CISA ties BOD 26-04 patch deadlines to exploitability
CISA is turning attacker tempo, including automated exploitation, into the priority signal federal patch queues must reflect.
TL;DR
CyberScoop reports the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04, requiring federal agencies to rank vulnerabilities by public exposure, automated exploitability, system-control impact and active exploitation. Vulnerabilities meeting all four criteria get a three-day fix window and forensic triage. Contractors, primes and managed service providers are not directly bound, but agency customers now have 3-to-180-day timelines to meet against a reported 43-day median full-resolution time for known exploited vulnerabilities (KEVs).

CyberScoop reports that BOD 26-04 moves agency vulnerability management onto a criteria-based remediation clock. Federal agencies have to rank vulnerabilities by four signals: whether the affected asset is publicly exposed, whether exploitation can be fully automated, whether exploitation gives an attacker system control, and whether there is evidence of active real-world exploitation. When all four are present, the fix window is three days and the agency must conduct forensic triage. Agencies also have to update vulnerability management policies immediately, revise common-vulnerability remediation processes within 60 days, and meet the directive’s timelines within 180 days.
The change matters because it adds automation to the official federal patch calculus. CISA’s Known Exploited Vulnerabilities catalog already gives agencies an authoritative source for vulnerabilities exploited in the wild and, according to CISA, an input to prioritization. BOD 26-04 says exploit automation itself belongs in the queue. That is the AI point here: CISA is treating shorter weaponization windows, the kind automated exploitation produces, as an input to scheduling.
The operational conflict is capacity. CISA officials, as quoted by CyberScoop, cited Verizon data showing only 26% of KEV catalog vulnerabilities were fully remediated by organizations in 2025, with median full resolution at 43 days. A three-day requirement for the all-four category is a capacity mandate. Agencies and their service providers need people, tooling and exception processes that can move faster than the normal patch cycle when CISA’s criteria line up.
Contractors, primes and managed service providers sit in the pressure zone even though BODs are not mandatory outside federal agencies. Agency customers cannot meet the directive if provider scanning feeds, validation steps or maintenance windows run on slower commercial assumptions. The open questions are practical: whether CISA will publish a detailed scoring rubric or automation tools, and how quickly agency contracts turn the BOD clock into flowdown obligations for subs.
Published · Deep Fathom