysis

What This Means for ERP Insiders

Vulnerability triage shifts from central to enterprise control. Organizations must build internal prioritization models as CVE growth outpaces centralized enrichment capacity and standardization.

The Impact on SAP Security Teams

The change has direct implications for ERP security programs. Enterprise environments are typically business-critical, highly integrated, and dependent on accurate vulnerability context to guide patching and risk decisions.

Security teams that depend on NVD enrichment will face gaps in vulnerability detail. After NIST’s decision, that detail will not always be available. As a result, teams may not have enough information to assess risk or decide what to fix first.

That increases reliance on vendor-provided context. ERP vendor patches and advisories, as well as other supplier data, become more important sources of information, alongside exploitability signals and internal system knowledge.

It also changes how teams monitor risk. Checking the NVD alone is no longer sufficient. Security teams will need to combine multiple sources to build a complete view of vulnerability impact across their SAP landscape.

Analysis

What This Means for ERP Insiders

ERP vulnerability management becomes context engineering. Teams must formalize how system roles, exposure paths, and business processes shape exploitability beyond external data.
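As an added illustration (not from the article, NIST or SAPinsider), here is one way a team could encode the fallback logic this section describes for records in the shape of NVD API 2.0 CVE objects: prefer NIST's Primary CVSS metric, fall back to a CNA-supplied Secondary metric, and let KEV membership and internal system exposure decide the tier when no score exists. The sample records, CVE IDs, KEV set and asset map are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed samples shaped like NVD API 2.0 "cve" objects; IDs are placeholders.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
     "configurations": [{"nodes": []}]},
    {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
     "metrics": {"cvssMetricV31": [{"source": "cna@example.com", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}},
    {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}},
]
KEV_IDS = {"CVE-0000-0003"}                       # constructed stand-in for CISA KEV
ERP_EXPOSED = {"CVE-0000-0002", "CVE-0000-0003"}  # constructed internal asset map

@dataclass
class Triage:
    cve_id: str
    score: "float | None"
    score_source: str                  # "nvd" (NIST Primary), "cna", or "none"
    gaps: list = field(default_factory=list)
    tier: str = "review"               # needs manual work before it can be ranked

def triage(cve, kev_ids=KEV_IDS, erp_exposed=ERP_EXPOSED):
    # Prefer the NIST-assigned (Primary) score; fall back to the CNA's own.
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    primary = [m for m in metrics if m.get("type") == "Primary"]
    secondary = [m for m in metrics if m.get("type") == "Secondary"]
    score, src = None, "none"
    if primary:
        score, src = primary[0]["cvssData"]["baseScore"], "nvd"
    elif secondary:
        score, src = secondary[0]["cvssData"]["baseScore"], "cna"
    t = Triage(cve["id"], score, src)
    if src != "nvd":
        t.gaps.append("no NVD severity score")
    if not cve.get("configurations"):
        t.gaps.append("no affected-product mapping")
    # KEV membership plus internal exposure outranks any score; an exposed
    # system with no score at all is treated as high rather than ignored.
    if t.cve_id in kev_ids and t.cve_id in erp_exposed:
        t.tier = "urgent"
    elif t.cve_id in erp_exposed and (score is None or score >= 7.0):
        t.tier = "high"
    elif score is not None and score >= 9.0:
        t.tier = "high"
    return t

def triage_all(cves):
    return {t.cve_id: t for t in (triage(c) for c in cves)}
```

The `gaps` list records which enrichment the NVD did not supply, so reviewers can see which decisions rested on CNA data or internal context rather than on NIST analysis.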

About Us

ERP Today covers how ERP, cloud, and AI change the way businesses run. Our editors speak with practitioners, vendors, and analysts to surface the technology, contracts, and risks that matter for enterprise leaders.

Alongside our newsroom coverage, we run in‑person summits where ERP leaders compare notes on programs like yours, and a research practice that turns reporting like this into organization‑specific briefings and content.

SAPinsider first published a version of this article on April 24, 2026.