CISA Mandates Three Day Patch Deadline for Critical Exploited Flaws

CISA's BOD 26-04 requires federal agencies to patch critical exploited vulnerabilities within three days, replacing previous patch directives with a risk-tiered framework.

CSBadmin

New Directive Overhauls Federal Patching

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 26-04, titled “Prioritizing Security Updates Based on Risk.” Released on June 10, 2026, this directive compels all Federal Civilian Executive Branch (FCEB) agencies to remediate the most dangerous known exploited vulnerabilities within just three calendar days. It represents the most aggressive federal patch timeline ever mandated. BOD 26-04 replaces and consolidates two earlier directives, BOD 19-02 and BOD 22-01, into a single risk-tiered framework. It applies to all FCEB systems but excludes national security systems and those operated by the Intelligence Community.

Risk-Based Remediation Tiers

The new directive shifts federal agencies from blanket patching toward risk-based vulnerability management. Each vulnerability is evaluated across four criteria: exposure of the affected asset to the internet, presence in CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploit automation capability, and technical impact on system control. Vulnerabilities meeting all four criteria must be patched within three calendar days, and the affected systems require forensic triage to check for prior compromise. Those meeting fewer criteria have timelines of 14 or 60 calendar days. Vulnerabilities that are not publicly exposed, not in the KEV catalog, and not automatable are deferred. CISA provides KEV status, exploit automation, and technical impact data through its Vulnrichment Program, while agencies self-assess public exposure using CISA’s Internet Exposure Reduction Guidance.
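The tiering described above is, in effect, a decision procedure over four boolean inputs. The following is an added example (not CISA's tooling or anything from the directive itself) that applies those rules to a constructed inventory and produces an ordered remediation worklist. Field names, the sample assets, and the VULN-* labels are hypothetical; the article does not say which combinations of criteria map to 14 versus 60 days, so the code groups those as a single intermediate tier rather than guessing the split.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Tier(Enum):
    """Remediation tiers as summarized in the article."""
    CRITICAL_3_DAY = "3 calendar days, plus forensic triage for prior compromise"
    INTERMEDIATE = "14 or 60 calendar days (split not given in the article; assumption-free grouping)"
    DEFERRED = "deferred"


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset. Field names are hypothetical."""
    asset: str
    vuln_id: str            # placeholder label, not a real CVE identifier
    internet_exposed: bool  # agency self-assessment (Internet Exposure Reduction Guidance)
    in_kev: bool            # KEV catalog status (from Vulnrichment data)
    automatable: bool       # exploit automation capability (from Vulnrichment data)
    total_control: bool     # technical impact: attacker gains control of the system


def classify(f: Finding) -> Tier:
    """Apply the four-criteria rule set described in the article."""
    if f.internet_exposed and f.in_kev and f.automatable and f.total_control:
        return Tier.CRITICAL_3_DAY
    # Deferral depends on exposure, KEV status and automatability only;
    # technical impact alone does not keep a finding out of the deferred tier.
    if not f.internet_exposed and not f.in_kev and not f.automatable:
        return Tier.DEFERRED
    return Tier.INTERMEDIATE


def needs_forensic_triage(f: Finding) -> bool:
    """Only the critical tier carries the compromise-check requirement."""
    return classify(f) is Tier.CRITICAL_3_DAY


def critical_due_date(observed: date) -> date:
    """Three calendar days (not business days) from the observation date."""
    return observed + timedelta(days=3)


def worklist(findings, observed: date):
    """Order findings: critical (with due date) first, then intermediate, then deferred.
    Each row is (asset, vuln_id, tier, due_date_or_None, forensic_triage_required)."""
    rank = {Tier.CRITICAL_3_DAY: 0, Tier.INTERMEDIATE: 1, Tier.DEFERRED: 2}
    rows = []
    for f in findings:
        tier = classify(f)
        due = critical_due_date(observed) if tier is Tier.CRITICAL_3_DAY else None
        rows.append((f.asset, f.vuln_id, tier, due, needs_forensic_triage(f)))
    rows.sort(key=lambda r: (rank[r[2]], r[0]))
    return rows


# Constructed sample inventory (hypothetical assets and labels).
SAMPLE = [
    Finding("web-portal", "VULN-A", True, True, True, True),      # all four criteria
    Finding("internal-db", "VULN-B", False, False, False, True),  # impact only -> deferred
    Finding("vpn-gateway", "VULN-C", True, True, False, True),    # not automatable
    Finding("hr-workstation", "VULN-D", False, True, True, False),# in KEV, so not deferred
]
OBSERVED = date(2026, 6, 10)  # constructed observation date for the demo


if __name__ == "__main__":
    for asset, vid, tier, due, triage in worklist(SAMPLE, OBSERVED):
        print(f"{asset:15} {vid:7} {tier.name:15} due={due} triage={triage}")
```

Because the agency supplies only the exposure flag and CISA supplies the other three, a practical implementation would populate `in_kev`, `automatable` and `total_control` from the Vulnrichment feed and keep `internet_exposed` under local control, so that the two data sources can be audited separately.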

Source: Cyber Security News
