
CISA BOD 26-04 Sets a Three-Day Federal Patch Clock

CISA’s BOD 26-04 swaps the CVSS-first patch regime for a four-signal risk model, with a three-day clock on the worst bugs and a deferral path for the rest.

Ishan Crawford

CISA Binding Operational Directive 26-04 lands on Wednesday with a three-calendar-day patch clock for the worst federal vulnerabilities, a four-signal risk model, and formal permission to defer the rest. The directive retires both BOD 19-02 and BOD 22-01 and runs on a decision tree that is more granular than the model it replaces.

Acting CISA Director Nick Andersen called the consolidation “a significant step forward” in CISA’s announcement of the directive. The practical effect is a regime where the most exposed, most exploited, most automatable bugs on publicly reachable systems must be patched inside the top band, with a forensic triage to check whether the system was already compromised.

What BOD 26-04 Replaces

The two revoked directives split the work in two. BOD 19-02, issued April 29, 2019, set remediation requirements for vulnerabilities on internet-accessible systems. BOD 22-01, issued November 3, 2021, built the Known Exploited Vulnerabilities catalog and required federal agencies to remediate catalog entries on fixed deadlines. Both treated every KEV entry the same.

BOD 26-04 supersedes and revokes both, and the difference shows up in the inputs. The old regime started from a static timer; the new regime starts from four questions: is the asset publicly exposed, is the bug on the KEV catalog, can exploitation be fully automated, and does the exploit give the attacker partial or total control. The combination of answers decides the band, not the count. CISA’s own writeup of the directive names the threat driver: “threat actors exploit unpatched vulnerabilities, and their use of AI may further narrow the time defenders have to react between patch release and possible exploitation.” That is the reason the clock tightened.

What changes               | Old regime (BOD 19-02 / BOD 22-01) | New regime (BOD 26-04)
---------------------------|------------------------------------|------------------------------------------
Decision input             | KEV catalog with fixed deadlines   | Four-signal risk model
Shortest federal clock     | Fixed deadline for KEVs            | Three calendar days, with forensic triage
Treatment of low-risk bugs | All KEV entries required action    | Formal deferral allowed

The Four-Signal Risk Model

The four inputs are not a checklist. Table 1 in the directive is a decision tree, and the combination of answers decides the band rather than the count. CISA publishes answers to three of the four inputs (KEV status, exploit automation, and technical impact) for every CVE through its Vulnrichment Program. Exposure is the one agencies have to determine themselves, and the directive resolves that question conservatively: if any detection method shows an asset is reachable, it counts as publicly exposed and gets the faster clock.

The first signal, asset exposure, asks whether the vulnerable system is reachable from the public internet. CISA’s Internet Exposure Reduction Guidance is the reference, and the implementation guidance tells agencies to treat unknown assets as exposed, stating that if the CDM program does not provide public-exposure information about an asset, CISA “will treat the asset as publicly exposed for purposes of calculating patching timelines.” The second signal, KEV status, is a yes-or-no lookup against the catalog CISA has maintained since 2021.

The third signal, exploit automation, asks whether an adversary can script every step of the attack, the property that turns a vulnerability into a worm candidate. The fourth signal, technical impact, asks whether the attacker walks away with partial or total control of the asset, and CISA’s own definitions treat that distinction as binary. CISA publishes answers for the second, third, and fourth signals for every CVE through Vulnrichment, so agencies can read the band off the metadata.

The four answers together produce one of four bands. The highest-risk combinations land in the top band, with the forensic triage requirement attached. The middle of the table covers cases where exposure or automation is missing, and lands in a two-week window. The lower bands extend the timeline further, with formal permission to defer the lowest-risk fixes to a later cycle. The thresholds are dynamic, not static: pull a system off the internet, and its clock relaxes. Land on the KEV, and it tightens.

The Three-Day Clock, and What Triggers It

The top-tier window is the headline number, and the trigger is specific. CISA’s implementation guidance for BOD 26-04 describes it this way: agencies must identify “whether the vulnerability meets the remediation threshold in fewer than three days and requires forensic triage to assess whether the systems or network infrastructure have been impacted or compromised.” The clock starts at the earlier of two events: the CVE being added to the KEV catalog, or the agency enumerating the vulnerability on one of its own assets.

The fastest rows of the table carry an added requirement that is easy to miss in the headline. For every top-tier bug, agencies have to run a forensic triage to check whether the system was already compromised before the patch went in. That is a response procedure, not a checkbox, and it is the second piece of the regime change.
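To make the decision model and the clock-start rule concrete, here is a small worked example written for this article; it is not CISA's tooling and it does not reproduce the directive's Table 1. The signal-to-band mapping is an assumption that follows the description above (the top band only when all four signals are at their worst, a two-week window when exposure or automation is missing on a KEV entry that yields total control, and everything else treated as deferrable), the lower band's length is deliberately left open because the article gives none, the CVE id is a placeholder, and the dates are constructed. What it does show faithfully is the conservative exposure default (unknown counts as exposed), the clock starting at the earlier of KEV listing and agency enumeration, the triage flag riding only on the top band, and the clock relaxing when an asset is taken off the internet.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Band labels and clock lengths. Three days and two weeks come from the
# article; the lower band has no fixed length here because the article only
# says it extends the timeline further and allows formal deferral.
TOP, MIDDLE, LOWER = "top", "middle", "lower"
CLOCK_DAYS = {TOP: 3, MIDDLE: 14, LOWER: None}


@dataclass
class Finding:
    cve: str                    # placeholder id in the sample below
    exposed: Optional[bool]     # None = CDM has no public-exposure data
    on_kev: bool                # KEV status (KEV catalog / Vulnrichment)
    automatable: bool           # exploit automation (Vulnrichment)
    total_control: bool         # technical impact: total rather than partial
    kev_added: Optional[date] = None
    enumerated: Optional[date] = None


def effective_exposure(exposed: Optional[bool]) -> bool:
    """Directive default: unknown exposure is treated as publicly exposed."""
    return True if exposed is None else exposed


def band_for(f: Finding) -> str:
    """Assumed signal-to-band mapping; the directive's Table 1 is authoritative."""
    exposed = effective_exposure(f.exposed)
    if exposed and f.on_kev and f.automatable and f.total_control:
        return TOP
    if f.on_kev and f.total_control:
        # Exposure or automation missing on a KEV entry: two-week window (assumed).
        return MIDDLE
    return LOWER


def requires_forensic_triage(f: Finding) -> bool:
    """Only top-band fixes carry the forensic triage requirement."""
    return band_for(f) == TOP


def clock_start(f: Finding) -> Optional[date]:
    """Clock starts at the earlier of KEV listing and agency enumeration."""
    events = [d for d in (f.kev_added, f.enumerated) if d is not None]
    return min(events) if events else None


def deadline(f: Finding) -> Optional[date]:
    """Remediation due date, or None when the band has no fixed clock."""
    days = CLOCK_DAYS[band_for(f)]
    start = clock_start(f)
    if days is None or start is None:
        return None
    return start + timedelta(days=days)


if __name__ == "__main__":
    # Constructed sample: enumerated on an asset two days before it hit the KEV,
    # exposure unknown to CDM (so treated as exposed), wormable, total control.
    worst = Finding("CVE-YYYY-NNNNN", exposed=None, on_kev=True, automatable=True,
                    total_control=True, kev_added=date(2026, 6, 12),
                    enumerated=date(2026, 6, 10))
    print(band_for(worst), deadline(worst), requires_forensic_triage(worst))
    # Same bug after the asset is taken off the internet: the clock relaxes.
    offline = replace(worst, exposed=False)
    print(band_for(offline), deadline(offline), requires_forensic_triage(offline))
```

The point of `effective_exposure` is that an agency which cannot answer the exposure question does not get a slower clock for not knowing; the deadline in the sample is computed from the enumeration date, not the later KEV listing, because the directive takes the earlier of the two.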

The new federal patch regime, at a glance:

  • Shortest clock: highest-risk combinations, with mandatory forensic triage
  • Two weeks: lower-risk combinations where exposure or automation is missing
  • 60 days: agencies must update their vulnerability management processes
  • 180 days: agencies must operate under the new timelines

CISA’s press release for the directive frames the proof requirement as a response to a specific failure mode: “Applying a patch generally does not evict a threat actor.” The headline is the clock. The second-order story is the proof.

CISA is empowering federal civilian agencies to focus their efforts on the areas of highest risk and defer patching lower priority vulnerabilities. This Directive provides clear definitions, timelines, and criteria that enhances transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation.

That is Acting CISA Director Nick Andersen, in CISA’s announcement of BOD 26-04 on June 10.

The Quiet Carve-Out for Low-Risk Bugs

The Andersen quote is the second-order story in two halves. The first half is the acceleration: the top band for the worst bugs, the two-week window for the next tier, and the mandatory forensic triage. The second half is the explicit permission to defer, and CISA’s announcement frames it as a feature: the directive provides “transparency, predictability and agencies’ resource planning” to do less on the bugs that matter less. For agencies that have spent years treating every KEV entry as equally urgent, that carve-out is the consequential change.

The deferral is formal and citable, the kind of permission the previous rules did not allow. The new rules reward the deferral with a slower clock, and the directive’s graduated bands let security teams spend the budget on the bugs that justify the urgency, then stop spending it on the long tail. The regime is more aggressive at the top and more permissive at the bottom than anything CISA has issued before.

Forensic Triage, or Patch, Then Prove It Worked

The forensic triage requirement is the underreported part of BOD 26-04, and the implementation guidance gives it more weight than the press release did. The guidance lays out six steps, each with a target timeline measured in hours rather than weeks.

Step 1, scoping, runs in the first two hours after a CVE lands on the KEV catalog. Step 2, evidence preservation, runs in the first 24 hours. Step 3, critical patching, also runs in 24 hours, and step 4, containment, runs in 6 to 24 hours.

The reason for the new step is straightforward, and CISA’s own writeup states it plainly: “Applying a patch generally does not evict a threat actor.” A defender who patches a top-tier bug and walks away has not necessarily closed the breach. The triage is the part that determines whether someone was already inside.

Patching “may jeopardize the availability of artifacts,” the guidance warns, so evidence collection comes first, then the patch, then containment, then analysis. If the analysis confirms compromise, agencies report to CISA’s Incident Reporting System and pivot to a full incident response. If the analysis finds no evidence of compromise, agencies still implement heightened monitoring before completing the remediation.

The coordination runs across the response stack. Security, IT operations, system owners, and incident response have to move in the same hour, and the report that comes out of step 6 has to include the incident timeline, the actions taken, the technical findings, the containment work, and a recommendation on next steps. The forensic triage report is the document that determines whether a top-tier fix was a clean remediation or the start of a longer incident. The clock matters. The proof matters more.

What Falls Outside the Directive’s Reach

The directive applies to Federal Civilian Executive Branch (FCEB) agencies and the federal information systems they operate. It does not apply to “national security systems,” to certain systems operated by the Department of War, or to Intelligence Community systems. Those exclusions sit in 44 U.S.C. § 3553 and are not new to this directive.

Contractors are also outside the directive’s direct reach, but FCEB agencies have to review every contract for the modifications needed to comply, in consultation with the contracting officer. For federal information systems hosted in third-party environments, including FedRAMP-certified environments, the agency stays on the hook for inventory, status, and compliance. For FedRAMP-certified cloud offerings, agencies work through the FedRAMP PMO, and for non-FedRAMP clouds, agencies work directly with the cloud service provider, document any deviations, and push the directive’s requirements through the contract.

The scope question matters most for organizations that touch the federal government without being part of it. Hosting providers, managed service vendors, and the federal supply chain all sit outside the directive, even when their infrastructure carries federal traffic. The full BOD 26-04 directive text makes that clear in its scope section. The KEV catalog’s history is the precedent: it was created for federal agencies in 2021 and now shows up in audit frameworks, insurance questionnaires, and vendor risk reviews. BOD 26-04 is positioned to follow the same path, only faster.

Why the Private Sector Is Reading Carefully

The directive binds the federal civilian executive branch. It does not bind a private company. CISA itself says it “strongly encourages all partners to adopt similar actions in their vulnerability management policy.” That sentence has, in past directives, been a leading indicator.

The commercial pipeline that absorbs federal requirements is already in motion. Security vendors published BOD 26-04 alignment content the day the directive dropped. The KEV catalog, which started as a federal artifact in 2021, now lives inside the CVE feeds that vulnerability management tools consume. Adopting the BOD 26-04 model is, for most enterprises, a configuration change rather than an integration project.

The same four-signal logic that drives the federal clock shows up in commercial settings. Public exposure, KEV listing, exploit automation, and total control are not federal-only concepts, and the threat driver is shared: AI-compressed weaponization is not a federal phenomenon.

The recent history of the KEV catalog, including the four-day federal KEV clock on a LiteSpeed cPanel flaw, shows how quickly the new posture translates into commercial practice. The auditors, insurers, and boards that already use the KEV catalog as a benchmark will likely use the BOD 26-04 model the same way. The KEV catalog went from a federal artifact to a commercial standard in the years since its 2021 launch, and the four-signal model is positioned to follow the same path in a tighter window. The fastest band is the floor, not the ceiling.

Frequently Asked Questions

Who does CISA BOD 26-04 apply to?

BOD 26-04 applies to Federal Civilian Executive Branch (FCEB) agencies and the federal information systems they operate. It does not apply to national security systems, to certain systems operated by the Department of War, or to Intelligence Community systems. Contractors are outside the directive’s direct reach, but FCEB agencies must review their contracts to determine what modifications are needed to comply.

What are the four signals that decide the patch clock?

Asset Exposure, KEV Status, Exploit Automation, and Technical Impact. Asset Exposure asks whether the vulnerable asset is reachable from the public internet. KEV Status asks whether the bug is on CISA’s Known Exploited Vulnerabilities catalog. Exploit Automation asks whether an adversary can script every step of the attack. Technical Impact asks whether the exploit gives the attacker partial or total control of the asset.

How fast do federal agencies have to patch the worst bugs?

Three calendar days, plus a mandatory forensic triage. The implementation guidance describes the trigger as identifying a vulnerability that “meets the remediation threshold in fewer than three days and requires forensic triage to assess whether the systems or network infrastructure have been impacted or compromised.” The clock starts at the earlier of the CVE being added to the KEV catalog or the agency enumerating the vulnerability on one of its assets.

Does BOD 26-04 replace CVSS scores?

The new regime uses a four-signal risk model rather than CVSS-first prioritization. CVSS severity remains a useful input for vulnerability management, but the four signals drive the federal patch clock under the new directive.

What is the difference between BOD 22-01 and BOD 26-04?

BOD 22-01 built the KEV catalog and required federal agencies to remediate catalog entries on fixed deadlines. BOD 26-04 revokes BOD 22-01 and replaces it with a four-signal risk model, graduated timelines (three days, two weeks, and longer windows for lower-risk cases), and a mandatory forensic triage step for the highest-risk bugs.

Written By

Prior to the position, Ishan was senior vice president, strategy & development for Cumbernauld-media Company since April 2013. He joined the Company in 2004 and has served in several corporate development, business development and strategic planning roles for three chief executives. During that time, he helped transform the Company from a traditional U.S. media conglomerate into a global digital subscription service, unified by the journalism and brand of Cumbernauld-media.
