On April 15, NIST stopped routinely enriching most CVEs in the National Vulnerability Database. Going forward, analysts only enrich vulnerabilities that hit CISA's Known Exploited Vulnerabilities catalog, affect federal software, or touch critical software defined under Executive Order 14028. Roughly twenty-nine thousand backlogged CVEs moved to "Not Scheduled."
The trade press is calling this a funding story. It isn't. Funding is the symptom. The disease is that the world let one US federal agency hold something critical to the entire internet, and nobody planned for the day the political winds moved. The winds always move. We pretended cybersecurity infrastructure was the exception.
We've seen this movie before
Look at what political shifts have done across US institutions. The National Endowment for the Arts. The Kennedy Center, one of the greatest performance venues in the US, now living through political restructuring. The National Parks, watching budgets swing administration to administration. PBS and NPR, facing the permanent possibility of defunding every appropriations cycle.
None of that is new. It's the baseline assumption for any public institution in the US. Cybersecurity leadership decided the NVD would be the exception. It was always going to be the Kennedy Center with a CVSS score attached. We just hoped the spotlight would stay elsewhere.
The water treatment plant we never built
Imagine a city that never built its own water treatment plant because the neighboring town let it hook into theirs for free. The water was clean and reliable. Year over year the city added housing, industry, and hospitals drawing from the neighbor's pipe. Nobody built redundancy because the pipe was fine.
Then the neighboring town elected a new mayor who wants to cut the pipe. The city has no backup, no treatment plant, no trained operators, no plan.
That's the NVD. The city is global vulnerability management. The pipe is CVE enrichment. We had thirty years to build our own plant and didn't, because theirs worked and ours felt like a duplicate cost.
The commercial replacement is a trap
The vendors are already in your inbox. Several scanner vendors have been building their own enrichment feeds for years and are ready for this moment. Credit where it's earned. Commercial enrichment is a fine short-term answer. It's a bad permanent one.
A commercial gate is still a gate, even when it starts open. Early access is generous, pricing is reasonable, then the acquisition happens, the revenue model matures, or the CFO asks why the enterprise tier isn't protected better, and the terms change. Researchers get rate-limited. Smaller vendors get locked out of integrations. The thing everyone relied on becomes the thing only paying customers can rely on.
Uncle Sam owned the data and could poison it with politics. A vendor will own the data and can poison it with pricing. Different failure modes. Same outcome.
Three paths worth arguing about
This is where I stop prescribing and start asking. There are three candidate paths for who should actually hold this infrastructure, and the industry has not had the argument out loud yet.
Path one: MITRE spins out. MITRE already holds the CVE program, is mission-aligned, and has the institutional knowledge to run modern enrichment. The move is to spin MITRE out of its US FFRDC structure into an independent international non-profit, diversify funding across governments and industry, and commit to an open API with transparent governance. The risk is credibility. Critics outside the US will reasonably ask whether a spin-out is really independent or just a rebrand.
Path two: the EU leads. The EU Cyber Resilience Act, GDPR, and a decade of privacy and security leadership give the EU both the mandate and the institutional muscle. An EU-led custodian, open to the world, wouldn't have to argue for independence. It would have to earn trust with the non-EU world, which is a well-understood problem. The risk is scope. Europe has its own political winds, budget cycles, and regulatory priorities that may not align with global vulnerability research in the long run.
Path three: a genuinely new international non-profit. Charter explicitly multi-jurisdictional. Governance deliberately anti-capture. Funding diversified across governments, industry, and foundations, with no single source exceeding a threshold. MITRE is a founding partner but not the host. The EU contributes but doesn't own. This is the slowest path. It's also the most durable if anyone can stand it up.
I have a preference. I'm not sharing it here, because I don't want this piece to be the reason the industry lands on one path versus another. I want the argument to happen.
The uncomfortable truth
We built the global vulnerability management ecosystem on top of a US federal agency because that agency was willing to do the work, and because free public infrastructure felt too good to question. Free public infrastructure is the best infrastructure when the public institution is stable. When it stops being stable, the cost of the assumption compounds fast. Every scanner vendor, every MSSP, every in-house program, and every open source security tool is absorbing that cost at the same time.
We built the broken system on purpose, collectively, because the alternative felt expensive. Now we get to pay for the alternative anyway, just later and with worse options.
To CISOs (short term)
Turn to your partner network. Ask the scanner vendor you trust, the MSSP you've worked with for five years, the peer CISO whose program you respect. Someone in your circle already has an enrichment answer that works, is cheap, and integrates with what you own. We are all in the same boat right now.
While you're doing that, stop relying on CVSS as your severity answer. Attack path context beats raw score, and it doesn't depend on whether NIST is scoring CVEs this week.
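One way to put that advice into practice, as an added example that is not from the original post: rank findings on context the defender already owns (CISA KEV membership, internet exposure, reachability from an exposed host, asset tier) and treat the CVSS score as an optional tie-breaker, so a CVE that NVD has left "Not Scheduled" still gets a usable priority instead of falling to the bottom for lack of a number. The field names, rank thresholds and the CVE-0000-* identifiers are assumptions constructed for illustration.

```python
"""Vulnerability triage that does not depend on NVD enrichment.

Added example, not the post's own tooling. Findings are ranked by
attack-path context first; CVSS only separates findings that have no
path context at all, and a missing score is handled explicitly.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    cve: str                      # placeholder IDs below, not real CVEs
    asset: str
    cvss: Optional[float]         # None when NVD has not enriched the CVE
    in_kev: bool                  # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_exposed: bool        # service reachable from outside the perimeter
    reachable_from_exposed: bool  # on an attack path from an internet-exposed host
    asset_tier: int               # 1 = crown jewels, 3 = low value (assumed scale)


def priority(f: Finding) -> Tuple[int, str]:
    """Return (rank, reason); lower rank means fix first."""
    if f.in_kev and (f.internet_exposed or f.reachable_from_exposed):
        return 1, "exploited in the wild and on an attack path"
    if f.in_kev:
        return 2, "exploited in the wild"
    if f.internet_exposed and f.asset_tier == 1:
        return 2, "internet-exposed crown-jewel asset"
    if f.internet_exposed or f.reachable_from_exposed:
        return 3, "on an attack path"
    # No path context: fall back to CVSS, and cope with it being absent.
    if f.cvss is None:
        return 4, "no NVD score and no path context; schedule for manual review"
    if f.cvss >= 9.0:
        return 3, "critical CVSS but not currently reachable"
    return 4, "low context; patch in the normal cycle"


def triage(findings: List[Finding]) -> List[Tuple[str, str, int, str]]:
    """Sort by rank, then asset tier, then CVE id for a stable work queue."""
    ranked = sorted(findings, key=lambda f: (priority(f)[0], f.asset_tier, f.cve))
    return [(f.cve, f.asset, *priority(f)) for f in ranked]


# Constructed sample findings (placeholder CVE ids and hostnames).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-01", None, True, True, False, 2),
    Finding("CVE-0000-0002", "db-prod-07", 9.8, False, False, False, 1),
    Finding("CVE-0000-0003", "hr-portal", None, False, True, False, 1),
    Finding("CVE-0000-0004", "dev-laptop-33", None, False, False, False, 3),
    Finding("CVE-0000-0005", "file-srv-02", 7.5, False, False, True, 2),
]

if __name__ == "__main__":
    for cve, asset, rank, reason in triage(SAMPLE_FINDINGS):
        print(f"P{rank}  {cve:14} {asset:14} {reason}")
```

Note that the unscored VPN gateway finding lands at the top because it is in KEV and exposed, while the 9.8 database finding ranks below an unscored internet-facing portal: the queue is driven by what an attacker can reach, not by whether NIST published a number this week.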
To CISOs (long term)
Push. Every industry conversation, every board meeting, every vendor call. Ask out loud: who should own this? What governance model keeps the data open through political cycles and acquisition cycles? Make the absence of an answer the uncomfortable fact in the room. Industry coalitions get built when enough leaders keep saying the same thing in the same rooms. Start saying it.
To industry
Pick one of the three paths and argue for it openly. If you favor a MITRE spin-out, fund the feasibility work. If you favor an EU-led custodian, build the transatlantic coalition. If you favor a new international non-profit, put a founding donor check in front of a working group. What does not work is waiting. The market fills vacuums quietly, and it fills them with pricing power rather than open access.
The bottom line
The NVD isn't under-funded. It's a broken system. The work is still essential. The infrastructure that supported it was always politically contingent, and we pretended it wasn't. Three paths are on the table. All of them are cheaper than spending the next decade rebuilding private enrichment pipelines behind commercial gates and calling it progress.
Argue about the path. Pick one. Fund it. Stop pretending that water treatment is someone else's problem.
Sources
- NIST: Updates to NVD operations to address record CVE growth
- Help Net Security: NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs