BOD 26-04: Prioritizing Security Updates Based on Risk | CISA
BOD 26-04: Prioritizing Security Updates Based on Risk
June 10, 2026
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 26-04: Prioritizing Security Updates Based on Risk.
A Binding Operational Directive is a compulsory direction to federal executive branch departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives to implement cybersecurity policies, principles, standards, and guidelines issued by the Director of the Office of Management and Budget (OMB). Federal agencies are required to comply with these directives under 44 U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of War or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.
Background
The United States faces persistent, increasingly sophisticated malicious cyber campaigns that threaten the public sector, private sector, and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise.
Cyber threat actors exploit unpatched vulnerabilities, and their use of AI may further narrow the time defenders have to react between patch release and possible exploitation. As a result, we must take immediate action to harden American networks and ensure our cybersecurity practices, including our policies for applying patches, address modern and increasingly sophisticated cyber threats. This approach focuses patching efforts on the areas of highest risk rather than treating all vulnerabilities and systems equally.
Known exploited vulnerabilities are a frequent attack vector for malicious cyber actors, including those backed by nation-states that aim to compromise U.S. critical infrastructure to steal sensitive information, disrupt operations, and undermine national security. These vulnerabilities pose significant risk to agencies and the federal enterprise.
In 2021, CISA established the Known Exploited Vulnerabilities catalog pursuant to BOD 22-01, which directed agencies to aggressively remediate known exploited vulnerabilities (KEVs), protect federal assets, and reduce cyber incidents. This Directive builds upon CISA’s KEV catalog and increases mission readiness across the federal government by efficiently prioritizing high-risk vulnerabilities for timely action, while deferring action against low-risk vulnerabilities. The urgency of vulnerability remediation (see Table 1: Remediation Timelines) is determined by the following variables:
Asset Exposure: Is the vulnerable asset publicly exposed?
KEV Status: Is the vulnerability, as identified by a common vulnerabilities and exposures identifier (CVE ID), on CISA’s Known Exploited Vulnerabilities Catalog?
Exploit Automation: Is an adversary able to automate all the steps necessary to exploit the vulnerability?
Technical Impact: Does an adversary gain partial control or total control of the vulnerable asset after exploitation of the vulnerability?
CISA publishes answers to KEV Status, Exploit Automation, and Technical Impact for every CVE ID through services such as the Vulnrichment Program. Agencies should follow CISA’s Internet Exposure Reduction Guidance to answer Asset Exposure and determine if the vulnerable asset is publicly exposed. Additionally, CISA developed Implementation Guidance: Prioritizing Security Updates Based on Risk to support agencies in implementing this Directive.
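The following is an added illustration, not part of the directive or of any CISA tooling, of how an agency might combine its own Asset Exposure answer with the CISA-published KEV status and Vulnrichment decision points to derive the four-variable key that selects a row of Table 1. The KEV excerpt, the Vulnrichment-style option layout, the CVE IDs and the asset inventory are all constructed for the example; the precedence used to order findings (exposure, then KEV, then automation, then impact) is this example's assumption, and Table 1 itself is not reproduced.

```python
from dataclasses import dataclass

# Constructed KEV catalog excerpt (placeholder CVE IDs, not real entries).
KEV_CATALOG = {"CVE-0000-0001"}

# Constructed Vulnrichment-style SSVC decision points per CVE. The "options"
# list layout is assumed from the public Vulnrichment format; values are made up.
VULNRICHMENT = {
    "CVE-0000-0001": [{"Automatable": "yes"}, {"Technical Impact": "total"}],
    "CVE-0000-0002": [{"Automatable": "no"}, {"Technical Impact": "partial"}],
    "CVE-0000-0003": [{"Automatable": "yes"}, {"Technical Impact": "partial"}],
}

# Constructed agency inventory; "exposed" is the agency's own Asset Exposure
# answer from its Internet Exposure Reduction review.
FINDINGS = [
    {"asset": "hr-db-02", "cve": "CVE-0000-0001", "exposed": False},
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "exposed": True},
    {"asset": "web-portal", "cve": "CVE-0000-0003", "exposed": True},
    {"asset": "build-box", "cve": "CVE-0000-0002", "exposed": False},
]


@dataclass(frozen=True, order=True)
class DecisionKey:
    """The four directive variables that select a row of Table 1."""
    exposed: bool        # Asset Exposure: is the asset publicly exposed?
    kev: bool            # KEV Status: is the CVE ID on the KEV catalog?
    automatable: bool    # Exploit Automation: all exploit steps automatable?
    total_control: bool  # Technical Impact: total (rather than partial) control?


def decision_key(finding, kev_catalog=KEV_CATALOG, vulnrichment=VULNRICHMENT):
    """Merge the agency's exposure data with CISA-published decision points."""
    cve = finding["cve"]
    ssvc = {k: v for opt in vulnrichment.get(cve, []) for k, v in opt.items()}
    return DecisionKey(
        exposed=bool(finding["exposed"]),
        kev=cve in kev_catalog,
        automatable=ssvc.get("Automatable", "").lower() == "yes",
        total_control=ssvc.get("Technical Impact", "").lower() == "total",
    )


def prioritize(findings=FINDINGS):
    """Return findings highest-risk first; each carries its Table 1 key.
    Variable precedence is this example's assumption, not the directive's."""
    keyed = sorted(((decision_key(f), f) for f in findings),
                   key=lambda kf: kf[0], reverse=True)
    return [dict(f, key=k) for k, f in keyed]
```

The returned `key` is what an agency would look up against its copy of Table 1 to obtain the remediation timeline.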
The requirements in this Directive align with Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource, which establishes policy for the management of...