CISA tells govt agencies to patch critical exploited flaws in 3 days

By Bill Toulas

June 11, 2026

08:46 AM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced a new Binding Operational Directive, 26-04, that prioritizes security updates for Federal Civilian Executive Branch (FCEB) agencies.

The directive aims to reduce the threat of cyberattacks targeting the public sector by requiring agencies to remediate high-risk vulnerabilities within accelerated timeframes, in some cases as little as three days.

CISA says that BOD 26-04 "supersedes and revokes" the older BOD 19-02 and BOD 22-01, introduced in 2019 and 2021, respectively.

The agency says that prioritizing patching is based on four key considerations:

Whether the asset is publicly exposed online

Presence of the vulnerability in CISA's Known Exploited Vulnerabilities (KEV) catalog

Whether exploitation can be automated for large-scale attacks

Whether exploitation gives attackers partial or total control of a system

Depending on these factors, agencies get deadlines for addressing security vulnerabilities, the shortest period being three days.

For less urgent situations where automated exploitation is not possible or when it only provides partial control, the timeframe is set to two weeks.

[Figure: Vulnerability remediation timelines. Source: CISA]

Scope and implementation

The directive applies specifically to U.S. Federal Civilian Executive Branch (FCEB) agencies and the information systems they operate.

This includes government agencies and departments, but does not apply to certain military systems operated by the U.S. Department of War, private companies, Intelligence Community systems, and contractors.

Like previous directives, the framework is expected to influence the wider cybersecurity industry and provide a broader patching priority signal.

The directive applies to all on-premises federal systems, third-party hosted systems, and FedRAMP/non-FedRAMP cloud environments.

Right now, agencies bound to the BOD 26-04 directive should update their vulnerability management policies accordingly, update their asset inventories, and automate KEV status reporting.

Vulnerability management processes should be updated within 60 days to use CVE and KEV data as the basis for remediation decisions.

Within 180 days, all agencies will be required to follow the new remediation timelines and continuously monitor and report detailed asset metadata.
