- CISA has ordered federal civilian agencies to remediate vulnerabilities on risk-based timelines
- The most dangerous cases — exposed, exploited, automatable flaws granting full control — must be fixed within three days
- The agencies have 180 days to meet the new remediation deadlines
The Cybersecurity and Infrastructure Security Agency on Wednesday issued Binding Operational Directive 26-04, requiring federal civilian agencies to rethink their vulnerability management policies and remediate security flaws on timelines determined by risk rather than treating all vulnerabilities equally.
Under the directive, titled Prioritizing Security Updates Based on Risk, the urgency of a fix is set by four criteria: whether the vulnerable asset is publicly exposed; whether the flaw appears in CISA's Known Exploited Vulnerabilities, or KEV, catalog; whether an adversary can fully automate exploitation; and how much control an attacker would gain after a successful breach.
The new mandate supersedes and revokes two earlier directives — BOD 19-02 on remediating internet-accessible systems and BOD 22-01, which established the KEV catalog in 2021 — consolidating federal patching requirements into a single risk-based framework. Agencies are directed to concentrate resources on the most dangerous flaws while deferring action on low-risk ones, in some cases until a system's next scheduled major upgrade.
“This Directive provides clear definitions, timelines, and criteria that enhance transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation,” said Acting CISA Director Nick Andersen.
While the order binds only federal civilian agencies, Andersen urged all organizations to adopt comparable practices in their own vulnerability management policies.
What Does the Directive Require Agencies to Do?
The directive rolls out in three phases. Effective immediately, agencies must update vulnerability management policies, monitor KEV catalog updates, automate vulnerability status reporting through the Continuous Diagnostics and Mitigation dashboard, and continue Cyber Hygiene scanning.
Within 60 days of the directive's implementation, agencies must revise their processes to support ongoing remediation based on both the Common Vulnerabilities and Exposures database and the KEV catalog. Within 180 days, they must meet the directive's remediation timelines and continuously identify and tag every agency-owned asset reachable from outside their networks, labeling each by organization, environment, exposure and asset type.
The most severe cases — publicly exposed assets with known, exploited, automatable vulnerabilities that grant total control — must be remediated within three days, accompanied by forensic triage to determine whether the system was compromised before the patch landed. CISA noted that applying a patch generally does not remove an attacker already inside a system, making compromise checks essential to managing risk.
CISA, for its part, is committed to keeping the KEV catalog current; supplying vulnerability metadata through its Vulnrichment Program; reassessing remediation timelines each fiscal year; and reporting annually to the homeland security secretary, the Office of Management and Budget director, and the national cyber director on government-wide implementation.
Why Is CISA Changing Its Vulnerability Management Approach?
The agency framed the directive as a response to a threat landscape in which artificial intelligence is shrinking the window between a patch's release and a vulnerability's exploitation. The order implements priorities in the executive order on advanced AI innovation and security and reflects agency and stakeholder feedback calling for KEV-based prioritization.
In May, Trump administration officials reportedly weighed cutting the remediation window for some KEV-listed flaws to as little as three days. Those discussions intensified after reports about Anthropic's Claude Mythos preview raised concerns that advanced AI systems could accelerate the discovery and exploitation of vulnerabilities. Rob Joyce, former National Security Agency cybersecurity director, observed that AI is now finding software flaws at an industrial scale.
Some experts have cautioned that compressed deadlines come with trade-offs for agencies contending with aging infrastructure and staffing shortages. Tod Beardsley, CISA's former vulnerability response lead, has noted that overly aggressive timelines can overwhelm IT teams and weaken prioritization.