CISA tells govt agencies to patch critical exploited flaws in 3 days

Staff Editor 2026-06-11
CISA tells govt agencies to patch critical exploited flaws in 3 days

CISA tells govt agencies to patch critical exploited flaws in 3 days

https://www.bleepingcomputer.com/news/security/cisa-tells-govt-agencies-to-patch-critical-exploited-flaws-in-3-days/

Publish Date: 2026-06-11 08:46:00

Source Domain: www.bleepingcomputer.com

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced a new Binding Operational Directive, 26-04, that prioritizes security updates for Federal Civilian Executive Branch (FCEB) agencies.

The directive aims to reduce the threat of cyberattacks targeting the public sector by requiring agencies to remediate high-risk vulnerabilities within accelerated timeframes, in some cases as little as three days.

CISA says that BOD 20-04 “supersedes and revokes” the older BOD 19-02 and BOD 22-01, introduced in 2019 and 2021, respectively.

image

The agency says that prioritizing patching is based on four key considerations:

  1. Whether the asset is publicly exposed online
  2. Presence of the vulnerability in CISA’s Known Exploited Vulnerabilities (KEV) catalog
  3. Whether exploitation can be automated for large-scale attacks
  4. Whether exploitation gives attackers partial or total control of a system

Depending on these factors, agencies get deadlines for addressing security vulnerabilities, the shortest period being three days.

For less urgent situations where automated exploitation is not possible or when it only provides partial control, the timeframe is set to two weeks.

Remediation timelinesVulnerability remediation timelines
Source: CISA

Scope and implementation

The directive applies specifically to U.S. Federal Civilian Executive Branch (FCEB) agencies and the information systems they operate.

This includes government agencies and departments, but does not apply to certain military systems operated by the U.S. Department of War, private companies, Intelligence Community systems, and contractors.

Like previous directives, the framework is expected to influence the broader cybersecurity industry and provide a broader patching priority signal.

The directive applies to all on-premise federal systems, third-party hosted systems, and FedRAMP/non-FedRAMP cloud environments.

Right now, agencies bound to the BOD 26-04 directive should update their…

Source

More Stories

FIFA World Cup expected to face extensive criminal, hacktivist cyber threats

FIFA World Cup expected to face extensive criminal, hacktivist cyber threats

Staff Editor 2026-06-11
Enterprises report increasing budgets for security training in AI and other critical topics

Enterprises report increasing budgets for security training in AI and other critical topics

Staff Editor 2026-06-11
Comcast Business Makes Cybersecurity Simple for Small Businesses with Nationwide Launch of SecurityEdge™ Preferred

Comcast Business Makes Cybersecurity Simple for Small Businesses with Nationwide Launch of SecurityEdge™ Preferred

Staff Editor 2026-06-11

Terms and Conditions - Privacy Policy