NIST Will No Longer Prioritize CVEs Published Before 2018


The National Institute of Standards and Technology (NIST) has announced a major change to how older vulnerabilities are handled in the National Vulnerability Database (NVD). Moving forward, all Common Vulnerabilities and Exposures (CVEs) published before January 1, 2018, will be labeled as “deferred.”

This administrative update is part of NIST’s ongoing effort to manage the growing backlog of CVEs, streamline prioritization, and clarify which vulnerabilities are receiving active analysis and enrichment. The deferred status will be visible as a banner on each CVE’s detail page within the NVD in the coming days.

According to NIST, this update means they do not plan to prioritize enrichment or analysis for older CVEs due to their age. However, the agency made it clear that this doesn’t diminish the severity or risk posed by those vulnerabilities. It simply reflects a shift in how NIST allocates its limited resources.

“We will continue to accept and review requests to update the metadata provided for these CVE records,” NIST stated in its update. “If new information clearly supports an update to the enrichment data, we’ll prioritize it as time and resources allow.”

Why Is NIST Deferring Older CVEs?

The volume of known vulnerabilities has surged in recent years, with thousands still awaiting enrichment and deeper analysis. This sharp increase in unprocessed CVEs has forced NIST to rethink how it manages the growing dataset. The move to defer older vulnerabilities comes amid staffing cuts at the agency, which were initiated under the Trump administration and have impacted NIST’s ability to scale up its backlog-clearing efforts.

By shifting pre-2018 CVEs to deferred status, NIST aims to focus more energy on recent vulnerabilities that may present more immediate threats, especially those affecting widely deployed software and hardware systems.

Still, cybersecurity experts warn that organizations should not ignore deferred CVEs.

“This change does not reduce the risk or severity of these older vulnerabilities,” said Thomas Richards, infrastructure security practice director at Black Duck. “Organizations should continue to monitor and remediate any vulnerabilities in their environment, regardless of whether a CVE is active or deferred.”

What Does ‘Deferred’ Actually Mean?

In practical terms, a CVE marked as deferred may lack the full metadata and enrichment data normally found in the NVD. This could include missing exploit information, mitigation steps, severity ratings, or links to advisories. However, the CVE record will still remain publicly available.

Organizations that rely on the NVD for risk assessment and vulnerability management should take note of this change. While deferred CVEs may not be actively maintained by NIST, they still represent legitimate security issues that may remain unpatched in many environments.
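For teams that filter NVD data by severity, the practical risk is that a deferred record with no score falls below every threshold and disappears from the queue. The following triage sketch is an added example, not code from NIST or from this article; it assumes the NVD API 2.0 record layout (`vulnStatus`, `published`, `metrics[...][].cvssData.baseScore`), and the CVE IDs, the sample records and the 7.0 threshold are constructed for illustration.

```python
from datetime import date

CUTOFF = date(2018, 1, 1)  # publication cutoff stated in the article

def base_score(cve):
    """Highest CVSS base score across all metric versions, or None if unscored."""
    scores = [m["cvssData"]["baseScore"]
              for entries in cve.get("metrics", {}).values()
              for m in entries]
    return max(scores) if scores else None

def triage(records, min_score=7.0):
    """Map each CVE id to a decision; unscored records are never dropped."""
    result = {}
    for item in records:
        cve = item["cve"]
        score = base_score(cve)
        # "Legacy" = explicitly deferred, or old enough to fall under the policy.
        legacy = (cve.get("vulnStatus") == "Deferred"
                  or date.fromisoformat(cve["published"][:10]) < CUTOFF)
        if score is None:
            # Missing enrichment is not a score of zero: route to a human.
            decision = "review-unscored-legacy" if legacy else "review-unscored"
        elif score >= min_score:
            decision = "act"
        else:
            decision = "below-threshold"
        result[cve["id"]] = decision
    return result

# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE = [
    {"cve": {"id": "CVE-0000-0001", "published": "2017-03-14T12:00:00.000",
             "vulnStatus": "Deferred", "metrics": {}}},
    {"cve": {"id": "CVE-0000-0002", "published": "2016-08-02T09:30:00.000",
             "vulnStatus": "Deferred",
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-0003", "published": "2024-05-20T10:00:00.000",
             "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]}}},
    {"cve": {"id": "CVE-0000-0004", "published": "2025-01-10T08:00:00.000",
             "vulnStatus": "Awaiting Analysis"}},
]

if __name__ == "__main__":
    for cve_id, decision in triage(SAMPLE).items():
        print(cve_id, decision)
```

Records landing in either review bucket need a severity from another source, such as the vendor advisory, before they can be ranked.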

The update is expected to roll out across the NVD within the next several days.
