CISA Requires Federal Agencies to Patch Highest-Risk Vulnerabilities in as Little as 3 Days
CISA has issued a new federal directive that requires civilian agencies to fix the most dangerous vulnerabilities in as little as three calendar days. The rule changes how federal agencies prioritize security updates by focusing on real-world risk instead of treating all vulnerabilities with the same urgency.
The directive, called BOD 26-04: Prioritizing Security Updates Based on Risk, was released on June 10, 2026. It applies to Federal Civilian Executive Branch agencies and does not apply to national security systems or systems operated by the Intelligence Community.
The new model replaces flat patching deadlines with a risk-based matrix. A vulnerability can trigger a 3-day, 14-day, or 60-day remediation window, while the lowest-risk issues can wait until the next scheduled system upgrade.
CISA Replaces Older Federal Patching Rules
BOD 26-04 revokes and replaces BOD 19-02 and BOD 22-01. That is a major shift because BOD 22-01 focused heavily on CISA’s Known Exploited Vulnerabilities list, while the new directive uses several risk signals at the same time.
A Binding Operational Directive is a compulsory direction to federal executive branch departments and agencies for safeguarding federal information and information systems. CISA says the directive consolidates and clarifies federal vulnerability remediation requirements into a single framework.
The change gives agencies more flexibility for lower-risk flaws, but it also creates much faster deadlines for vulnerabilities that attackers can exploit at scale or use to take full control of systems.
| Directive | Main focus | Status after BOD 26-04 |
|---|---|---|
| BOD 19-02 | Remediation of internet-accessible system vulnerabilities | Revoked and replaced |
| BOD 22-01 | Known exploited vulnerabilities in CISA’s KEV catalog | Revoked and replaced |
| BOD 26-04 | Risk-based remediation using exposure, exploitation, automation, and impact | Current directive |
The 4 Factors That Decide the Deadline
Under the new rule, agencies must evaluate each vulnerability against four criteria. These criteria determine how quickly the vulnerability must be fixed and whether forensic review is required.
The first factor is public exposure. Agencies must determine whether the vulnerable asset is reachable from the internet. CISA’s Internet Exposure Reduction guidance helps agencies identify and reduce exposure across public-facing systems, remote access services, industrial systems, and other reachable assets.
The other three factors come from CISA’s vulnerability intelligence. Agencies must consider whether the vulnerability appears in the Known Exploited Vulnerabilities catalog, whether exploitation can be automated, and whether successful exploitation gives attackers total or partial control.
- Asset exposure: Is the vulnerable system publicly reachable?
- KEV status: Is the vulnerability known to be exploited in the wild?
- Exploit automation: Can attackers automate the exploitation process?
- Technical impact: Does exploitation provide total or partial control?
What Must Be Patched in 3 Days
The fastest deadline applies to the highest-risk vulnerabilities. A vulnerability that is in the KEV catalog and gives attackers total control must be remediated within 3 calendar days, and agencies must also conduct forensic triage to check whether the system has already been compromised.
Some other high-risk combinations also fall into a 3-day window without the forensic triage requirement. For example, a publicly exposed, automatable vulnerability that gives attackers total control can require a 3-day fix even if it has not yet appeared in the KEV catalog.
CISA’s implementation guidance explains how the four criteria map to remediation timelines and how agencies should align their processes with the new model.
| Risk tier | Required action | Example scenario |
|---|---|---|
| 3 days plus forensic triage | Patch or mitigate and check for compromise | Known exploited vulnerability with total technical impact |
| 3 days | Patch or mitigate quickly | Publicly exposed, automatable flaw that grants total control |
| 14 days | Accelerated remediation | Most KEV-listed flaws and other high-risk combinations |
| 60 days | Standard risk-based remediation | Lower-risk combinations such as partial-control flaws on less exposed assets |
| Next system upgrade | Defer until planned upgrade or rebuild | No public exposure, no KEV status, no automation, and only partial impact |
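As an added illustration (not code from the article, CISA, or any vendor), the following Python helper encodes the tier combinations the article names and orders a small constructed set of CVE records by urgency. The placeholder CVE ids, the Vulnrichment-style record shape, the use of "active" exploitation as a stand-in for KEV status, and the 60-day fallback for combinations the article does not spell out are all assumptions.

```python
from dataclasses import dataclass
# Constructed sample input (placeholder CVE ids). Each value is (publicly exposed?, options),
# where options mimics the SSVC decision points Vulnrichment attaches to CVE records;
# that shape is an assumption to verify against the Vulnrichment repository.
SAMPLE_RECORDS = {
    "CVE-0000-0001": (True,  [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}]),
    "CVE-0000-0002": (True,  [{"Exploitation": "none"},   {"Automatable": "yes"}, {"Technical Impact": "total"}]),
    "CVE-0000-0003": (False, [{"Exploitation": "active"}, {"Automatable": "no"},  {"Technical Impact": "partial"}]),
    "CVE-0000-0004": (True,  [{"Exploitation": "none"},   {"Automatable": "no"},  {"Technical Impact": "partial"}]),
    "CVE-0000-0005": (False, [{"Exploitation": "none"},   {"Automatable": "no"},  {"Technical Impact": "partial"}]),
}
TIER_ORDER = ["3 days", "14 days", "60 days", "next system upgrade"]

@dataclass(frozen=True)
class Decision:
    window: str            # remediation window from the article's risk tiers
    forensic_triage: bool  # True only for the KEV + total-control tier

def remediation_window(exposed, kev, automatable, impact):
    """Map the four factors to a tier. Only combinations the article states are encoded;
    anything else falls to the 60-day tier, an assumption (the article lists example
    scenarios, not the full matrix; the implementation guidance is the authority)."""
    if impact not in ("total", "partial"):
        raise ValueError(f"unknown technical impact: {impact!r}")
    if kev and impact == "total":
        return Decision("3 days", True)    # fastest tier, plus a compromise check
    if exposed and automatable and impact == "total":
        return Decision("3 days", False)   # 3 days even without a KEV listing
    if kev:
        return Decision("14 days", False)  # "most KEV-listed flaws"
    if not exposed and not automatable and impact == "partial":
        return Decision("next system upgrade", False)
    return Decision("60 days", False)

def triage_record(exposed, options):
    """Flatten Vulnrichment-style single-key option dicts, then classify."""
    points = {k: str(v).lower() for item in options for k, v in item.items()}
    kev = points.get("Exploitation") == "active"  # assumption: "active" stands in for KEV listing
    automatable = points.get("Automatable") == "yes"
    return remediation_window(exposed, kev, automatable, points.get("Technical Impact", "partial"))

def prioritize(records):
    """Return (cve, Decision) pairs, most urgent first; triage-required first within a tier."""
    decided = [(cve, triage_record(exp, opts)) for cve, (exp, opts) in records.items()]
    return sorted(decided, key=lambda d: (TIER_ORDER.index(d[1].window), not d[1].forensic_triage))

if __name__ == "__main__":
    for cve, decision in prioritize(SAMPLE_RECORDS):
        print(cve, decision.window, "+ forensic triage" if decision.forensic_triage else "")
```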
Agencies Must Use CVE and Vulnrichment Data
BOD 26-04 moves federal vulnerability management closer to a CVE-centered workflow. Agencies must align remediation decisions with the CVE database and use CISA-provided data to support the new prioritization model.
CISA’s Vulnrichment program adds decision points to public CVE records, including exploitation status, automatable status, and technical impact. This helps agencies move beyond CVSS scores and judge which vulnerabilities require urgent attention.
The model also depends on accurate asset exposure data. If an agency cannot tell which systems are internet-facing, it cannot correctly apply the new remediation deadlines. That makes continuous asset discovery and exposure tracking a core part of compliance.
The Rollout Happens in 3 Phases
CISA structured the directive in phases so agencies can update policies, reporting, and remediation workflows before the full timeline requirements take effect.
Phase I starts immediately. Agencies must update vulnerability management policies, continue monitoring the KEV catalog, automate reporting through the Continuous Diagnostics and Mitigation Dashboard where possible, and keep using CISA’s cyber hygiene services.
Within 60 days, agencies must update vulnerability management processes to support the full CVE database and KEV catalog. Within 180 days, they must fully meet the remediation timelines from Table 1 and maintain asset metadata needed to determine public exposure.
| Phase | Deadline | Main requirement |
|---|---|---|
| Phase I | Immediate | Update policies, monitor KEV, and support CDM reporting |
| Phase II | Within 60 days | Align vulnerability management processes with CVE and KEV data |
| Phase III | Within 180 days | Meet the new remediation timelines and continuously tag exposed assets |
AI Threats Helped Drive the Faster Timeline
CISA cited the changing threat landscape as a reason for the directive. Attackers can already exploit known vulnerabilities quickly, and AI tools may shrink the time between public disclosure, exploit development, and mass exploitation.
WIRED reported that CISA officials framed the directive as a way to help agencies prioritize the most dangerous issues first. The WIRED report also noted that CISA wanted to balance urgency with what agencies can realistically do.
That balance explains why the fastest deadline is 3 days rather than 24 hours. CISA wants agencies to move faster on the riskiest issues, but the model also lets them defer vulnerabilities that do not meet high-risk criteria.
What Changes for Private Companies
BOD 26-04 is mandatory for federal civilian agencies, not private companies. However, private organizations should still watch the framework because CISA’s KEV catalog has already become a widely used prioritization signal outside government.

The new model gives security teams a practical way to answer a common patching question: which vulnerabilities need immediate action, and which can wait? The answer now depends on exploit evidence, exposure, automation, and impact, not only on a CVSS score.
The KEV catalog remains important, but it is no longer the only signal in the federal model. Public exposure can make a flaw more urgent, while removing a system from the internet can change the applicable remediation window.
Why Exposure Data Now Matters More
The directive makes internet exposure a first-class risk factor. A vulnerability on an internal test system may receive a different timeline from the same vulnerability on a public VPN gateway, web server, or management interface.
That means agencies must maintain accurate records of which assets are reachable from outside their networks. CISA’s exposure reduction guidance tells organizations to identify publicly accessible assets and mitigate unnecessary exposure before attackers find it.
The practical impact is clear: agencies that know their asset exposure can prioritize better, while agencies with poor asset visibility may struggle to meet the new deadlines.
What Agencies Should Do Now
Agencies should first update vulnerability management policies to reflect the new risk model. They should also make sure security teams can combine scanner data, asset inventories, KEV status, Vulnrichment data, and exposure information in a single workflow.

The Vulnrichment repository shows how CISA adds SSVC decision points to CVE records, while the BOD 26-04 implementation guidance gives agencies the operational steps needed to comply with the directive.
Security leaders should also prepare forensic triage workflows for the highest-risk tier. For those vulnerabilities, patching alone does not satisfy the intent of the directive because agencies also need to determine whether attackers may have already used the flaw.
- Update vulnerability management policies immediately.
- Map every vulnerability to a CVE where possible.
- Track whether each vulnerable asset is publicly exposed.
- Ingest KEV status, exploit automation, and technical impact data.
- Prepare 3-day response workflows for the highest-risk vulnerabilities.
- Create forensic triage procedures for KEV vulnerabilities with total technical impact.
- Automate CDM reporting where possible.
- Review deferred vulnerabilities during planned system upgrades.
Industry guidance has already pointed to the directive as a major shift away from flat patching deadlines. Tenable’s analysis says BOD 26-04 creates a four-variable model that can focus resources on the vulnerabilities that matter most, while giving agencies operational relief for lower-risk issues.
The Tenable FAQ also highlights the operational challenge: agencies must continuously answer the four risk questions for every vulnerability across their environments. The WIRED coverage adds another reason for urgency, as AI may help attackers move faster from discovery to exploitation.
For federal agencies, the message is direct. The most exposed, exploited, automatable, and damaging vulnerabilities now move to the front of the line, and the most dangerous ones can no longer wait weeks for remediation.
FAQ
What is BOD 26-04?
BOD 26-04 is a Binding Operational Directive from CISA that requires Federal Civilian Executive Branch agencies to prioritize vulnerability remediation based on risk. It uses asset exposure, KEV status, exploit automation, and technical impact to set remediation timelines.
Does every vulnerability have to be patched within 3 days?
No. The 3-day deadline applies to the highest-risk combinations in CISA’s model. Vulnerabilities that are known exploited and give attackers total control require remediation within 3 days plus forensic triage, while other high-risk combinations may also require a 3-day fix.
Who must comply with BOD 26-04?
BOD 26-04 applies to Federal Civilian Executive Branch agencies. It does not apply to national security systems or systems operated by the Intelligence Community. Private organizations are not required to comply, but they can use the framework as a risk-based patching model.
What are the remediation timelines?
The main timelines are 3 days plus forensic triage, 3 days without triage for some high-risk combinations, 14 days, 60 days, and deferral until the next scheduled system upgrade for the lowest-risk vulnerabilities.
What should agencies do first?
Agencies should update vulnerability management policies, identify publicly exposed assets, monitor the KEV catalog, ingest CISA Vulnrichment data, prepare CDM reporting, and create forensic triage workflows for the highest-risk vulnerabilities.