CISA gives agencies new vulnerability remediation deadlines that take risk levels into account
Publish Date: 2026-06-10 11:43:00
Source Domain: www.cybersecuritydive.com
The Cybersecurity and Infrastructure Security Agency on Wednesday directed federal agencies to adopt a new risk-based approach to fixing vulnerabilities in their systems.
CISA’s binding operational directive (BOD) establishes new deadlines for vulnerability remediation based on four factors: whether affected systems are exposed to the internet, whether threat actors are exploiting the flaw, whether the exploit is automatable and whether exploitation gives attackers at least partial control of the affected system.
The new system reflects an increasingly complex and dangerous threat environment in which both internet-exposed devices and serious vulnerabilities are proliferating quickly — and in which AI is making it easier for hackers to automate attacks that use those vulnerabilities to breach devices.
Under the new prioritization scheme, which takes effect Dec. 7, agencies will have three days to address actively exploited, automatable vulnerabilities that grant hackers at least partial control over internet-facing systems. In cases where the vulnerability would grant hackers total control, agencies also have to perform a forensic triage of the affected assets to determine if they have been compromised. (CISA’s implementation guidance for the BOD describes how agencies should perform triages.)
The BOD establishes looser deadlines for other situations. Agencies will have two weeks to address actively exploited vulnerabilities that would grant partial control over internet-facing systems but are not automatable. (In cases where exploitation is not automatable but would grant full control, agencies would still need to remediate within three days and perform a forensic triage.) There are also longer deadlines for vulnerabilities that hackers are not yet exploiting, as well as for vulnerabilities affecting systems that are not exposed to the internet.
A flowchart of the deadlines in the new…