CISA Orders Agencies to Patch by Risk, Not Severity

https://www.infosecurity-magazine.com/news/cisa-orders-agencies-to-patch-by/

Publish Date: 2026-06-11 11:00:00

Source Domain: www.infosecurity-magazine.com

US federal agencies have been instructed to overhaul their vulnerability management practices, shifting away from rigid, deadline-driven patching toward a risk-based approach that prioritizes the most actively exploited threats, under new guidance from the Cybersecurity and Infrastructure Security Agency (CISA).

Binding Operational Directive 26-04, issued on June 10, ties each deadline to risk: three days, plus a forensic check for signs of intrusion, for the most dangerous flaws, with longer windows for less severe combinations and deferral for genuinely low-risk bugs, in some cases until a system’s next major upgrade. It consolidates two previous mandates, BOD 19-02 and the KEV-focused BOD 22-01.

CISA cast it as a response to a threat picture in which AI helps attackers find and weaponize bugs faster, shrinking defenders’ window once a patch ships, as the volume of disclosed flaws outpaces blanket patching.

The directive also pairs its tightest deadlines with a forensic step. When an agency patches the most serious flaws, it must check whether attackers have already exploited them, since a fix rarely evicts an intruder.

Risk Replaces the Severity Score

For years, CVSS severity scores drove prioritization; BOD 26-04 drops that requirement. By revoking the earlier directive, CISA no longer requires agencies to prioritize by CVSS, noting that a severity label alone does not tell an agency what to fix first.

The directive instead weighs four factors:

  • Asset exposure: whether the system is publicly reachable

  • KEV status: whether the flaw is on CISA’s Known Exploited Vulnerabilities (KEV) catalog

  • Exploit automation: whether an adversary can automate every step needed to exploit it

  • Technical impact: whether a successful attack grants partial or total control

Acting CISA director, Nick Andersen, said the directive lets agencies “focus their efforts on…