The Death of CVSS As Federal Policy
BOD 26-04 Kills the CVSS Compliance Theater and Replaces It with Actual Risk Management
CISA issued Binding Operational Directive 26-04 on June 10, 2026, and it’s one of the more consequential vulnerability management policies the federal government has published in a long time. I say that as someone who has spent a large portion of his career in the U.S. public sector (e.g. Federal and DOW).
I say this not because it invented anything new, but because it finally codified what practitioners have been arguing for years.
Prioritize remediation based on risk, not generic severity scores. Prioritize based on exploitation, exposure, and impact, not arbitrary CVSS thresholds. Stop pretending every critical vulnerability demands the same urgency.
The directive is titled “Prioritizing Security Updates Based on Risk,” and the name tells you everything about the shift. For the first time, U.S. Federal agencies are required to use Stakeholder-Specific Vulnerability Categorization (SSVC) rather than CVSS base scores to drive remediation timelines. It revokes both BOD 19-02 and BOD 22-01, replacing flat-deadline patch mandates with a risk-tiered framework built on four factors that actually matter.
I’ve been writing about this exact approach for years, including in my book Effective Vulnerability Management, and across dozens of Resilient Cyber articles. Seeing it formalized in a binding directive is a significant milestone. But formalization and execution are different things, and the gap between what BOD 26-04 demands and what agencies can actually deliver today is what I want to dive into and walk through.
What BOD 26-04 Actually Requires
The directive applies to all Federal Civilian Executive Branch agencies and the systems they operate, including third-party hosted and cloud environments. CISA acting director Nick Andersen signed it, and CISA’s Chris Butera and Jonathan Spring co-authored the accompanying blog post under the tagline “Patch Smarter, Not Harder.”
The core mechanism is a four-factor risk assessment that determines remediation timelines. Every vulnerability gets evaluated against four criteria.
Is the vulnerable asset publicly exposed?
Is the vulnerability listed in the KEV catalog?
Can exploitation be fully automated?
Does exploitation give attackers partial or total control of the system?
(Image credit - VulnCheck’s Blog)
The answers to those four questions determine whether you patch in 3 days, 14 days, 60 days, or defer to the next system upgrade. The highest-risk vulnerabilities, those that are publicly exposed, in the KEV catalog, automatable, and deliver total control, must be remediated within 72 hours.
Those same vulnerabilities also require forensic triage before patching to determine whether the system has already been compromised. That forensic assessment requirement is entirely new and reflects a hard-won operational reality, and likely comes as a result of incidents some agencies have already experienced.
Patching a system an attacker already controls doesn’t evict them.
At the other end of the spectrum, vulnerabilities that aren’t publicly exposed, aren’t in the KEV, can’t be automated, and only deliver partial impact can be deferred until the next scheduled system upgrade. CISA’s own analysis of one large federal agency found that only 1% of vulnerabilities fell into the 3-day window, while over 60% could be deferred.
That ratio alone tells you how much wasted effort the old approach generated, and it isn’t an outlier. As I have written about many times, true exploitation rates are a fraction of the overall CVEs published in a given year.
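To make the four-factor mechanism concrete, here is an added Python example (mine, not CISA’s or the directive’s text) that triages a constructed batch of findings with the four questions above, flags the 72-hour items for forensic triage, and contrasts the resulting queue with a CVSS-sorted one. The Finding fields, tier labels and placeholder CVE ids are assumptions, and the mapping of mixed answers onto the 14- and 60-day tiers is deliberately not reproduced.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # base score, kept only to contrast with the four factors
    public_exposed: bool   # 1: asset reachable from outside the network
    in_kev: bool           # 2: listed in CISA's KEV catalog
    automatable: bool      # 3: exploitation can be fully automated
    total_control: bool    # 4: exploitation yields total, not partial, control

def bod_tier(f: Finding) -> str:
    # The article fixes only the ends of the scale: all four true is the 72-hour
    # window, all four false is 'defer'. Mixed answers land in the directive's 14-
    # or 60-day tiers, whose exact mapping is not reproduced here.
    factors = (f.public_exposed, f.in_kev, f.automatable, f.total_control)
    if all(factors):
        return "3-day"
    if not any(factors):
        return "defer"
    return "intermediate"

def needs_forensic_triage(f: Finding) -> bool:
    # 72-hour findings are checked for prior compromise before patching.
    return bod_tier(f) == "3-day"

TIER_ORDER = {"3-day": 0, "intermediate": 1, "defer": 2}

def bod_order(findings):
    # Risk-tiered queue: tier first, CVSS only as a tie-breaker within a tier.
    return sorted(findings, key=lambda f: (TIER_ORDER[bod_tier(f)], -f.cvss))

def cvss_order(findings):
    # Legacy queue: highest base score first, blind to exposure and exploitation.
    return sorted(findings, key=lambda f: -f.cvss)

def tier_distribution(findings):
    # Share of findings per tier (CISA's agency sample: about 1% 3-day, >60% defer).
    counts = {t: 0 for t in TIER_ORDER}
    for f in findings:
        counts[bod_tier(f)] += 1
    return {t: n / len(findings) for t, n in counts.items()}

# Constructed sample; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 10.0, False, False, False, False),  # CVSS 10, no exposure
    Finding("CVE-EXAMPLE-0002", 7.5, True, True, True, True),       # exposed, KEV, total
    Finding("CVE-EXAMPLE-0003", 9.8, True, True, True, False),      # partial control only
    Finding("CVE-EXAMPLE-0004", 5.3, False, True, False, True),     # KEV but internal
]
```

Run `bod_order(SAMPLE)` against `cvss_order(SAMPLE)`: the CVSS-10 finding that tops the legacy queue lands last under the four factors, and the CVSS-7.5 finding that is exposed, in KEV, automatable and gives total control moves to the front with a forensic-triage flag.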
Agencies must update vulnerability management policies immediately, achieve compliance with all remediation timelines within 180 days, and continuously identify and tag all agency-owned assets reachable from outside the network.
Asset tagging requirements include organization, operating environment, exposure status, asset type, and all associated IP addresses. Agencies without full CDM automation must submit vulnerability data to CISA every seven days in machine-readable format.
While I understand this requirement, it is also a very cumbersome activity, and based on my experience in the Federal space, by the time the data gets ingested and reviewed it is likely stale and warrants a new export anyway.
The Death of CVSS as Federal Policy
This directive formally kills CVSS as the driving prioritization mechanism for federal vulnerability management (beyond KEV), and that alone makes it historic.
For years, federal policy, PCI DSS, and countless enterprise vulnerability management programs treated CVSS base scores as the primary input for remediation timelines. Critical and High severity vulnerabilities got 7-to-30-day deadlines, Medium got 60-90 days, and Low got deprioritized or ignored.
The problem is that CVSS measures theoretical severity in a vacuum; it doesn’t account for whether the vulnerability is actually exploited, whether the asset is exposed, or whether exploitation is automatable at scale.
This is a point I have made for years in various articles on here, CSO Online, my own book and in public talks.
As I covered in A Look at the Exploit Prediction Scoring System (EPSS), research from ACM demonstrated that:
Using CVSS severity alone to measure risk is equivalent to picking random vulnerabilities to fix.
Organizations can only remediate 5-20% of vulnerabilities per month, with a median around 15.5%. When you’re burning that limited remediation capacity on vulnerabilities that will never be exploited, you’re not managing risk, you’re performing compliance theater, another topic I have railed against.
BOD 26-04 replaces that theater with SSVC, the decision-tree model developed by CISA and Carnegie Mellon’s CERT/CC. I wrote about CISA’s own articulation of this framework back in 2022 in CISA’s Take on Vulnerability Prioritization, when Eric Goldstein published “Transforming the Vulnerability Management Landscape.”
That publication outlined three pillars for change: machine-readable advisories through CSAF, exploitability communication through VEX, and prioritization through SSVC and KEV. BOD 26-04 operationalizes that third pillar, and what’s insane is that it took four years to get from concept to mandate.
The Data That Forced the Shift
The Verizon 2026 DBIR found that only 26% of KEV catalog vulnerabilities were fully remediated by organizations in 2025, down from 38% the prior year. Median time for full resolution rose to 43 days. These aren’t obscure vulnerabilities buried in legacy systems. These are confirmed actively exploited vulnerabilities that CISA explicitly told organizations to fix, and remediation rates are getting worse, not better. The 2026 DBIR also showed that exploitation of software vulnerabilities is now the dominant initial access vector.
The problem isn’t that organizations don’t care about patching. It’s that they’re drowning in volume and treating every vulnerability with the same urgency, which means nothing gets the urgency it actually deserves.
I covered this dynamic extensively in Vulnerability Velocity and the Exploitation Enigma, where Mandiant’s M-Trends data confirmed vulnerability exploitation as the number one initial infection vector and year-over-year CVE growth was running at 30%.
The fundamental math doesn’t work when you try to patch everything at the same speed.
The Vulnpocalypse Makes Prioritization Existential
BOD 26-04 arrives in the middle of what I’ve been calling the Vulnpocalypse, the structural asymmetry between AI-accelerated vulnerability discovery and organizations’ capacity to remediate.
FIRST projects approximately 59,000 CVEs in 2026, with realistic upside approaching 100,000. Jerry Gamblin’s tracking data shows 27,758 vulnerabilities published by June 1, 2026 alone, a 39% increase over the same period in 2025.
AI hasn’t just accelerated discovery, it has industrialized it. Anthropic’s Claude Mythos discovered over 10,000 high and critical vulnerabilities across open-source software, including 271 zero-days in Firefox and a 27-year-old bug in OpenBSD. Researchers can now develop working exploits in 15 minutes using AI for a few dollars.
The window between vulnerability disclosure and weaponization has compressed from months to hours, and the volume of what gets disclosed is growing at a rate that makes blanket remediation physically impossible. This is captured perfectly in the Zero Day Clock, which I have often shared.
CISA explicitly acknowledges this in the directive. The AI threat is cited as a motivating factor, reflecting priorities from the recent AI Executive Order. That EO established constructs like the Treasury/CISA vulnerability clearinghouse and NSA frontier model benchmarking that are supposed to create infrastructure for managing AI-accelerated vulnerability discovery.
None of those constructs are operational yet, which means BOD 26-04 is the only concrete federal policy response to the Vulnpocalypse currently in effect. If you’re unfamiliar with the AI Executive Order, I did a breakdown below:
When you’re facing 59,000-plus CVEs per year and fewer than 5% will ever be exploited, risk-based prioritization isn’t a best practice, it’s the only viable strategy. Research found that 95-98% of all AppSec alerts can be safely deprioritized when context-based prioritization is applied, and only 2% truly pose risk and require action. CISA’s own finding that 60% of vulnerabilities at a large agency can be deferred to the next upgrade cycle aligns perfectly with this data.
Beyond the Federal Perimeter
BOD 26-04 technically binds only federal civilian agencies, but its impact will extend well beyond the public sector. CISA explicitly encourages state and local governments, critical infrastructure operators, and private sector organizations to adopt the same approach, and the procurement pipeline ensures it will spread.
Wiley Rein’s legal analysis flagged that government contractors should expect these requirements to flow down through Statements of Work and future contracts. Cloud Service Providers should plan for adoption in anticipation of FedRAMP updates.
This matters because the private sector faces the same structural problem. Average enterprise vulnerability backlogs exceed 100,000 findings and can run into the hundreds of thousands or even millions in large enterprise environments.
Remediation capacity runs at 5-20% per month. As I documented in The Evolution of AppSec, the average application faces 81 confirmed viable attacks per month on top of 10,000-plus probes, gains 17 new vulnerabilities per month, and fixes roughly 6. That gap only widens under CVSS-driven remediation timelines that don’t distinguish between theoretical severity and actual risk.
The evolution of vulnerability management toward Continuous Threat Exposure Management (CTEM) has been underway for several years and BOD 26-04 gives that evolution a federal stamp of approval. The directive’s requirement for continuous asset discovery, exposure-based tagging, and threat-informed prioritization maps directly to the CTEM framework. Organizations that have already adopted EPSS, KEV integration, reachability analysis, and business-context scoring are ahead of this curve. Organizations still running monthly scans and sorting by CVSS are now behind federal policy, not just best practice.
The Infrastructure Gap
The directive’s biggest vulnerability is the infrastructure it depends on. CISA’s Vulnrichment program provides SSVC decisions for only 45.8% of CVEs.
That means agencies must manually assess automatability and technical impact for more than half of all vulnerabilities. VulnCheck’s Patrick Garrity highlighted this gap immediately, noting that VulnCheck provides 90% SSVC coverage through automated generation. The fact that a private vendor covers twice as many CVEs as the government program the directive relies on tells you something about the execution challenge.
The NVD’s ongoing struggles compound the problem. As I’ve covered repeatedly, the NVD moved roughly 29,000 backlogged CVEs to “Not Scheduled” status, effectively reclassifying the backlog rather than solving it. If agencies can’t get enriched vulnerability data from the national database, the prioritization methodology BOD 26-04 requires becomes significantly harder to operationalize.
Then there’s the EPSS question. Despite being one of the most validated tools for exploitation probability assessment, EPSS is not explicitly mandated in the directive. The four-factor SSVC model captures exploitation status (via KEV) and automatability, but it doesn’t incorporate the probabilistic forward-looking assessment that EPSS provides.
An organization using KEV plus EPSS plus reachability analysis plus business context is making better prioritization decisions than the directive’s minimum requirements would produce. That’s not a criticism of the directive so much as an observation that policy rarely leads practice.
Kevin Greene raised another gap. The SSVC model tells you how bad a single CVE’s blast radius is on its component, but it doesn’t account for whether that component sits on a path to a privilege plane. A CVE with a CVSS score of 10 that can’t reach the privilege plane is operationally ineffective. A CVE with a moderate score that chains into lateral movement and persistence can be devastating. The directive doesn’t address that downstream privilege debt.
In an era of AI-driven exploitation this is a key point. As research from the UK’s AISI has shown, frontier models are getting good at chaining vulnerabilities and moving laterally, not just exploiting vulnerabilities in isolation.
What This Actually Means
BOD 26-04 is the right policy at the right time, even if the execution infrastructure isn’t fully built yet. The 72-hour patch window for the highest-risk vulnerabilities is aggressive. Some have rightly said they remain skeptical that the three-day deadline is an achievable patch cadence today, but it is a positive step, even if it is aspirational at best currently.
The directive’s real value isn’t the specific timelines, it’s the formal burial of CVSS-driven patch mandates and the institutionalization of risk-based prioritization as federal policy.
For practitioners who have been arguing for years that organizations should prioritize based on exploitation evidence, asset exposure, reachability, and business context rather than arbitrary severity scores, this directive validates the approach.
For vendors who have built products around KEV integration, EPSS scoring, reachability analysis, and exposure management, this creates a compliance driver that didn’t exist before. For CISOs trying to justify investment in modern vulnerability prioritization tooling, this is the policy backstop they needed.
Despite much of this being a positive direction and signal to the broader industry, it remains to be seen whether the ecosystem, from NVD enrichment to SSVC coverage to agency operational maturity, can execute at the speed the directive demands.
When 98% of vulnerabilities are noise, the organizations that can identify and act on the remaining 2% fastest will define what effective vulnerability management looks like in the age of the Vulnpocalypse. BOD 26-04 just told the U.S. Federal government to start acting like it.