Brief

CISA’s new patch directive narrows the fastest deadlines to highest-risk flaws

CISA has issued Binding Operational Directive 26-04, a risk-based vulnerability-remediation order for federal civilian agencies, according to CISA. The directive tells agencies to align vulnerability management around Asset Exposure, Known Exploited Vulnerabilities Status, Exploit Automation, and Post-Exploitation Technical Impact, while CISA says only the highest-risk vulnerabilities must be patched within three days. Lower-risk vulnerabilities may receive longer timelines or, in some cases, be deferred until the next system upgrade, so the policy is narrower than a blanket three-day patch mandate. The stakes are federal exposure to known exploited vulnerabilities, which CISA says are a frequent attack vector and pose significant risk to agencies and the federal enterprise.

Technology · June 12, 2026

Sources & context

Evidence, open claims, and reader-facing editor notes.

Dek

A reported Binding Operational Directive would replace broad patch deadlines with risk-based timelines as short as three days, testing whether federal agencies can move from vulnerability awareness to operational remediation fast enough.

Synthesis angle

Investigate whether CISA’s new risk-scored patch deadlines change federal cyber incentives, vendor accountability, and agency exposure to exploited vulnerabilities.

Source

CISA Orders Federal Agencies to Patch Critical Vulnerabilities in Three Days

Preferred source plan

CISA Binding Operational Directive 26-04 text
CISA implementation guidance or agency playbooks for BOD 26-04
Federal Civilian Executive Branch vulnerability remediation requirements
CISA Known Exploited Vulnerabilities catalog and deadline methodology
Statements from CISA Acting Director Nick Andersen
GAO or inspector general reports on federal vulnerability remediation delays

Reading the dossier...