The Broadside · News · 2 min read

CISA issues BOD 24-02 for four-factor patch triage

The relief is real only if agencies can classify exposure, automation and impact faster than attackers can industrialize the exploit.


TL;DR

CISA issued Binding Operational Directive (BOD) 24-02, requiring federal civilian agencies to rank remediation by asset exposure, Known Exploited Vulnerabilities (KEV) status, exploit automation and technical impact, replacing BOD 22-01’s KEV-only trigger. Agencies must revise policies immediately, update processes within 60 days and finish broader asset/reporting work within 180 days. State CISOs get a benchmark rather than a mandate. The unresolved question is whether the directive’s scoring table buys relief or turns bad risk scoring into compliance evidence.

Editorial illustration · drawn by The Broadside

The Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive (BOD) 24-02 takes the Known Exploited Vulnerabilities (KEV) catalog out of its simple lane and turns vulnerability remediation into scored operational triage. Federal civilian agencies now have to prioritize remediation timelines using four variables: whether the asset is publicly exposed, whether the CVE is in CISA’s KEV catalog, whether exploitation can be automated, and whether exploitation gives an adversary partial or total control.

Agencies get relief and homework. The relief is that lower-risk vulnerabilities can be deferred instead of dragged through an undifferentiated emergency queue. The homework starts immediately with policy review, continued KEV monitoring, automated reporting through the Continuous Diagnostics and Mitigation (CDM) Dashboard, process updates within 60 days, and broader asset tagging and reporting work within 180 days. CISA’s reminder that applying a patch generally does not evict a threat actor is the useful, unpleasant part.

AI is why this is more than another patch memo. The June 2 executive order on frontier AI models told CISA to speed civilian federal cyber defense, and CISA tied the directive to a threat landscape where AI software services can help find and exploit vulnerabilities. That does not make every vulnerability equally urgent. It makes the scoring model part of the defense. If agencies misclassify exposure, exploit automation or impact, flexibility becomes a delay mechanism.
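To make the four-factor model and the misclassification risk concrete, here is an added example (not CISA's code and not the directive's actual table): a constructed triage ranker whose tiers, rules and CVE ids are placeholders. It treats unknown exposure as exposed, so a missing asset tag cannot quietly relax a deadline, and it measures how many tiers a finding drops when an exposed asset is wrongly tagged internal.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    URGENT = 1      # lower value = remediate sooner (placeholder tiers)
    HIGH = 2
    STANDARD = 3
    DEFERRED = 4


@dataclass(frozen=True)
class Finding:
    cve: str                        # placeholder ids in the sample, not real CVEs
    public_exposed: Optional[bool]  # None: asset tagging has not answered this yet
    in_kev: bool                    # listed in CISA's KEV catalog
    automatable: bool               # exploitation can be automated
    total_control: bool             # exploitation yields total, not partial, control


def triage(f: Finding) -> Tier:
    # Constructed policy, not BOD 24-02's table. Unknown exposure counts as
    # exposed: a gap in asset tagging must never become a delay mechanism.
    exposed = True if f.public_exposed is None else f.public_exposed
    if f.in_kev and exposed:
        return Tier.URGENT
    if f.in_kev or (exposed and f.automatable and f.total_control):
        return Tier.HIGH
    if exposed or (f.automatable and f.total_control):
        return Tier.STANDARD
    return Tier.DEFERRED


def rank(findings: list) -> list:
    # Work queue: most urgent tier first, stable by CVE id within a tier.
    ordered = sorted(findings, key=lambda f: (triage(f), f.cve))
    return [(f.cve, triage(f)) for f in ordered]


def exposure_misclassification_cost(f: Finding) -> int:
    # Tiers lost if an asset that is really exposed is tagged as internal.
    wrong = Finding(f.cve, False, f.in_kev, f.automatable, f.total_control)
    return int(triage(wrong)) - int(triage(f))


if __name__ == "__main__":
    sample = [  # constructed findings with placeholder ids
        Finding("CVE-0000-0001", True, True, True, True),
        Finding("CVE-0000-0002", False, False, False, False),
        Finding("CVE-0000-0003", None, True, False, False),
        Finding("CVE-0000-0004", True, False, True, True),
    ]
    for cve, tier in rank(sample):
        print(f"{cve}: {tier.name}  (cost if mis-tagged internal: "
              f"{exposure_misclassification_cost(Finding(cve, True, *sample[0][2:] if False else (False, False, False)))})")
```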

State CISOs sit outside the direct legal command, but they will recognize the template. CISA’s KEV guidance has already urged state, local, tribal and territorial governments to use the catalog as an input to vulnerability management even though BOD 22-01 did not bind them (https://www.cisa.gov/known-exploited-vulnerabilities-catalog/reducing-significant-risk-known-exploited-vulnerabilities). The open question is whether BOD 24-02’s timelines compress or relax the old KEV expectations, and how much time agencies have to operationalize the four-factor model before missed scoring becomes a compliance problem.


Published · Deep Fathom