Regulatory  ·  2026-06-11

CISA Issues Binding Operational Directive BOD 26-04 — Risk-Matrix Patching Framework Explicitly Cites AI-Accelerated Exploitation

Regulatory · High impact · United States
CISA issued BOD 26-04 'Prioritizing Security Updates Based on Risk' on June 10, 2026, superseding BOD 19-02 and BOD 22-01. The directive requires federal civilian agencies to remediate vulnerabilities meeting three or more of four risk criteria (asset exposure, KEV status, exploit automation, post-exploitation impact) within three days, while formally permitting deferral of low-risk findings to the next upgrade cycle. CISA explicitly frames the urgency around AI-driven threat actor capabilities that narrow the window between patch release and active exploitation. Agencies have 60 days to update patching procedures and 180 days for full implementation.
This is the most significant federal vulnerability-management reform in years: it moves the US government from time-based patching to a risk-intelligence model anchored to KEV status, EPSS-equivalent automation signals, and asset exposure — a model that commercial enterprises and critical-infrastructure operators are likely to adopt as a de facto industry standard. The explicit acknowledgment of AI-accelerated exploitation as the primary threat driver signals that CISA regards the post-Mythos world as a new normal requiring structural change to patching programmes.
Review your clients' current vulnerability management policies against the four BOD 26-04 criteria (Asset Exposure, KEV Status, Exploit Automation, Technical Impact) and identify the delta from today's SLA structure; federal agencies must update patching procedures within 60 days, but commercial peers should begin framework adoption now.
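As an added illustration of the delta review described above (example code written for this page, not CISA's tooling or any directive text), the script below scores a constructed set of findings against the four BOD 26-04 criteria and compares the resulting window with an assumed legacy severity-based SLA. The only rule taken from the directive is that a finding meeting three or more criteria gets a three-day window and that low-risk findings may be deferred to the next upgrade cycle; the legacy SLA table, the intermediate windows for one or two criteria, and the CVE identifiers are placeholders.

```python
"""Score findings against the four BOD 26-04 risk criteria and compare
the result with a legacy time-based SLA. Added example, not CISA's code."""
from dataclasses import dataclass
from typing import Optional

# The four criteria named in the directive; "technical_impact" is the
# post-exploitation impact criterion.
CRITERIA = ("asset_exposure", "kev_status", "exploit_automation", "technical_impact")

# Assumed legacy severity-based SLA in days (illustration only, not directive text).
LEGACY_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Risk-matrix windows in days. 3 and 4 criteria -> 3 days (from the directive).
# 0 criteria -> None, i.e. deferrable to the next upgrade cycle (from the
# directive's low-risk deferral). The 1 and 2 values are assumed placeholders.
MATRIX_SLA_DAYS = {4: 3, 3: 3, 2: 30, 1: 90, 0: None}


@dataclass(frozen=True)
class Finding:
    cve: str              # placeholder identifier, not a real CVE
    severity: str         # legacy CVSS-style severity bucket
    asset_exposure: bool
    kev_status: bool
    exploit_automation: bool
    technical_impact: bool


def criteria_met(f: Finding) -> int:
    """Count how many of the four criteria the finding satisfies."""
    return sum(getattr(f, c) for c in CRITERIA)


def matrix_sla_days(f: Finding) -> Optional[int]:
    return MATRIX_SLA_DAYS[criteria_met(f)]


def legacy_sla_days(f: Finding) -> int:
    return LEGACY_SLA_DAYS[f.severity]


def sla_delta(f: Finding) -> dict:
    """Compare the legacy and risk-matrix windows for one finding."""
    legacy = legacy_sla_days(f)
    matrix = matrix_sla_days(f)
    if matrix is None:
        change = "deferrable"
    elif matrix < legacy:
        change = "tighter"
    elif matrix > legacy:
        change = "looser"
    else:
        change = "unchanged"
    return {"cve": f.cve, "criteria_met": criteria_met(f),
            "legacy_days": legacy, "matrix_days": matrix, "change": change}


def prioritize(findings) -> list:
    """Return per-finding deltas, most criteria met first."""
    return sorted((sla_delta(f) for f in findings),
                  key=lambda d: (-d["criteria_met"], d["cve"]))


# Constructed sample inventory with placeholder identifiers.
SAMPLE = [
    Finding("CVE-0000-0001", "critical", True, True, True, True),    # exposed, KEV, automated, high impact
    Finding("CVE-0000-0002", "critical", False, False, False, True), # severe CVSS, but internal and unexploited
    Finding("CVE-0000-0003", "medium", True, True, True, False),     # modest CVSS, but exposed, KEV, automated
    Finding("CVE-0000-0004", "low", False, False, False, False),     # nothing applies: defer
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

The interesting rows are the second and third: a severity-only SLA would rush the internal, unexploited critical and sit on the exposed, automated medium, while the criteria count inverts that ordering.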
Sources
CISA BOD 26-04 Official Directive Page
CISA Press Release: CISA Issues New Directive Improving How Federal Agencies Prioritize
BleepingComputer — CISA tells govt agencies to patch critical exploited flaws in 3 days
CISA Blog: Patch Smarter, Not Harder