CISA Overhauls Vulnerability Patching with Risk-Based Approach

Agencies should "focus their efforts on the areas of highest risk," Acting CISA director Nick Andersen said, urging federal agencies and private operators alike to change how they prioritize patches.

Binding Operational Directive 26-04: deadlines tied to risk, not score

On June 10, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-04, instructing U.S. federal agencies to move away from rigid, deadline-driven patching based on severity labels and toward a risk-based remediation model. The directive consolidates two prior mandates — BOD 19-02 and the KEV-focused BOD 22-01 — and ties each remediation timeline to assessed risk. For the most dangerous flaws, agencies face a three-day deadline plus a required forensic check for signs of intrusion; less severe combinations receive longer windows, and genuinely low-risk bugs may be deferred, in some cases until a system's next major upgrade.

Four concrete risk factors replace CVSS

CISA revoked the previous requirement that agencies use Common Vulnerability Scoring System (CVSS) severity scores to prioritize fixes, saying a severity label alone doesn't dictate what to fix first. Instead, BOD 26-04 directs agencies to weigh four factors when deciding priorities:

  • Asset exposure — whether the system is publicly reachable;
  • KEV status — whether the flaw appears on CISA's Known Exploited Vulnerabilities (KEV) catalog;
  • Exploit automation — whether an adversary can automate every step needed to exploit it;
  • Technical impact — whether a successful attack grants partial or total control.

The shift is explicit: agencies are no longer required to use CVSS to prioritize and must instead assess risk along these operational dimensions.

Three-day patches paired with forensics to hunt intruders

BOD 26-04 pairs its tightest remediation windows with a forensic requirement. When agencies patch the most serious flaws, they must also check whether attackers have already exploited them, because, as CISA noted, applying a fix "rarely evicts an intruder." CISA framed the change as a response to a threat environment in which artificial intelligence helps attackers find and weaponize bugs faster, shrinking defenders' window once a patch ships and making blanket patching less effective as the volume of disclosed flaws outpaces it.

Practitioners welcome the aim — worry about execution

Practitioners broadly welcomed a risk-based approach while warning that execution will be the hard part. Sunil Gottumukkala, CEO of agentic remediation platform provider Averlon, said knowing a bug is exploited — which the KEV catalog already flags — is only half the job. "The other half is whether it matters in your environment," he said.

Denis Calderone, CTO of AI security firm Suzu Labs, agreed that "CVSS alone has never been a reliable way to decide which vulnerabilities to prioritize." He questioned who will ensure agencies run real risk assessments rather than simply ticking a compliance box, pointing to what he called deep cuts to CISA's budget and workforce. Calderone urged defenders to build their own stacks now, including KEV status, Exploit Prediction Scoring System (EPSS) probabilities and local context.
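To make the prioritization model concrete, here is an added example (not code from CISA or from the firms quoted above) that scores a finding on the directive's four factors and layers in the EPSS probability Calderone recommends. The three-day-plus-forensics tier is taken from the article; the longer windows, the EPSS threshold and the finding identifiers are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed remediation windows below the three-day tier (the article only states
# the top tier); replace with the directive's own tables. A score of 0 is deferred.
TIERS = {4: 3, 3: 14, 2: 30, 1: 90}
EPSS_ESCALATE = 0.5  # assumed: treat a non-KEV flaw with EPSS >= 0.5 as likely exploited


@dataclass
class Finding:
    fid: str                 # placeholder identifier, not a real CVE
    asset_exposed: bool      # factor 1: publicly reachable?
    in_kev: bool             # factor 2: listed in CISA's KEV catalog?
    exploit_automatable: bool  # factor 3: every exploit step automatable?
    total_control: bool      # factor 4: total (vs. partial) control on success
    epss: float = 0.0        # local-context add-on, probability 0..1


def assess(f: Finding) -> dict:
    # KEV listing is the directive's factor; EPSS only escalates a non-KEV flaw.
    likely_exploited = f.in_kev or f.epss >= EPSS_ESCALATE
    score = sum([f.asset_exposed, likely_exploited, f.exploit_automatable, f.total_control])
    days: Optional[int] = TIERS.get(score)  # None => defer to next major upgrade
    return {
        "fid": f.fid,
        "score": score,
        "deadline_days": days,
        "forensic_check": days == 3,  # a patch "rarely evicts an intruder"
    }


def prioritize(findings: List[Finding]) -> List[dict]:
    # Tightest deadline first; deferred items (None) sort last.
    return sorted((assess(f) for f in findings),
                  key=lambda r: (r["deadline_days"] is None, r["deadline_days"] or 0))


# Constructed sample findings covering each tier.
SAMPLE = [
    Finding("PLACEHOLDER-1", True, True, True, True, 0.9),
    Finding("PLACEHOLDER-2", False, False, False, False, 0.01),
    Finding("PLACEHOLDER-3", True, False, True, False, 0.7),   # not in KEV, high EPSS
    Finding("PLACEHOLDER-4", False, True, False, True, 0.3),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```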

How federal agencies, private operators, and defenders are positioned

  • Federal agencies: They have 180 days — until around December 7 — to meet the directive's remediation timelines in every case, and must add forensic checks to the tightest deadlines; success depends on conducting genuine local-risk assessments rather than relying on a severity label.
  • Private-sector and infrastructure operators: CISA urged these groups to follow suit; the directive's logic — prioritize exploitable, exposed, automatable, high-impact flaws — is the same guidance CISA expects non-federal operators to adopt.
  • Defenders and tooling providers: Practitioners like Averlon and Suzu Labs are pushing for richer local context, KEV integration, EPSS probabilities and automated stacks that determine whether an exploited bug matters in a given environment.

BOD 26-04 reframes the federal patching playbook: severity scores no longer dictate orders, and the clock now runs from assessed risk — with the three-day patch-and-forensic combo reserved for the most dangerous, exploitable, exposed flaws. The directive sets a clear calendar — 180 days to comply and consolidated rules in place — but one practical question remains open: will agencies and operators translate risk-focused policy into thorough local assessments and forensic work, or will the change become another box to tick?

https://www.infosecurity-magazine.com/news/cisa-orders-agencies-to-patch-by/