{"id":270572,"date":"2026-06-11T11:00:00","date_gmt":"2026-06-11T15:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/11\/cisa-orders-agencies-to-patch-by-risk-not-severity\/"},"modified":"2026-06-11T16:15:11","modified_gmt":"2026-06-11T20:15:11","slug":"cisa-orders-agencies-to-patch-by-risk-not-severity","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/11\/cisa-orders-agencies-to-patch-by-risk-not-severity\/","title":{"rendered":"CISA Orders Agencies to Patch by Risk, Not Severity"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/cisa-orders-agencies-to-patch-by\/\">CISA Orders Agencies to Patch by Risk, Not Severity<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/cisa-orders-agencies-to-patch-by\/\">https:\/\/www.infosecurity-magazine.com\/news\/cisa-orders-agencies-to-patch-by\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-11 11:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>US federal agencies have been instructed to overhaul their vulnerability management practices, shifting away from rigid, deadline-driven patching toward a risk-based approach that prioritizes the most actively exploited threats, under new guidance from the Cybersecurity and Infrastructure Security Agency (CISA).<\/p>\n<p>Binding Operational Directive 26-04, issued on June 10, ties each deadline to risk: three days, plus a forensic check for signs of intrusion, for the most dangerous flaws, with longer windows for less severe combinations and deferral for genuinely low-risk bugs, in some cases until a system&#8217;s next major upgrade. It consolidates two previous mandates, BOD 19-02 and the KEV-focused BOD 22-01.<\/p>\n<p>CISA cast it as a response to a threat picture in which AI helps attackers find and weaponize bugs faster, shrinking defenders&#8217; window once a patch ships, as the volume of disclosed flaws outpaces blanket patching.<\/p>\n<p>The directive also pairs its tightest deadlines with a forensic step.\u00a0When an agency patches the most serious flaws, it must check whether attackers have already exploited them, since a fix rarely evicts an intruder.<\/p>\n<p>Read more on CISA directives: CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws<\/p>\n<h2><strong>Risk Replaces the Severity Score<\/strong><\/h2>\n<p>For years, CVSS severity scores drove prioritization, BOD 26-04 drops that.\u00a0Revoking the old directive means agencies are no longer required to use CVSS to prioritize, since, as CISA noted, a severity label alone doesn&#8217;t dictate what to fix first.<\/p>\n<p>The directive instead weighs four factors:<\/p>\n<ul>\n<li>\n<p>Asset exposure: whether the system is publicly reachable<\/p>\n<\/li>\n<li>\n<p>KEV status: whether the flaw is on CISA&#8217;s Known Exploited Vulnerabilities (KEV) catalog<\/p>\n<\/li>\n<li>\n<p>Exploit automation: whether an adversary can automate every step needed to exploit it<\/p>\n<\/li>\n<li>\n<p>Technical impact: whether a successful attack grants partial or total control<\/p>\n<\/li>\n<\/ul>\n<p>Acting CISA director, Nick Andersen, said the directive lets agencies &#8220;focus their efforts on&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/cisa-orders-agencies-to-patch-by\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA Orders Agencies to Patch by Risk, Not Severity https:\/\/www.infosecurity-magazine.com\/news\/cisa-orders-agencies-to-patch-by\/ Publish Date: 2026-06-11 11:00:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":270574,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/749b61ff-844b-4351-802e-66f7862b286a.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,31,27],"class_list":["post-270572","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/270572"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=270572"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/270572\/revisions"}],"predecessor-version":[{"id":270576,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/270572\/revisions\/270576"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/270574"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=270572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=270572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=270572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}