CISA directive revamps how agencies prioritize vulnerable systems

https://www.nextgov.com/cybersecurity/2026/06/cisa-directive-revamps-how-agencies-prioritize-vulnerable-systems/414096/

Publish Date: 2026-06-10 14:28:00

Source Domain: www.nextgov.com

The Cybersecurity and Infrastructure Security Agency released a binding directive Wednesday requiring federal agencies to rethink how they prioritize vulnerability fixes across government networks.

The directive sets remediation deadlines based on several factors, including whether a flaw is publicly exposed, already known to be exploited, automatable by attackers or capable of giving hackers control of an affected system.

It establishes new timelines to patch security flaws, from three days for the highest-risk vulnerabilities to 60 days for lower-priority items. Some vulnerabilities that are not publicly exposed, not known to be exploited and not automatable by adversaries can be deferred until the affected system receives a scheduled major upgrade.

The policy marks a significant shift in federal cyber management by pushing agencies to focus remediation resources on flaws that could be the most impactful if leveraged by hackers, rather than treating all vulnerabilities as equally urgent. 

The move is also part of CISA’s response “to the current threat landscape where AI software services can assist threat actors to find and exploit vulnerabilities,” the agency says.

“CISA is leading and collaborating with federal civilian agencies to stay ahead of our adversaries as tactics, technologies and vulnerabilities change,” agency acting director Nick Andersen said in a statement. “While this directive is a mandate for federal agencies, CISA strongly encourages all partners to adopt similar actions in their vulnerability management policy.”

The directive is an acknowledgment that agencies cannot protect every system equally through patch mandates and must instead focus their often limited resources on the vulnerabilities and networks whose compromise could cause the greatest damage. Federal agencies are a constant target for hackers because of the sensitive data often stored on their networks.

In an initial analysis at one large civilian agency, CISA found…