Federal agencies now have 72 hours to fix dangerous vulnerabilities

CISA orders federal agencies to triage and fix vulnerabilities based on four risk criteria, with the most dangerous requiring remediation within three days.

 

What happened

CISA issued Binding Operational Directive (BOD) 26-04 on Wednesday, requiring federal agencies to prioritize vulnerability patching based on four criteria, which include whether the vulnerability affects a publicly exposed asset, allows an attacker to fully automate exploitation, enables full system takeover, or shows evidence of active real-world exploitation. The more criteria a vulnerability meets, the faster agencies must patch it. A vulnerability meeting all four criteria requires remediation within three days and a forensic triage to assess whether systems were already compromised. Agencies must immediately update their vulnerability management policies, revise common vulnerability remediation processes within 60 days, and meet all directive timelines within 180 days. While BODs only bind federal civilian agencies, CISA encourages the private sector to adopt the same approach.

 

Going deeper

BOD 26-04 ties remediation timelines to the number of risk criteria a vulnerability meets:

  • All four criteria met - patch within 3 days and conduct forensic triage to check for compromise
  • Fewer criteria met - longer remediation windows apply, allowing agencies to defer lower-risk issues to regular patch cycles
  • Immediate requirement - agencies must establish an ongoing process for remediating Known Exploited Vulnerabilities (KEVs) on CISA's existing "must-patch" list
  • 60-day requirement - update processes for remediating common vulnerabilities
  • 180-day requirement - fully comply with all directive remediation timelines

CISA also cited AI as a driver behind the directive, noting that AI now accelerates the pace at which both researchers and adversaries discover and weaponize vulnerabilities. The directive aligns with an executive order on AI signed by President Trump the week prior.

 

What was said

In a blog post, CISA's Chris Butera and Jonathan Spring warned that defenders are already struggling: "Artificial intelligence is assisting both researchers and adversaries in identifying flaws in software, vastly increasing the pace at which new vulnerabilities are discovered. Per Verizon's 2026 Data Breach Investigations Report, only 26% of vulnerabilities on CISA's Known Exploited Vulnerabilities (KEV) Catalog were fully remediated by organizations in 2025, a drop from the previous year's 38%. The median time for full resolution rose to 43 days."

Speaking to reporters, Butera said CISA socialized the new timelines with agencies ahead of the directive's release: "We really believe we should be able to free up some time to patch the most urgent vulnerabilities faster, while allowing for more regular patch cycles for some of the lower risk vulnerabilities."

 

By the numbers

Per Verizon's 2026 Data Breach Investigations Report, cited by CISA:

  • Only 26% of vulnerabilities on CISA's KEV Catalog were fully remediated by organizations in 2025, down from 38% the previous year.
  • The median time to fully resolve a known exploited vulnerability rose to 43 days.
  • At one large federal agency analyzed by CISA, just 1% of vulnerabilities fell into the three-day remediation window.
  • 60% of that agency's vulnerabilities could be deferred to the next system upgrade cycle.

In the know

CISA's Known Exploited Vulnerabilities (KEV) Catalog is a list of software vulnerabilities that have been actively exploited in the wild. CISA maintains it as a prioritization tool for federal agencies and recommends that the private sector use it as well. A Binding Operational Directive (BOD) is a compulsory directive issued to federal civilian executive branch agencies; it does not legally bind the private sector, but CISA regularly encourages voluntary adoption. "Forensic triage," as referenced in BOD 26-04, refers to the process of examining compromised or potentially compromised systems to determine whether an attacker gained access before a patch was applied.

 

Why it matters

The remediation rate for known exploited vulnerabilities dropped from 38% to 26% in a year, meaning nearly three-quarters of vulnerabilities that CISA already flagged as actively exploited went unpatched. That statistic shows the problem this directive is trying to solve. Attackers now move faster than traditional patch cycles allow. By forcing agencies to categorize vulnerabilities by actual exploitability, CISA is pushing a model where limited patching resources get concentrated on the threats most likely to cause real harm. For the private sector, the same AI-accelerated threat environment applies, and the KEV Catalog is publicly available.

 

The bottom line

BOD 26-04 pushes federal agencies toward a risk-tiered model that concentrates effort where it matters most. Organizations of any size can start by reviewing CISA's KEV Catalog and assessing which of their exposed assets carry actively exploited vulnerabilities.

 

FAQs

Does BOD 26-04 apply to private companies?

No, the directive only legally binds federal civilian agencies, though CISA encourages private organizations to adopt the same risk-based approach voluntarily.

 

What is the KEV Catalog?

CISA's Known Exploited Vulnerabilities Catalog is a publicly available list of software vulnerabilities confirmed to have been actively exploited in the wild.

 

How does AI change the threat landscape for vulnerability management?

AI allows both attackers and researchers to discover and weaponize software flaws faster than traditional patch cycles were designed to handle.
