NIST adds CISA SSVC data to NVD starting June 17
With full enrichment capped at 15 to 20 percent of new CVEs, the exploitation-status data landing June 17 covers a fraction of what assessors actually need to triage.
TL;DR
NIST will surface Stakeholder-Specific Vulnerability Categorization data from CISA in the National Vulnerability Database on June 17, adding exploitation status and safety-impact signals alongside existing CVSS scores. The addition follows NIST's April 15 decision to limit full enrichment to CVEs in the Known Exploited Vulnerabilities catalog, federal software, and "critical software" under a Biden-era executive order (roughly 15 to 20 percent of new CVEs). Assessors and patch managers at contractors, MSPs, and state agencies relying on NVD for remediation decisions will still face gaps on the remaining 80 to 85 percent and will need external intelligence platforms to cover them.
NIST announced May 28 that SSVC data from CISA, designated as an Authorized Data Publisher, will appear in NVD records beginning June 17. The Stakeholder-Specific Vulnerability Categorization system, developed by CISA and Carnegie Mellon's Software Engineering Institute in 2019, drives the Known Exploited Vulnerabilities catalog. It accounts for a vulnerability's exploitation status, safety impacts, and product prevalence in a single categorical assessment, a richer signal than a CVSS numeric score alone for deciding what gets patched first.
The timing follows a structural decision NIST made on April 15: under a new risk-based prioritization model, full NVD enrichment applies only to CVEs already in the KEV catalog, software used by the federal government, and "critical software" as defined by Executive Order 14028. That scope covers an estimated 15 to 20 percent of new CVEs. The SSVC data landing June 17 is directly tied to that same prioritized tier, which means the enrichment expansion and the enrichment ceiling arrive as a package.
What practitioners need to account for
For assessors and patch managers who have used NVD as a primary intake, the practical shift is this: the June 17 update improves signal quality on the vulnerabilities NIST has already decided to cover; it does nothing to expand coverage of the other 80 to 85 percent. Contractors under CMMC, MSPs supporting federal clients, and state agencies running GovRAMP or TX-RAMP programs that depend on NVD for framework-aligned vulnerability management will need to reconcile NVD records against external feeds (CISA's KEV catalog directly, commercial vulnerability intelligence platforms, or both) to avoid misallocating remediation resources on the uncovered tail.
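The reconciliation step described above, as an added worked example that is not part of the original article and not NIST or CISA tooling: it takes a batch of NVD records, checks each against a KEV membership set, orders them for remediation (KEV-listed first, then by SSVC exploitation status, then by CVSS score), and flags the CVEs for which NVD carries no signal at all, so they can be routed to an external intelligence source. The record field names, the CVE identifiers and the KEV set are all constructed placeholders, not the real NVD schema or catalog contents.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class NvdRecord:
    """Minimal stand-in for an NVD entry; field names are assumptions, not NVD's schema."""
    cve_id: str
    cvss_base: Optional[float]        # None: NIST has not enriched this CVE with a CVSS score
    ssvc_exploitation: Optional[str]  # "active" / "poc" / "none"; None: no SSVC data attached


# Constructed KEV membership for the example; the real catalog is published by CISA.
KEV_IDS: FrozenSet[str] = frozenset({"CVE-0000-1001", "CVE-0000-1003"})

# Constructed records; the identifiers are placeholders, not real CVEs.
SAMPLE_RECORDS: List[NvdRecord] = [
    NvdRecord("CVE-0000-1001", 9.8, "active"),   # KEV-listed, CVSS and SSVC both present
    NvdRecord("CVE-0000-1002", 7.5, None),       # enriched (in-scope tier), no SSVC data yet
    NvdRecord("CVE-0000-1003", None, "active"),  # KEV-listed, SSVC present, CVSS analysis pending
    NvdRecord("CVE-0000-1004", None, None),      # the uncovered tail: nothing to go on in NVD
    NvdRecord("CVE-0000-1005", None, None),
]

# Lower rank sorts earlier; unknown status sorts after every known one.
EXPLOITATION_RANK = {"active": 0, "poc": 1, "none": 2}


def coverage(rec: NvdRecord, kev_ids: FrozenSet[str]) -> str:
    """Where the remediation signal for this CVE comes from.

    "kev": CISA lists it as exploited, use the catalog directly.
    "nvd": NVD carries a CVSS score and/or SSVC data.
    "external": NVD has nothing; a commercial or other feed must fill the gap.
    """
    if rec.cve_id in kev_ids:
        return "kev"
    if rec.cvss_base is not None or rec.ssvc_exploitation is not None:
        return "nvd"
    return "external"


def priority_key(rec: NvdRecord, kev_ids: FrozenSet[str]) -> Tuple[int, int, float, str]:
    """KEV first, then SSVC exploitation status, then CVSS descending, then ID for stability."""
    in_kev = 0 if rec.cve_id in kev_ids else 1
    exploitation = EXPLOITATION_RANK.get(rec.ssvc_exploitation or "", 3)
    score = -(rec.cvss_base or 0.0)
    return (in_kev, exploitation, score, rec.cve_id)


def triage(records: Iterable[NvdRecord], kev_ids: FrozenSet[str]) -> List[Tuple[str, str]]:
    """Ordered (cve_id, coverage) pairs: work the top of the list first."""
    ordered = sorted(records, key=lambda r: priority_key(r, kev_ids))
    return [(r.cve_id, coverage(r, kev_ids)) for r in ordered]


def uncovered(records: Iterable[NvdRecord], kev_ids: FrozenSet[str]) -> List[str]:
    """CVE IDs that must be resolved against an external feed before any decision is made."""
    return [r.cve_id for r in records if coverage(r, kev_ids) == "external"]


def coverage_gap(records: List[NvdRecord], kev_ids: FrozenSet[str]) -> float:
    """Fraction of the batch on which NVD (plus KEV) gives no signal; 0.0 for an empty batch."""
    if not records:
        return 0.0
    return len(uncovered(records, kev_ids)) / len(records)


if __name__ == "__main__":
    for cve_id, source in triage(SAMPLE_RECORDS, KEV_IDS):
        print(f"{cve_id}  source={source}")
    print(f"uncovered: {uncovered(SAMPLE_RECORDS, KEV_IDS)}")
    print(f"gap: {coverage_gap(SAMPLE_RECORDS, KEV_IDS):.0%}")
```

The ordering deliberately puts a KEV-listed CVE with no CVSS score ahead of a fully scored CVE that is not in KEV, which is the point of the SSVC data: exploitation status outranks a numeric severity. The `coverage_gap` figure is the number to watch in a real batch; on the sample it is 40 percent, and on an unfiltered NVD intake the article's 80 to 85 percent estimate is what to expect.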
CISA and the Office of the National Cyber Director are separately weighing a reduction in the agency patching window for KEV-listed vulnerabilities from 14 days to 3 days, according to media reports, a change driven by evidence that median time-to-exploitation has compressed to days. The June 17 SSVC integration makes NVD more useful precisely for the CVEs that would be subject to that shorter window. For everything outside that tier, the gap persists.
NIST is hosting a June 22 workshop on potential updates to CVSS application for hardware systems in the NVD. No funding announcement or timeline for expanding enrichment capacity beyond the current threshold has been published.
Deep Fathom