Skip to content

Add Decision Table for NIST CVE enrichment #1210

Description

@ahouseholder

Describe the solution you'd like

NIST has a decision model embedded in their NIST Updates NVD Operations to Address Record CVE Growth post.

New Prioritization Criteria
Starting on April 15, 2026, we will prioritize the following CVEs for enrichment:
CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) Catalog
Our goal is to enrich these within one business day of receipt
CVEs for software used within the federal government
CVEs for critical software as defined by Executive Order 14028
All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as “Lowest Priority - not scheduled for immediate enrichment.” This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.
These criteria may not catch every potentially high-impact CVE. Therefore, users can request enrichment of any lowest priority CVEs by emailing us at nvd@nist.gov. We will review those requests and schedule the CVEs for enrichment as resources allow.
A full definition of critical software and a description of our new workflow, including how we will order our processing queue, is available on the NVD website.

The last link in that block includes:

NVD Scope of Coverage
NVD enrichment activities intend to address CVEs that have the greatest potential impact on the nation’s cybersecurity. The following CVEs are considered to be part of NVD’s Scope of Coverage:

  • CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
    • Within one business day of addition to the KEV Catalog
  • CVEs for software used within the federal government
  • CVEs for Critical Software as defined by Executive Order 14028

It goes on to clarify:

EO Order 14028 Critical software is defined as any software that has direct software dependencies (and one or more components with at least one of these attributes):

  • It is designed to run with elevated privilege or managed privileges
  • It has direct or privileged access to networking or computing resources
  • It is designed to control access to data or operational technology
  • It performs a critical function to trust, or it operates outside of normal trust boundaries with privileged access

What we want here:

Create an SSVC Decision Table from:

  • CISA:InKev
  • (new?) SW In use by USG
    • which namespace to use? nist or cisa?
    • do we make this a generic ssvc decision point for "sw in scope" and then make a nist refinement that fine tunes it into sw in use by USG? This seems like what the namespacing extensions were built for.
  • an extension of the Critical Software decision point to specifically make it EO 14028 relevant. I don't think we need to build a decision model for EO 14028 separately, although we could consider that as an add-on with four likely new binary decision points to match the EO criteria: "privileges: elevated"/"access:privileges"/"access control:data or OT"/"trust-critical" (we would need to design these. My suggestion would be that this issue only address the NIST decision table, and an EO 14028 decision table would spawn a separate issue.

Open questions include:

  • What is the outcome set? Is it just "enrich / don't enrich"? or "enrichment priority: low / high" or something more granular?

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions