CISA directive orders agencies to prioritize vulnerability patching in a new way

Staff Editor 2026-06-10
CISA directive orders agencies to prioritize vulnerability patching in a new way

CISA directive orders agencies to prioritize vulnerability patching in a new way

https://cyberscoop.com/cisa-vulnerability-remediation-directive-bod-26-04/

Publish Date: 2026-06-10 12:11:00

Source Domain: cyberscoop.com

The Cybersecurity and Infrastructure Security Agency on Wednesday ordered federal agencies to prioritize vulnerabilities based on four criteria, as part of push to “patch smarter, not harder.”

Federal agencies should emphasize patches for vulnerabilities that affect a publicly exposed asset, allow an attacker to fully automate exploitation, give attackers the ability to take over control of a system or relate to evidence of active, real-world exploitation, CISA declared.

CISA acting director Nick Andersen previewed the binding operational directive (BOD) Tuesday, framing it as a rethinking of vulnerability management more broadly.

“This Directive provides clear definitions, timelines and criteria that enhances transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation,” Andersen said in a statement. “CISA is leading and collaborating with federal civilian agencies to stay ahead of our adversaries as tactics, technologies and vulnerabilities change.”

BOD 26-04 sets forth timelines for how quickly agencies must fix a vulnerability based on how many of the four criteria it meets. If it meets all four, for example, agencies need to fix it within three days and carry out a “forensic triage” to assess whether their systems were compromised. 

More generally, agencies must immediately update their vulnerability management policies, including establishing a process for ongoing remediation of known, exploited vulnerabilities (KEVs) on CISA’s “must-patch” list. Within 60 days, agencies need to update their processes for remediating common vulnerabilities, and within 180 days, agencies must meet the order’s remediation timelines.

The directive is motivated in part by how artificial intelligence is shifting the window from vulnerability discovery to weaponization, and CISA said it reflects priorities in an executive order on AI that President Donald Trump signed last…

Source

More Stories

IVT EXPO VIDEO: New display cybersecurity, hardware, and innovation from DSE

IVT EXPO VIDEO: New display cybersecurity, hardware, and innovation from DSE

Staff Editor 2026-06-10
Our drinking water systems are more connected than ever, and more exposed to risks

Our drinking water systems are more connected than ever, and more exposed to risks

Staff Editor 2026-06-10
Europe moves to secure sovereign cybersecurity and chips

Europe moves to secure sovereign cybersecurity and chips

Staff Editor 2026-06-10

Terms and Conditions - Privacy Policy