CISA issued Binding Operational Directive (BOD) 26-04, a mandatory cybersecurity order for federal agencies titled 'Prioritizing Security Updates Based on Risk,' on June 10, 2026, requiring federal civilian executive branch agencies to remediate the highest-risk cyber vulnerabilities within three days. The directive text is published at cisa.gov/news-events/directives/bod-26-04.
BOD 26-04 supersedes two earlier CISA directives: BOD 19-02 issued in 2019 and BOD 22-01 issued in 2021. The 21-day and 15-day remediation windows those older directives required were built before AI tools could automate vulnerability discovery and proof-of-concept exploit development at scale.
The directive defines vulnerability urgency through four criteria: whether the affected asset is publicly exposed, whether the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, whether an adversary can automate the exploit, and whether exploitation yields partial or total control of the asset. A vulnerability that meets all four criteria triggers the three-day remediation requirement.
Agencies have 60 days from June 10 to update their internal vulnerability management processes to reflect BOD 26-04 risk tiers. They have 180 days, by approximately December 7, 2026, to fully implement the tiered remediation timelines, according to CISA's implementation guidance.
Acting Executive Assistant Director for Cybersecurity Chris Butera explained that AI tools allow adversaries to find and exploit vulnerabilities faster than the old 15-to-21-day windows allowed defenders to respond. Wired reported that Butera framed the directive as a shift from calendar-based patching to risk-based prioritization.
The directive allows agencies to defer the lowest-risk vulnerabilities entirely to the next scheduled system upgrade cycle, reducing the blanket urgency that prior directives imposed regardless of exposure level. This means agencies can triage rather than sprint for every flaw.
BOD 26-04 does not apply directly to federal contractors or private sector firms. CISA directed agencies to review their contracts to confirm that contractors can support agency compliance with the new timelines, according to Tenable's BOD 26-04 FAQ.
The Ivanti Sentry flaw reported in June 2026 became the first vulnerability to trigger BOD 26-04's three-day mandate after CISA determined it met all four urgency criteria and was already being actively exploited, according to TechTimes.
Federal civilian agencies covered by the directive include all executive branch departments and their component agencies. The Department of Defense and intelligence community operate under separate cybersecurity frameworks and are not directly bound by CISA binding operational directives.
Wiley Law noted in a June 2026 client alert that BOD 26-04 represents a significant shift toward risk-based vulnerability management, pushing agencies to build real-time asset inventories and automated detection capabilities they may not yet have. Wiley Law identified resourcing gaps as the primary implementation challenge.
CyberScoop reported that the directive requires agencies to conduct forensic triage when a vulnerability meeting all four criteria is identified, to determine whether the agency's systems were already compromised before the patch could be applied. This forensic requirement is new and goes beyond prior directives' patch-and-document approach.
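The four urgency criteria, the three-day window for findings that meet all of them, the deferral of the lowest-risk findings, and the forensic-triage trigger can be expressed as a small triage rule that a vulnerability-management team might run over scanner output. The following is an added illustration, not code from CISA, the directive, or any vendor named above. The finding records, the KEV subset, and the CVE identifiers are constructed for the example; the `exploit_automatable` field stands in for an analyst judgement; and only the all-four-criteria tier comes from the directive as reported here, so the two lower tier names (`standard`, `defer-to-upgrade-cycle`) and the rule that "no criterion met" is lowest risk are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Three-day window the directive sets for vulnerabilities meeting all four criteria.
URGENT_WINDOW_DAYS = 3

# Constructed stand-in for the KEV catalog; real data comes from CISA's published feed.
KEV_CATALOG = {"CVE-0000-11111", "CVE-0000-22222"}


@dataclass(frozen=True)
class Finding:
    """One scanner finding enriched with the inputs the four criteria need."""
    cve_id: str
    asset: str
    publicly_exposed: bool      # criterion 1: reachable from the internet
    exploit_automatable: bool   # criterion 3: analyst judgement (assumed field)
    control: str                # criterion 4: "none", "partial" or "total"
    detected: date


def criteria_met(finding: Finding, kev: set[str] = KEV_CATALOG) -> dict[str, bool]:
    """Evaluate each of the directive's four urgency criteria separately."""
    return {
        "publicly_exposed": finding.publicly_exposed,
        "in_kev": finding.cve_id in kev,
        "exploit_automatable": finding.exploit_automatable,
        "yields_control": finding.control in ("partial", "total"),
    }


def classify(finding: Finding, kev: set[str] = KEV_CATALOG) -> dict:
    """Map a finding to a remediation tier.

    Only the all-four-criteria tier (three days, plus forensic triage) comes from
    the directive as described; the other two tier names are placeholders chosen
    for this example, since the page does not define the lower tiers.
    """
    met = criteria_met(finding, kev)
    base = {"cve_id": finding.cve_id, "asset": finding.asset, "criteria": met}
    if all(met.values()):
        deadline = finding.detected + timedelta(days=URGENT_WINDOW_DAYS)
        return {**base, "tier": "urgent-3-day", "deadline": deadline.isoformat(),
                "forensic_triage": True}
    if not any(met.values()):
        # Assumption: no criterion met is treated as lowest risk, deferrable to the upgrade cycle.
        return {**base, "tier": "defer-to-upgrade-cycle", "deadline": None,
                "forensic_triage": False}
    return {**base, "tier": "standard", "deadline": None, "forensic_triage": False}


def sample_findings() -> list[Finding]:
    """Constructed findings for demonstration; not real assets or CVEs."""
    seen = date(2026, 6, 12)
    return [
        Finding("CVE-0000-11111", "vpn-gw-01", True, True, "total", seen),
        Finding("CVE-0000-22222", "web-portal", True, False, "partial", seen),
        Finding("CVE-0000-33333", "lab-printer", False, False, "none", seen),
    ]


def triage_report(findings=None, kev=KEV_CATALOG) -> list[dict]:
    """Classify findings and order them so the urgent tier comes first."""
    findings = sample_findings() if findings is None else findings
    order = {"urgent-3-day": 0, "standard": 1, "defer-to-upgrade-cycle": 2}
    results = [classify(f, kev) for f in findings]
    return sorted(results, key=lambda r: order[r["tier"]])


if __name__ == "__main__":
    for row in triage_report():
        print(row["tier"], row["cve_id"], row["asset"], row["deadline"] or "next upgrade cycle")
```

Because `criteria_met` returns each criterion separately, a report can show which single criterion kept a finding out of the three-day tier (for the constructed `web-portal` finding it is the automatability judgement), which is the information a reviewer needs to re-evaluate the decision when new exploit tooling appears.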