CISA Orders 60- and 180-Day Risk-Based Federal Patching Under Directive 26-04
Updated · CISA · Jun 10
Summary
Binding Operational Directive (BOD) 26-04 takes effect immediately. It requires federal civilian agencies to shift vulnerability remediation from blanket patching to a risk-based model in which priority is set by exposure, Known Exploited Vulnerabilities (KEV) status, whether exploitation has been automated, and technical impact.
60 days after issuance, agencies must update vulnerability-management processes; within 180 days, they must meet CISA’s remediation timelines, with some high-risk flaws requiring action in as little as 3 days plus forensic triage.
The order also mandates automated KEV reporting through the CDM dashboard where possible, weekly machine-readable reporting for agencies lacking full automation, and quarterly attestation of publicly exposed IP addresses and domains.
BOD 26-04 revokes BOD 19-02 and BOD 22-01 and folds their requirements into a single framework, extending the KEV-based approach CISA launched with BOD 22-01 and the KEV catalog in 2021 to prioritize the highest-risk federal vulnerabilities.
CISA said persistent campaigns exploiting unpatched flaws—potentially accelerated by attackers’ use of AI—drove the overhaul, which excludes national security systems but covers federal civilian systems, including many cloud environments.
Federal Agencies Face 18-Month Deadline Under CISA BOD 26-02 to Eliminate Unsupported Edge Devices
Overview
On February 5, 2026, CISA issued Binding Operational Directive 26-02 to address the risk posed by unsupported edge devices, which are common entry points for attackers into federal networks. Because outdated hardware at the network perimeter no longer receives security fixes, the directive compels agencies to proactively identify and remove these devices. CISA cites a persistent and evolving threat landscape in which attackers exploit weaknesses in unsupported devices. The directive also aligns with broader federal compliance frameworks, pushing agencies toward continuous cybersecurity measures and a more resilient security posture.