Pitch Black

Eight degradation vectors are striking NIST. Europe built its compliance on NIST standards, from the NVD to the CISSP. It is building alternatives on one level only. It has no system.
Pitch Black (2000) — When the light goes out, you need different eyes.

"You're not afraid of the dark, are you?" Europe navigates by the light of American standards. That light is going out.


On February 12, 2026, the Boulder Reporting Lab reported that the National Institute of Standards and Technology (NIST) was imposing a two-to-three-year cap on international doctoral and postdoctoral researchers at its Boulder (Colorado) and Gaithersburg (Maryland) campuses¹. Until then, researchers stayed as long as their thesis or project required. Under the new policy, experiments that have been running for years will have to stop before completion.

The news circulated in scientific circles. It barely registered in cybersecurity circles. It should have.

NIST operates the National Vulnerability Database on which the vulnerability management programs of nearly every Western organization depend. It standardized the post-quantum algorithms ML-KEM, ML-DSA and SLH-DSA that ANSSI, ENISA and BSI recommend for the cryptographic migration². Its Cybersecurity Framework is explicitly referenced in the Regulatory Technical Standards (RTS) of DORA and in the national transpositions of NIS2 in Italy, Ireland and Cyprus³. Its standards structure the CISSP body of knowledge, the certification mapped to six of the twelve roles in ENISA's European Cybersecurity Skills Framework⁴.

The empirical limits of MITRE's defensive frameworks are documented⁵: ATT&CK capped at 21% SIEM coverage, D3FEND built on a patent corpus with no measure of effectiveness. The question of federal funding on which ATT&CK depends and the question of what model replaces detect-and-respond converge here: toward the institution that produces the upstream standards.

The restriction on foreign researchers is the eighth in a series of eight vectors striking NIST simultaneously since January 2025. Taken individually, each is an administrative incident. Their convergence is a regime change.

The eight vectors

1. Leadership vacancy

NIST has had no Senate-confirmed director since January 2025. Laurie Locascio, who had overseen the launch of the AI Safety Institute, the finalization of post-quantum standards and the update of the Digital Identity Guidelines, left to lead ANSI⁶. Craig Burkhardt serves as Acting Director, an interim with no mandate for multi-year decisions on budget, recruitment or strategic direction⁷.

Arvind Raman, dean of engineering at Purdue, nominated by Trump in November 2025, was advanced by the Senate Commerce Committee in March 2026 in a party-line vote of 16-12⁸. Before Chairman Ted Cruz, Raman pledged to "reorient NIST to its apolitical mission and ensure that it does not serve as an engine for divisive left-wing ideology, even under the guise of 'safety'"⁹.

In parallel, CISA has had no confirmed director since January 2025. Sean Plankey, nominated in March 2025 then re-nominated in January 2026, withdrew his candidacy on April 22, 2026 after thirteen months of Senate blockage: "It has become clear the Senate will not confirm me"¹⁰. No successor has been announced. The agency has had three acting directors in over a year, its workforce has been cut by a third¹¹, and the administration is proposing further cuts in the FY2027 budget. NIST has operated without confirmed leadership for over a year, and CISA now has no candidate at all. The nominee set to lead NIST explicitly frames his mission as a continuation of the AISI → CAISI pivot.

2. DOGE layoffs

Seventy-three probationary employees at NIST were laid off on March 3, 2025 by the Department of Commerce. Forty-two of them had been hired under the CHIPS and Science Act of 2022 to strengthen capabilities in critical technologies (AI, quantum, semiconductors)¹². The initial threat covered 500 positions, roughly 15% of the total workforce of 3,400¹³. DOGE staff were spotted in Building 225 on the Gaithersburg campus, the building that houses the Information Technology Laboratory, before any official announcement¹⁴.

Twenty-two Democratic lawmakers summarized the stakes in a letter to Commerce Secretary Howard Lutnick: "Removing national and international leaders from the nonpartisan and professional civil service at NIST would hamper the development of critical standards, threaten industrial and consumer safety, and weaken American leadership around the world."¹⁵

3. Cybersecurity expert exodus

In May 2025, Cybersecurity Dive documented the departures of Matthew Scholl, head of the Computer Security Division (CSD) within the NIST Information Technology Lab; Tim Hall, head of the Security Testing, Validation and Measurements group; David Ferraiolo, head of the Secure Systems and Applications group; and David Cooper, a member of the cryptography team¹⁶.

A former NIST employee described the departures as "massive." Nick Reese, formerly of the Department of Homeland Security, warned that the research underpinning NIST's work on risk management and security "will suffer from a loss of critical institutional knowledge. This will not be easy to replace." On post-quantum cryptography, his assessment was direct: "the quantum issue will need new champions or risk falling to the backburner," an outcome that would threaten the security of enterprises and governments worldwide¹⁶.

4. Neutralization of the AI Safety Institute

In February 2025, AISI director Elizabeth Kelly announced her departure. Chief AI adviser Elham Tabassi and AI Risks and Impacts lead Reva Schwartz also left. AISI staff were not invited to the AI Action Summit in Paris. The United States and the United Kingdom refused to sign the final communiqué¹⁷.

Four months later, AISI was renamed the Center for AI Standards and Innovation (CAISI). Lutnick commented: "For far too long, censorship and regulations have been used under the guise of national security. Innovators will no longer be limited by these standards."¹⁸ The pivot was explicit. The institute meant to evaluate AI risks became an innovation accelerator.

JD Vance, at the Paris summit: "I'm not here this morning to talk about AI safety. I'm here to talk about AI opportunity."¹⁷

5. Attempted 43% budget cut

The Trump administration proposed cutting the NIST budget from $1.46 billion to $839 million, a 43% reduction. The breakdown: 35% cut to scientific and technical research, 82% to industrial technology services, 556 positions eliminated from Laboratory Programs¹⁹.

Faced with this proposal, Congress pushed back. Final FY2026 appropriations came in at $1.847 billion, 21% above FY24/25 levels¹⁹. But this bipartisan resistance rests on fragile ground: a significant share of the increase comes from earmarks directed at congressional districts rather than NIST operational programs, and a continuing resolution would restore the administration's discretion to allocate funds around the congressional vote.

6. Abandonment of universal NVD enrichment

In January 2026, Jon Boyens, acting chief of the Computer Security Division, stated that NIST was "reassessing its role" in software vulnerability analysis²⁰. He wanted to "stop using the word backlog" and expressed skepticism toward CISA's Vulnrichment project ("I don't think it's a solution to the backlog"²⁰) and concern about the European GCVE system, fearing a "balkanization" of the process. In April 2025, NIST had already marked "Deferred" all CVEs published before January 1, 2018²¹.

Three months later, the reassessment reached its conclusion. NIST announced on April 15, 2026 that it would stop enriching all CVEs submitted to the NVD²². Only three categories will now receive priority treatment: CVEs listed in CISA's KEV catalog (target: one business day), CVEs affecting software used by the U.S. federal government, and CVEs for critical software as defined by Executive Order 14028. Everything else will be published but classified as "Lowest Priority – not scheduled for immediate enrichment." The entire backlog prior to March 1, 2026 has been moved to "Not Scheduled." NIST will no longer provide an independent severity score when the submitting CNA has already assigned one²².

A few figures document the threshold: CVE submissions up 263% between 2020 and 2025. Up 33% in Q1 2026 alone compared to the same period in 2025. 42,000 CVEs enriched in 2025, an all-time record (+45% year-on-year), still insufficient to absorb the incoming flow. Harold Booth, NIST computer scientist, acknowledged it at VulnCon26: "Our ability to keep up is just not there"²³. The Forum of Incident Response and Security Teams (FIRST) forecasts approximately 59,000 new CVEs in 2026, the first time the 50,000 threshold will be crossed²³. At VulnCon26, an organizer estimated he "would be surprised if Anthropic and OpenAI were not CVE Numbering Authorities by the end of 2026"²⁴. The entry into production of AI-assisted vulnerability discovery tools will push submission volumes further beyond what NIST can absorb.

Explicitly US-centric, the three prioritization criteria transform the NVD. The NVD functioned as a global informational commons. It has become a service calibrated to the operational interests of the U.S. federal government. For European organizations that imported this data as the raw material of their vulnerability management programs, free, neutral, and exhaustive enrichment is over.

7. Near-extinction of the CVE program

MITRE warned on April 15, 2025 that the CVE program funding contract ($57.8 million annually²⁵) would expire the next day with no announced renewal. CISA exercised a last-minute contract option to extend for 11 months, through March 2026²⁶. MITRE had already lost 440 employees and $28 million in federal contracts canceled by the administration²⁷.

Created as an emergency measure, the CVE Foundation aims to decouple the program from its single funder. ENISA's EUVD and CIRCL Luxembourg's GCVE accelerated their launches²⁸. On January 21, 2026, the CVE Board was informed that there would be "no funding cliff in March" and that operations extended "well beyond that timeframe"²⁹. The arrangement is described as "more durable" but remains opaque: one board member calls it a "mystery contract," MITRE has refused to publish the agreement, and a FOIA request has gone unanswered. The program on which the planet's vulnerability policies depend is now funded without its own board knowing the terms of its funding.

8. Restriction of international researchers

Under the announced policy, international doctoral and postdoctoral researchers were to be capped at two years (one-year extension possible). NIST applied a risk matrix by country of origin. "High risk" countries (China, Russia, Iran, DPRK, Cuba, Venezuela, Syria) were to face review before March 31, 2026. "Medium risk" countries before September 30. "Low risk" countries, including G7 and Five Eyes members, before December 31, 2026, with agreements limited to two or three years¹.

The classification was telling. France, Germany and the United Kingdom were not "trusted." They were "low risk." The distinction belongs to a national security matrix, not the vocabulary of alliance. Before hiring an international researcher, lab directors had to demonstrate that no qualified American candidate was available¹.

On the Boulder campus, morale was described as "fragile." "There have been tears in the office"¹. Icarus Quantum, a NIST Boulder spin-off that had received $400,000 to develop quantum technologies, sought alternative facilities in California, Boston and Chicago³⁰.

On March 6, 2026, after three weeks of congressional and press pressure, Burkhardt sent an email to NIST staff: "There is no explicit ban on foreign national research associates from any country, nor any mandated time limit or cap for the length of an associate's potential tenure at NIST"³¹. The same email noted that "NIST is currently reviewing its research security protocols to ensure alignment with evolving laws and guidance" and that the rules "could change again." Restrictions on after-hours lab access remain in place³². The formal policy was withdrawn. The intent remains documented.

The topology of dependency

This series has documented the first two levels of European dependency on the American system. This article documents two more.

The first level is vulnerability data³³. The NVD processes CVEs, CISA KEV prioritizes exploited vulnerabilities. Europe imports this data as raw material for its vulnerability management programs. The documented problem: 85% dependency on American data. Since April 15, 2026, the problem has changed in nature: the NVD has formally restricted its enrichment to vulnerabilities deemed priority for the U.S. federal government. The dependency is no longer merely technical. It is now subject to a sovereign filter.

At the second level, the defensive grammar⁵. ATT&CK provides the threat taxonomy. D3FEND catalogs countermeasures. These frameworks structure how Western organizations think about attack and defense. The documented problem: survivorship bias, stagnant coverage, no measure of effectiveness.

NIST is the third level: normative production itself. The post-quantum standards (FIPS 203, 204, 205) that the world is adopting are NIST products, even though the underlying algorithms were designed by predominantly European teams. The Cybersecurity Framework is a NIST product: DORA's Regulatory Technical Standards, a binding European regulation for the entire financial sector, explicitly reference it alongside NIS2 and the ISO 27000 series³. Three national NIS2 transpositions cite it by name: Italy built its National Framework for Cybersecurity and Data Protection on it, Ireland and Cyprus reference it in their legislation³.

At the fourth level, the deepest: training. The CISSP is the highest-paying cybersecurity certification in EMEA, recognized as Master's equivalent by UK NARIC, and mapped to six of the twelve roles in ENISA's European Cybersecurity Skills Framework⁴. Its Domain 1 (Security and Risk Management, 16% of the exam score) explicitly tests "Security control frameworks" and "Risk frameworks" including NIST³⁴. The European professionals who design architectures, write risk policies and operate SOCs were trained on a body of knowledge in which NIST is a central pillar. The dependency goes beyond tools and data. It is in the minds that operate the defense.

The difference between the four levels is qualitative. At the first, degradation has changed in nature: what was a passive enrichment backlog became, in April 2026, an active restriction scoped to American sovereign criteria. At the second, the limits run deep: the frameworks do what they can given the biases built into their construction methods. At the third, degradation is active and deliberate. NIST is not suffering from a lack of resources. It is subject to a deliberate policy of reduction, reorientation and closure. At the fourth, the dependency is invisible: it is perceived as universal knowledge, not as a dependency.

Budget increase voted by Congress. Researchers fired by the administration. Congress funds research. The administration renames the AI safety institute as an innovation center. Congress maintains the Manufacturing Extension Partnership. The administration tries to eliminate it. The tension between legislative and executive branches runs through NIST end to end. The experts who leave do not come back.

What is emerging

Europe has begun building alternatives, but they cover only one of the four documented dependency levels: vulnerability data.

The EUVD (European Vulnerability Database), launched in beta by ENISA in May 2025, positions itself as the European equivalent of the NVD. It uses its own identifiers, enriches CVEs with additional metadata, and offers three specialized views: critical vulnerabilities, actively exploited vulnerabilities, and vulnerabilities coordinated by European CSIRTs³⁵. The Cyber Resilience Act will make notification of actively exploited vulnerabilities mandatory from September 2026.

Launched in January 2026 by CIRCL Luxembourg, the GCVE (Global CVE Allocation System) adopts a decentralized model with 25+ public sources and European infrastructure. The system allows GCVE Numbering Authorities (GNA) to allocate and publish identifiers independently, without centralized approval³⁶.

These initiatives address a real need. But the limits are documented. VulnCheck's analysis of the EUVD shows that the main API does not return 50,000+ CVEs that exist on the website³⁷. The EUVD remains in beta. The GCVE is a few months old. Neither has the 450+ CNA network, the commercial security tool integration, or the 25 years of global standardization inertia that the American system has built.
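The integration gap is concrete: a pipeline that ingests the NVD, the EUVD and the GCVE sees three identifier namespaces for the same vulnerability. As an added illustration of what a tool vendor would have to ship, and not code from ENISA, CIRCL or the CVE program, here is a normalizer that parses the three formats and collapses them onto one key per vulnerability. It assumes the shapes CVE-<year>-<number>, EUVD-<year>-<number> and GCVE-<GNA>-<year>-<number>, that GNA 0 in GCVE designates the CVE program (so GCVE-0-2025-0001 names CVE-2025-0001), and that records from the European sources may carry an `aliases` list naming their CVE; the record layout and the records themselves are constructed for the example.

```python
"""Normalize vulnerability identifiers across the CVE, EUVD and GCVE namespaces.

Added example, not code from ENISA, CIRCL, MITRE or the article. Assumed formats:
  CVE-<year>-<4+ digits>            CVE program convention
  EUVD-<year>-<digits>              as shown in the EUVD reference
  GCVE-<gna>-<year>-<digits>        GNA 0 is assumed to be the CVE program
Records are dicts with an "id" and an optional "aliases" list (constructed layout).
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
EUVD_RE = re.compile(r"^EUVD-(\d{4})-(\d+)$")
GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d+)$")
RANK = {"CVE": 0, "GCVE": 1, "EUVD": 2}   # which key names a merged cluster


def parse_id(raw):
    """Return (namespace, gna, year, number_as_string); raise on unknown formats."""
    s = raw.strip().upper()
    if m := CVE_RE.match(s):
        return ("CVE", None, int(m[1]), m[2])
    if m := EUVD_RE.match(s):
        return ("EUVD", None, int(m[1]), m[2])
    if m := GCVE_RE.match(s):
        return ("GCVE", int(m[1]), int(m[2]), m[3])
    raise ValueError(f"unrecognized vulnerability identifier: {raw!r}")


def canonical(raw):
    """Key a pipeline should deduplicate on.

    GCVE-0-Y-N is the same vulnerability as CVE-Y-N, so it collapses onto the CVE
    key. Any other namespace keeps its own key: no cross-namespace guessing."""
    ns, gna, year, num = parse_id(raw)
    if ns == "CVE" or (ns == "GCVE" and gna == 0):
        return f"CVE-{year}-{int(num):04d}"
    if ns == "GCVE":
        return f"GCVE-{gna}-{year}-{num}"
    return f"EUVD-{year}-{num}"


def merge_sources(records):
    """Group records from several databases into one cluster per vulnerability.

    Aliases are followed, so an EUVD record that names its CVE joins the CVE
    cluster. Identifiers in unknown namespaces (e.g. a vendor advisory ID) are
    left out rather than guessed at. Returns {cluster_key: sorted identifiers}."""
    parent = {}

    def find(k):
        parent.setdefault(k, k)
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra == rb:
            return
        if RANK[rb.split("-")[0]] < RANK[ra.split("-")[0]]:
            ra, rb = rb, ra        # the best-ranked namespace names the cluster
        parent[rb] = ra

    members = defaultdict(set)
    for rec in records:
        keys = []
        for ident in [rec["id"], *rec.get("aliases", [])]:
            try:
                key = canonical(ident)
            except ValueError:
                continue           # unknown namespace: ignored, not guessed
            keys.append(key)
            members[key].add(ident.strip().upper())
        for key in keys[1:]:
            union(keys[0], key)
    clusters = defaultdict(set)
    for key, ids in members.items():
        clusters[find(key)] |= ids
    return {k: sorted(v) for k, v in clusters.items()}


SAMPLE = [   # constructed records, not real advisories
    {"source": "NVD", "id": "CVE-2025-0001"},
    {"source": "EUVD", "id": "EUVD-2025-4242", "aliases": ["CVE-2025-0001"]},
    {"source": "GCVE", "id": "GCVE-0-2025-0001"},           # GNA 0: the CVE program
    {"source": "GCVE", "id": "GCVE-1-2025-0007"},           # GNA 1 only, no CVE yet
    {"source": "EUVD", "id": "EUVD-2025-5000", "aliases": ["GCVE-1-2025-0007"]},
    {"source": "vendor", "id": "VENDOR-SA-2025-01", "aliases": ["CVE-2025-0001"]},
]

if __name__ == "__main__":
    for key, ids in merge_sources(SAMPLE).items():
        print(key, "<-", ", ".join(ids))
```

The vendor advisory in the sample joins the CVE cluster through its alias but its own identifier is not kept, which is the conservative choice: the crosswalk only asserts equivalences that a source has stated.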

Europe does not lack initiatives. The EUCC has been certifying products since February 2025, some forty CRA standards are under development at CEN, CENELEC and ETSI, and CEN/CENELEC has created a mirror group for post-quantum cryptography. But where NIST produces an integrated architecture (data, frameworks, cryptographic standards and training that cross-reference each other), Europe disperses its efforts among ENISA, CEN/CENELEC, ETSI, CIRCL and national agencies with no overarching architecture. No European governance framework replaces the CSF that DORA and three NIS2 transpositions continue to reference. No training corpus substitutes for NIST in the certifications mapped onto ENISA's own skills framework. Europe is building parts. It has no system.

On the regulatory side, the gap is just as visible. The Cyber Resilience Act mandates 24-hour vulnerability reporting that relies on an identification infrastructure (CVE/NVD) that Europe does not control and does not produce at sufficient scale³⁸. The post-quantum algorithms that ANSSI recommends (ML-KEM, ML-DSA, SLH-DSA) gained worldwide industrial adoption because NIST standardized them as FIPS, and the team that led that process has just lost its leaders. Europe funds the research. NIST turns it into a standard. When NIST loses that capacity, European research loses its normative outlet.

What I don't know

I don't know whether the US Congress will continue to shield NIST from executive branch cuts. The current bipartisan balance depends on a limited number of lawmakers who understand NIST's role in industrial competitiveness. That balance can shift at the next midterm election or with the next continuing resolution.

I don't know whether the experts who left NIST (Scholl, Hall, Ferraiolo, Cooper, Kelly, Tabassi, Schwartz) will be replaced by equivalent profiles. Federal scientific recruitment in the US competes with the private sector, and the current climate within the agency does not favor attracting top talent. The brain drain documented by the Congressional Research Service at other agencies (NOAA, EPA) after similar episodes suggests reconstitution timelines of five to ten years.

I don't know whether the EUVD and GCVE will reach the critical mass needed to become operational alternatives to the American system. Adoption depends on integration into commercial tools (SIEMs, vulnerability scanners, threat intelligence platforms), and those tools are mostly built by American vendors whose interests do not necessarily align with European normative sovereignty.

I don't know what is in the contract that now funds MITRE's CVE program beyond March 2026. The CVE Board administrators themselves don't know. FOIA requests have gone unanswered. The program exists; its governing body doesn't know the terms of its existence.

I don't know how CVSS scores self-assigned by CNA vendors will behave in the absence of independent NIST arbitration. The conflict of interest is structural: the entity that produces the vulnerable software assigns the score that determines remediation priority. Nor do I know whether European national CERTs (CERT-FR, CERT-EU, regional CSIRTs) will absorb the analytical burden that the NVD has just transferred. At constant budgets, this is a silent cost transfer from the U.S. federal government to the rest of the chain.
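One thing a vulnerability-management team can measure today is how much of its own feed the April 15, 2026 change (vector 6 above) has pushed back onto local analysts, and how far CNA self-assigned scores diverge from NIST's where both still exist. The following triage is an added example, not NIST's, CISA's or the article's code. It uses the NVD API 2.0 record layout: `cve.vulnStatus`, `cve.metrics.cvssMetricV31[]` entries typed "Primary" for NIST's own analysis and "Secondary" for the CNA's, and the `cisaExploitAdd` field the NVD sets on KEV-listed CVEs. The records are constructed; the "Not Scheduled" status string is assumed from the announcement, and the logic keys on the presence of a Primary score rather than on that label.

```python
"""Triage NVD API 2.0 records now that NIST no longer enriches every CVE.

Added example, not code from NIST, CISA or the article. Real layout used:
  cve.vulnStatus, cve.metrics.cvssMetricV4?/V31/V30[] with "type" Primary
  (NIST's own score) or Secondary (the CNA's), cve.cisaExploitAdd (set on KEV
  entries). The records below are constructed; the "Not Scheduled" status is
  assumed from the April 2026 announcement and the code does not rely on it.
"""
from collections import Counter

METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")


def _scores(cve):
    """Return (nist_score, cna_score) from the newest CVSS version present."""
    nist = cna = None
    for key in METRIC_KEYS:
        for m in cve.get("metrics", {}).get(key) or []:
            score = m["cvssData"]["baseScore"]
            if m.get("type") == "Primary" and nist is None:
                nist = score
            elif m.get("type") == "Secondary" and cna is None:
                cna = score
        if nist is not None or cna is not None:
            break                      # never mix CVSS versions in one comparison
    return nist, cna


def triage(record, kev_ids=frozenset()):
    """Decide who scored this CVE and what the local team therefore owes it."""
    cve = record["cve"]
    nist, cna = _scores(cve)
    in_kev = "cisaExploitAdd" in cve or cve["id"] in kev_ids
    nist_enriched = nist is not None or bool(cve.get("configurations"))
    if nist is not None:
        score, source = nist, "nist"
    elif cna is not None:
        score, source = cna, "cna"
    else:
        score, source = None, None
    if in_kev:
        action = "patch-now"            # KEV entries keep NIST's one-business-day treatment
    elif source == "nist":
        action = "routine"              # independent arbitration happened
    elif source == "cna":
        action = "verify-cna-score"     # the vendor scored its own product, nobody checked
    else:
        action = "score-locally"        # no score at all: the analyst cost lands here
    divergence = None
    if nist is not None and cna is not None:
        divergence = round(abs(nist - cna), 1)
    return {"id": cve["id"], "status": cve.get("vulnStatus"), "in_kev": in_kev,
            "nist_enriched": nist_enriched, "score": score, "score_source": source,
            "divergence": divergence, "action": action}


def summarize(records, kev_ids=frozenset()):
    """Per-record triage, action counts, and the number of CVEs whose analysis
    the NVD used to perform and the local team now has to."""
    rows = [triage(r, kev_ids) for r in records]
    counts = Counter(r["action"] for r in rows)
    transferred = sum(r["action"] in ("verify-cna-score", "score-locally") for r in rows)
    return rows, dict(counts), transferred


def _metric(source, mtype, score):
    return {"source": source, "type": mtype,
            "cvssData": {"version": "3.1", "baseScore": score}}


SAMPLE_RECORDS = [   # constructed, not real NVD data
    {"cve": {"id": "CVE-2026-0001", "vulnStatus": "Analyzed", "cisaExploitAdd": "2026-04-20",
             "metrics": {"cvssMetricV31": [_metric("nvd@nist.gov", "Primary", 9.8),
                                           _metric("psirt@vendor.example", "Secondary", 9.8)]}}},
    {"cve": {"id": "CVE-2026-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [_metric("psirt@vendor.example", "Secondary", 5.3)]}}},
    {"cve": {"id": "CVE-2026-0003", "vulnStatus": "Not Scheduled", "metrics": {}}},
    {"cve": {"id": "CVE-2026-0004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [_metric("nvd@nist.gov", "Primary", 7.5),
                                           _metric("psirt@vendor.example", "Secondary", 4.3)]}}},
]

if __name__ == "__main__":
    rows, counts, transferred = summarize(SAMPLE_RECORDS)
    for r in rows:
        print(r["id"], r["action"], r["score_source"], r["divergence"])
    print(counts, "analysis transferred to local team:", transferred)
```

Run against a real NVD export, the `transferred` count is the size of the silent cost transfer for that organization, and the `divergence` column on records that still carry both scores is the only empirical basis anyone will have for deciding how much to trust CNA-only scores once the Primary column stops being filled.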

What I know: eight degradation vectors are simultaneously striking the organization on which all four levels of Europe's defensive posture depend, from vulnerability data to the training of professionals. None of these dependency layers has an operational Plan B.

The question posed previously was: what model replaces detect-and-respond when it reaches its empirical limits? The question assumes that an institution exists that can produce the next model. The eight vectors documented here show that this institution is undergoing active transformation. The organization that should be designing post-detect-and-respond has tried to expel its foreign researchers, is losing its cryptography experts, has renamed its AI safety institute, has formally stopped enriching vulnerabilities it does not deem a priority for the U.S. federal government, and survives thanks to a Congress that votes against its own executive.

Europe imported defensive tools that plateau, then built its regulatory compliance on standards produced by an organization where eight degradation vectors converge at the same time. The tenant discovers that the landlord has stopped maintaining the building, is changing the locks and firing the engineers.


Fifteenth article in a series on the structural flaws of Western cybersecurity (articles 1-5 in French):


References

¹ Boulder Reporting Lab, "At Boulder's NIST, three-year cap on international researchers sparks fears of a scientific exodus" (February 12, 2026) — 2-3 year cap, risk matrix by country, requirement to prove no qualified American candidate available. "There have been tears in the office." https://boulderreportinglab.org/2026/02/12/at-boulders-nist-three-year-cap-on-international-researchers-sparks-fears-of-a-scientific-exodus/

² NIST, FIPS 203, 204, 205 (August 2024) — ML-KEM, ML-DSA, SLH-DSA. First post-quantum standards. Adoption: Cloudflare (default for all clients since January 2026), ANSSI, ENISA, BSI recommendations. https://csrc.nist.gov/publications/fips

³ Deloitte, "DORA Regulation — ICT risk management in light of ESAs' RTS" — DORA ICT risk management RTS contain "direct references to other European and international regulations and standards (including NIS2, NIST cybersecurity framework, as well as standards from the ISO 27000-series)." ECSO NIS2 Transposition Tracker: Italy built its National Framework for Cybersecurity and Data Protection on NIST CSF 2.0 (updated 2025); Ireland references NIST CSF 2.0; Cyprus references NIST 800-53. https://www2.deloitte.com/dk/da/pages/risk/articles/DORA-Regulation-ICT-risk-management-in-light-of-ESAs-recent-publication-of-additional-Regulatory-Technical-Standards.html https://ecs-org.eu/activities/nis2-directive-transposition-tracker/

⁴ ISC2, "CISSP in the ECSF — Understanding How the Certification Maps" (May 2025) — CISSP mapped to 6 of 12 roles in ENISA's European Cybersecurity Skills Framework. Recognized as Master's equivalent (RQF Level 7) by UK NARIC (May 2020), transferable in Europe via the European Qualifications Framework. Highest-paid certification in EMEA (Global Knowledge). https://www.isc2.org/Insights/2025/05/CISSP-in-the-ECSF-Understanding-how-the-certification-maps

⁵ See in this series: "Now You See Me" (ATT&CK: survivorship bias, 21% SIEM coverage, federal funding) and "The Prestige" (D3FEND: patent corpus, no measure of effectiveness).

⁶ FedScoop, "NIST Director Laurie Locascio to depart in January" (October 2024) — Locascio oversaw AISI, PQC standards, Digital Identity Guidelines. Departure to ANSI. https://fedscoop.com/nist-director-laurie-locascio-to-depart-in-january/

⁷ NIST, "Our Leadership Team" — Craig Burkhardt, Acting Under Secretary and Acting NIST Director since January 2025. https://www.nist.gov/director/leadership

⁸ Manufacturing Dive, "NIST director nominee advances despite senators' MEP concerns" (March 2026) — Arvind Raman advanced by the Senate Commerce Committee on March 12, 2026 by a 16-12 vote, largely along party lines. Floor vote not scheduled. https://www.manufacturingdive.com/news/nist-director-nominee-arvind-raman-senate-confirmation/815356/

⁹ AIP FYI, "Senators Grill NIST Director Nominee" (March 2026) — Raman's commitment before Cruz to "reorient NIST to its apolitical mission and ensure that it does not serve as an engine for divisive left-wing ideology, even under the guise of 'safety.'" Cruz's statement on the AI Risk Management Framework as "left-wing social engineering." https://www.aip.org/fyi/senators-grill-nist-director-nominee

¹⁰ Nextgov/FCW, "Plankey withdraws nomination to lead CISA" (April 22, 2026) — "After thirteen months since my initial nomination, it has become clear the Senate will not confirm me." Holds from Scott (R-Fla., Coast Guard contracts), Wyden (D-Ore., telecom report). Re-nomination January 2026 after return to President under Senate Rule XXXI. No successor announced. https://www.nextgov.com/people/2026/04/plankey-withdraws-nomination-lead-cisa/413045/ https://www.govinfosecurity.com/no-vote-no-leader-cisa-faces-2026-without-director-a-30208 https://cyberscoop.com/sean-plankey-re-nominated-to-lead-cisa/

¹¹ Federal News Network / TechCrunch (February 27, 2026) — Gottumukkala removed after uploading sensitive documents to public ChatGPT and failing polygraph. Nick Andersen (acting EAD cybersecurity) named third acting director. CISA workforce cut by one-third. Three acting directors in 14 months (Bean, Gottumukkala, Andersen). https://federalnewsnetwork.com/cybersecurity/2026/02/cisa-leadership-shakeup-comes-amid-pressure-moment-for-cyber-agency/ https://techcrunch.com/2026/02/27/cisa-replaces-acting-director-gottumukkala-after-a-bumbling-year-on-the-job/

¹² Nextgov/FCW, "NIST fires over 70 probationary employees" (March 4, 2025) — 73 layoffs, 42 hired under the CHIPS and Science Act. https://www.nextgov.com/people/2025/03/nist-fires-over-70-probationary-employees/403459/

¹³ Bloomberg / Business Standard, "Trump team plans firings of probationary workers at NIST" (February 20, 2025) — Initial plan of 500 layoffs out of 3,400 employees. https://www.business-standard.com/world-news/trump-team-plans-firings-of-probationary-workers-at-nist-key-agency-for-ai-125022000118_1.html

¹⁴ WIRED / Office of Representative Jake Auchincloss — DOGE staff spotted in Building 225 (Information Technology Laboratory) before announcements. Three recently promoted lab directors targeted. https://auchincloss.house.gov/media/in-the-news/the-national-institute-of-standards-and-technology-braces-for-mass-firings

¹⁵ Letter of April 2, 2025 from 22 representatives (McClain Delaney, Lofgren, Neguse and 19 colleagues) to Secretary Lutnick — Impact by campus, office, and project. Questions on recruitment, international standards, competition with China on AI and quantum. https://mcclaindelaney.house.gov/sites/evo-subsites/mcclaindelaney.house.gov/files/evo-media-document/amd-letter-to-sec-lutnik-re-nist-probationary-and-rif-plans-v.f.pdf

¹⁶ Cybersecurity Dive, "NIST loses key cyber experts in standards and research" (May 2025) — Departures of Scholl, Hall, Ferraiolo, Cooper. Reese quotes on post-quantum and loss of "critical institutional knowledge." https://www.cybersecuritydive.com/news/nist-cyber-retirements-quantum-ai-research-standards/747270/

¹⁷ CyberScoop, "In Paris, U.S. signals shift from AI safety to deregulation" (February 2025) — Vance: "I'm not here this morning to talk about AI safety." US and UK refuse to sign communiqué. Technical.ly — Departures of Kelly, Tabassi, Schwartz. AISI staff not invited to Paris summit. https://cyberscoop.com/ai-safety-jd-vance-paris-ai-summit-deregulation/ https://technical.ly/software-development/nist-layoffs-ai-safety-chips-act-trump/

¹⁸ FDD, "Cutting NIST's Workforce Threatens American Tech Innovation and Leadership" (April 2025) — Lutnick on renaming AISI → CAISI. Analysis of impacts on American competitiveness. https://www.fdd.org/analysis/2025/04/16/cutting-nists-workforce-threatens-american-tech-innovation-and-leadership/

¹⁹ FY2026 Appropriations — Executive proposal: $839M (−43%). Congressional appropriations: $1.847B (+21% vs FY24/25). Detailed proposed cuts by program. https://www.commerce.senate.gov/2026/1/ves-existential-threat-from-trump-budget-as-senate-rejects-gutting-nasa-nsf-nist https://aas.org/posts/news/2025/07/fy2026-presidents-budget-request-doe-office-science-and-nist-details

²⁰ Cybersecurity Dive, "NIST is rethinking its role in analyzing software vulnerabilities" (January 23, 2026) — Jon Boyens, acting chief CSD: "I don't think it serves our mission or our stakeholders to try to go back and enrich every CVE." Skepticism toward CISA Vulnrichment. Concern about "balkanization" via GCVE. https://www.cybersecuritydive.com/news/nist-rethinking-vulnerability-analysis/738004/

²¹ NIST NVD Update (March 19, 2025) — CVE submissions +32% in 2024. Growing backlog. CVEs prior to 01/01/2018 marked "Deferred" (April 2025). https://csrc.nist.gov/news/2025

²² NIST, "NIST Updates NVD Operations to Address Record CVE Growth" (April 15, 2026) — Official announcement of universal enrichment abandonment. Three prioritization criteria: CISA KEV, federal software, EO 14028. +263% CVE submissions 2020-2025, +33% Q1 2026. 42,000 CVEs enriched in 2025 (+45%), insufficient. Pre-March 2026 backlog moved to "Not Scheduled." NIST will no longer provide independent severity score when CNA has already assigned one. https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth

²³ Infosecurity Magazine, "NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities" (April 25, 2026) — Harold Booth (NIST computer scientist) at VulnCon26, Scottsdale: "Our ability to keep up is just not there." FIRST forecasts approximately 59,000 new CVEs in 2026, first time the 50,000 threshold will be crossed. https://www.infosecurity-magazine.com/news/nvd-enrichment-premarch-2026/

²⁴ Resilient Cyber, "The NVD Just Threw In The Towel — Now What?" (April 2026) — Gibson (VulnCon26 organizer): "I would be surprised if Anthropic and OpenAI were not CVE Numbering Authorities by the end of 2026." Analysis of the transition from universal enrichment to a privatized model. https://www.resilientcyber.io/p/the-nvd-just-threw-in-the-towel-now https://www.cybersecuritydive.com/news/nist-cve-vulnerability-analysis-nvd-review/810300/

²⁵ Swarmnetics, "MITRE CVE Program Safe Until Early 2026" (April 2025) — CVE program: $57.8M/year in federal funding. https://swarmnetics.com/blog/mitre-cve-program-safe-until-early-2026-but-what-happens-then/

²⁶ BleepingComputer / SecurityWeek — CISA exercises 11-month contract option on April 16, 2025. Extension through March 2026. Barsoum letter: "deterioration of national vulnerability databases and advisories." https://www.securityweek.com/mitre-signals-potential-cve-program-deterioration-as-us-gov-funding-expires/

²⁷ CyberScoop, "CVE Foundation eyes year-end launch" (May 2025) — MITRE: 440+ employees laid off, $28M in contracts canceled. https://cyberscoop.com/cve-program-funding-crisis-cve-foundation-mitre/

²⁸ CVE Foundation — Non-profit created by CVE Board members to decouple the CVE program from single-source government funding. https://www.computerweekly.com/news/366622835/CVE-Foundation-pledges-continuity-after-MITRE-funding-cut

²⁹ CSO Online, "CVE program funding secured, easing fears of repeat crisis" (March 9, 2026) — CVE Board meeting of January 21, 2026: "no funding cliff in March," operations extended "well beyond that timeframe." Nick Andersen (acting director CISA): "Under CISA's leadership and sponsorship, the CVE program is fully funded." Pete Allor (CVE Foundation co-founder): "mystery contract with a mystery number." One board member repeatedly requested access to the contract at successive meetings; MITRE declined, citing legal protections. Separate FOIA request unanswered. https://www.csoonline.com/article/4142600/cve-program-funding-secured-easing-fears-of-repeat-crisis.html

³⁰ Boulder Reporting Lab — Icarus Quantum seeking alternative nanofabrication facilities after NIST restrictions. https://boulderreportinglab.org/2026/02/12/at-boulders-nist-three-year-cap-on-international-researchers-sparks-fears-of-a-scientific-exodus/

³¹ Boulder Reporting Lab, "NIST appears to walk back limits on international researchers" (March 10, 2026) — Burkhardt email to NIST staff on March 6, 2026: "There is no explicit ban on foreign national research associates from any country, nor any mandated time limit or cap." Same email: "NIST is currently reviewing its research security protocols to ensure alignment with evolving laws and guidance as well as consistency with other agencies." Sen. Hickenlooper (Colorado) questioned Raman about the reports at the March 5 confirmation hearing. https://boulderreportinglab.org/2026/03/10/nist-appears-to-walk-back-limits-on-international-researchers/

³² Science (AAAS), "U.S. science agency moves to restrict foreign scientists from its labs" (February 2026, updated March 12) — Foreign researchers barred from lab access on evenings and weekends without escort by a federal employee. These restrictions remained after the formal cap policy was withdrawn. https://www.science.org/content/article/nist-moves-restrict-foreign-scientists-its-labs

³³ See in this series: "The vulnerability of vulnerability management" (NVD), "European dependency on American standards" (85% data dependency), "The last channel" (CISA KEV).

³⁴ ISC2, CISSP Certification Exam Outline — Domain 1 (Security and Risk Management, 16% of exam): "Security control frameworks (e.g., ISO, NIST, COBIT, SABSA, PCI, FedRAMP)" and "Risk frameworks (e.g., ISO, NIST, COBIT, SABSA, PCI)" as explicit exam topics. NIST SP 800-53 listed in recommended preparation references. https://www.isc2.org/certifications/cissp/cissp-certification-exam-outline

³⁵ ENISA, European Vulnerability Database (EUVD) — Launched in beta May 2025. Own identifiers (EUVD-2025-XXXXX). Three views: critical vulnerabilities, actively exploited, CSIRT-coordinated. https://euvd.enisa.europa.eu/

³⁶ Cybernews / Infosecurity Magazine — GCVE launched January 2026 by CIRCL (Luxembourg). 25+ public sources. Decentralized model. European infrastructure. https://www.infosecurity-magazine.com/news/global-cybersecurity-vulnerability/

³⁷ VulnCheck, "Does ENISA EUVD live up to all the hype?" (May 2025) — 50,000+ CVEs missing from main API. Detailed coverage comparison EUVD / NVD / CVE.org. https://www.vulncheck.com/blog/enisa-euvd

³⁸ See in this series: "Ghost in the Binary" (CRA blind spots on compiler-introduced vulnerabilities and dependency on CVE/NVD infrastructure for mandatory reporting).