NIST’s National Vulnerability Database Cutbacks
4–20–2026 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, April 20, 2026. For posterity, the War in Iran continues, despite both a deal and a blockade and maybe now not a deal but definitely a blockade. It’s complicated.
We’re going to pick up on some other news from the Federal government that has some direct bearing on your ability to secure your infrastructure.
NIST’s National Vulnerability Database Cutbacks
In an announcement made by NIST - the National Institute of Standards and Technology - last week, they said they’re changing the way they handle security vulnerabilities.
In short, because they’ve got too many cybersecurity vulnerabilities and exposures (CVEs) to address, they’re only going to add details to (or “enrich”) those CVEs that appear on CISA’s Known Exploited Vulnerabilities catalog, are for software used within the Federal government, or are for critical software as defined by Executive Order 14028.
Put another way, they’re going to look out for the things that impact them, and maybe if we’re also impacted, we can benefit.
Now, to be fair to them, the volume increases they’re looking at are significant - up 263% between 2020 and 2025, and submissions during Q1 of 2026 are up by one-third compared to 2025.
As we’ve been talking about on this show, the pace hasn’t gone bananas yet, but it will soon.
Security professionals - and NIST themselves - are already warning that this means “stuff will get missed.”
Some security teams have already moved beyond using CVEs to triage their own environments, but for those of you who leverage criticality as a way to prioritize effort, doing that without CVEs is going to be a lot harder.
The great challenge remains prioritization, and threat modeling leaders are offering advice that essentially echoes the “assume breach” approach for building layers of security, but now assuming that breach all the way down to the binary level.
All of this comes on the back of funding limbo for CISA and the entire NVD program more broadly, where the latest proposed budget included an additional $707M cut.
So, where does this leave you? Less well resourced, for sure. The time to build basic security capabilities into your environment (think segmentation, least privilege, role-based access control, rapid patching capabilities, etc.) is now. It’s never going to be easier or cheaper to build these functions. Even as AI provides security teams with longer levers, the complexity of modern environments will still leave defenders playing from their back foot.
Fundraising
From a fundraising perspective, we have another strong week, including more than $20B in newly committed capital, led by Accel, who raised $4B for its fifth late-stage fund, plus $650M for a sidecar fund.
We’ll likely cross that $100B mark for April by next week, and you can see the themes even in Accel’s announcement, focusing on late-stage companies and a sidecar fund, allowing them to operate privately for longer. Perhaps the best (least worst?) choice now is to find a way to weather the macro storm?
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth
https://www.darkreading.com/threat-intelligence/nist-cutbacks-nvd-handling-impacts-cyber-teams
https://shostack.org/blog/vuln-finding-inflection/
https://www.afcea.org/signal-media/us-administration-proposes-707-million-cut-cisa-programs