NIST has formalized a prioritized enrichment model for the National Vulnerability Database (NVD), meaning most CVEs will no longer receive CVSS scores, CPE mappings, or CWE classifications. Only CVEs in CISA's KEV catalog, those affecting federal government software, and those under EO 14028 'critical software' will get full enrichment. This shift formalizes a two-year drift and has significant implications for container security programs that rely on NVD as their primary vulnerability intelligence source. The post explains how compliance frameworks (FedRAMP, PCI-DSS 4.0, NIST SP 800-53) are affected, how CPE gaps propagate through container image layers, and what questions to ask image vendors. Docker Scout and Docker Hardened Images are presented as solutions that aggregate 22 advisory sources and use PURLs instead of CPE for package matching, reducing dependence on NVD enrichment.

7 min read. From docker.com
Table of contents

What changed
The NIST volumes behind the decision
How it lands in compliance
The gap that is relevant to the container ecosystem
Questions worth putting to image vendors
Where Docker sits
What to reassess
Sources and further reading
