NIST does not assign CVE identifiers; it enriches them, and the NIST CVE data most teams rely on is the National Vulnerability Database, where each CVE gets a CVSS score, a CPE product mapping, and references, on top of the raw record. This distinction trips up a lot of people. The CVE program and the NVD are two different things run by two different organizations, and understanding the split explains both how vulnerability tooling works and why a 2024 slowdown at NIST rippled across the entire industry.
If you consume CVE NIST data in a scanner, a compliance report, or a risk register, this is what is actually behind that feed.
Who Does What: MITRE, CNAs, and NIST
A CVE (Common Vulnerabilities and Exposures) identifier is assigned by the CVE Program, which is coordinated by MITRE and funded by CISA. Assignment is delegated to CVE Numbering Authorities (CNAs), which are vendors and organizations authorized to issue CVE IDs for their own products. When a vulnerability is found in, say, a major open-source project, the project or its vendor as a CNA reserves and publishes a CVE record with a description and references. That is the raw CVE.
NIST's role begins after that. The National Vulnerability Database (NVD), operated by NIST, ingests published CVE records and performs analysis on them. That analysis is the value-add: NIST assigns a CVSS base score and vector, maps the vulnerability to affected products using CPE (Common Platform Enumeration) identifiers, and adds a curated set of references and weakness classifications (CWE). The CPE mapping is what lets a scanner say "this CVE affects the exact package and version you have installed," which is not something the raw CVE record reliably tells you.
So when someone says they pull "NIST CVE data," they almost always mean the enriched NVD record, not the underlying MITRE CVE entry. The enrichment is the product.
The 2024 Backlog Changed the Assumptions
For years, teams treated the NVD as an authoritative, timely source: publish a CVE, and shortly after, NIST would enrich it with a CVSS score and CPE mappings you could act on. In 2024 that assumption broke, publicly and at scale.
Around February 12, 2024, NIST dramatically slowed its enrichment of new CVEs. The backlog grew fast. By May 2024, reporting indicated that the large majority of newly published CVEs, well over ninety percent, were sitting unanalyzed, without the CVSS and CPE enrichment that downstream tools depend on. Even a substantial share of vulnerabilities on CISA's Known Exploited Vulnerabilities list were affected. NIST attributed the situation to a combination of factors including a surge in CVE volume and reduced capacity, with budget pressure cited as a contributor, and on May 29, 2024, it announced additional resources aimed at working through the backlog.
The concrete impact for practitioners: a CVE could be published and genuinely exploitable while its NVD entry lacked a CVSS score and had no CPE mapping. A tool relying solely on NVD enrichment to decide "does this affect me and how bad is it" would see a blank where the answer should be. Silence in the NVD stopped meaning "not serious" and started meaning "not yet analyzed," which are dangerously different.
What This Means for How You Consume CVE Data
The lesson is not to abandon the NVD; it remains a foundational and freely available source. The lesson is to stop treating it as your single source of truth and to build in redundancy.
Do not equate "no CVSS in the NVD" with "low risk." Where the NVD lacks a score, look for the CNA's own assessment, since many vendors include a preliminary CVSS score in the original CVE record, and for exploit signals such as presence on the CISA KEV catalog, which is a stronger prioritization input than a base score anyway.
Cross-reference multiple databases. The GitHub Advisory Database, OSV, vendor advisories, and language-ecosystem sources (PyPI, npm, RubyGems advisories) frequently carry version ranges and fix information faster than the NVD's CPE analysis lands. Modern tooling increasingly aggregates several of these rather than depending on one.
Prioritize on exploitability and reachability, not just the base score. A CVSS score describes theoretical severity in isolation. Whether a vulnerable function is actually reachable in your code, and whether an exploit exists in the wild, matters far more for what you fix first. The backlog made this shift necessary rather than merely advisable.
Where This Fits in Compliance
Frameworks that reference vulnerability management, from SOC 2 to the NIST frameworks themselves, expect a defined process for identifying, scoring, and remediating vulnerabilities within set timeframes. If that process implicitly assumes timely NVD enrichment, the 2024 experience is a reason to document your data sources explicitly and to define how you score and prioritize when the NVD entry is incomplete. Auditors increasingly understand that "we waited for NIST to assign a CVSS" is not a defensible remediation timeline.
Tooling helps here by decoupling your risk decisions from any single feed. An SCA platform such as Safeguard aggregates multiple advisory sources and layers reachability analysis on top, so a package with an as-yet-unenriched NVD entry is still flagged and prioritized on the evidence that exists. If you want to see how CVSS, KEV, and reachability combine into a prioritization model, our security academy works through building a defensible vulnerability-management process.
FAQ
Does NIST assign CVE IDs?
No. CVE identifiers are assigned by the CVE Program (coordinated by MITRE, funded by CISA) through CVE Numbering Authorities. NIST operates the National Vulnerability Database, which enriches already-assigned CVEs with CVSS scores, CPE product mappings, and weakness classifications.
What is the difference between a CVE and the NVD?
A CVE is the raw vulnerability identifier and description issued by a CNA. The NVD (NIST's database) is the enriched version of that record, adding a CVSS base score, CPE mappings to affected products, CWE classifications, and curated references.
What happened to the NVD in 2024?
Beginning around February 2024, NIST sharply slowed its enrichment of new CVEs, leaving the large majority of newly published vulnerabilities without CVSS scores or CPE mappings for months. NIST announced additional resources in May 2024 to address the backlog.
Should I rely only on NIST CVE data?
No longer safely. Treat the NVD as one foundational source but cross-reference the GitHub Advisory Database, OSV, and vendor advisories, and prioritize using exploitability signals like CISA KEV and reachability rather than waiting on NVD enrichment alone.