CISA Releases Binding Operational Directive 26-04 on Prioritizing Security Updates Based on Risk

Cybersecurity and Infrastructure Security Agency (CISA)

06/10/2026 11:00 AM EDT

Today, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk, requiring federal agencies to prioritize rapid remediation of high-risk vulnerabilities while deferring action on lower-risk vulnerabilities.

This Directive harmonizes and improves BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems and BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, streamlining federal processes to increase efficiency and ensure our cybersecurity policies address modern and increasingly sophisticated threats. Additionally, CISA released Implementation Guidance to help agencies promptly execute vulnerability response actions that align with BOD 26-04’s requirements.

Known exploited vulnerabilities (KEVs) are a frequent attack vector for cyber threat actors, and the use of artificial intelligence may further narrow the time defenders have to react between patch release and potential exploitation. All federal agencies are required to remediate vulnerabilities within the prescribed timeframe. The new Directive establishes a prioritization structure for patching efforts based on asset exposure, KEV status, exploit automation, and post-exploitation technical impact.

Key Actions:

  • Update agency vulnerability management procedures.
  • Prioritize remediation based on risk, including KEV status and asset exposure.
  • Identify and tag all agency-managed and publicly exposed assets.
  • Maintain Cyber Hygiene scanning access and attest to exposed IPs and domain names quarterly.
  • In the designated scenarios, check whether an adversary compromised the asset before the patch was applied.

While BOD 26-04 is issued for federal agency compliance, its risk-based approach, updated guidance, and asset management strategies offer practical tools for any organization aiming to enhance its cybersecurity posture.

For more required actions, read the full text of BOD 26-04 and Implementation Guidance.