CISA Orders Federal Agencies to Patch Vulnerabilities Faster

June 11, 2026 00:07 · 12 min read
CISA Directive Aims to Improve Vulnerability Patching

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) ordering federal agencies to prioritize vulnerability patching based on four criteria. The directive, BOD 26-04, aims to help agencies patch smarter and reduce the window for exploitation.

CISA acting director Nick Andersen previewed the directive, stating that it provides clear definitions, timelines, and criteria to enhance transparency, predictability, and resource planning for vulnerability remediation. The directive sets forth timelines for how quickly agencies must fix a vulnerability based on how many of the four criteria it meets.

Four Criteria for Prioritization

The four criteria for prioritization are: the vulnerability affects a publicly exposed asset, it allows an attacker to fully automate exploitation, it gives an attacker the ability to take control of a system, or there is evidence of active, real-world exploitation. If a vulnerability meets all four criteria, agencies must fix it within three days and carry out a forensic triage to assess whether their systems were compromised.

Agencies must immediately update their vulnerability management policies, including establishing a process for ongoing remediation of known exploited vulnerabilities (KEVs) on CISA's must-patch list. Within 60 days, agencies need to update their processes for remediating common vulnerabilities, and within 180 days, agencies must meet the order's remediation timelines.

Impact of Artificial Intelligence on Vulnerability Management

The directive is motivated in part by the impact of artificial intelligence on vulnerability management. CISA officials noted that artificial intelligence is assisting both researchers and adversaries in identifying flaws in software, vastly increasing the pace at which new vulnerabilities are discovered.

According to Verizon's 2026 Data Breach Investigations Report, only 26% of vulnerabilities on CISA's Known Exploited Vulnerabilities (KEV) Catalog were fully remediated by organizations in 2025, a drop from the previous year's 38%. The median time for full resolution rose to 43 days.

Industry Reaction

Security researchers and experts have welcomed the directive, with some noting that it aligns with similar guidance from other countries. Patrick Garrity, a security researcher at VulnCheck, said that the directive joins similar guidance out of India and the United Kingdom, and that it's clear the momentum is growing and pushing in the right direction.

Tod Beardsley, vice president of security research at runZero and former KEV section chief at CISA, noted that the three-day deadlines may be frequent, but expressed doubts about the achievability of such a patch cadence across more than a hundred agencies.

CISA encourages the private sector to embrace the directive, and notes that defenders are already struggling to keep up with the pace of vulnerability discovery and exploitation. By patching smarter and focusing on the most urgent vulnerabilities, agencies and organizations can reduce the risk of exploitation and improve their overall cybersecurity posture.

Source: CyberScoop