The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 26-04, establishing a new risk-based framework for how U.S. federal agencies prioritize vulnerability remediation.
The directive supersedes earlier mandates, including BOD 19-02 and BOD 22-01, and introduces a more targeted model for focusing remediation efforts on vulnerabilities that are most likely to be exploited and cause significant harm.
More importantly, BOD 26-04 reflects a broader shift in cybersecurity: moving beyond severity-based vulnerability management toward contextual exposure reduction.
Key Changes
BOD 26-04 introduces a more granular risk-based framework for vulnerability remediation based on four primary factors:
- Whether the affected asset is publicly exposed
- Whether the vulnerability is listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog
- Whether exploitation can be automated by attackers
- The level of technical impact an attacker would gain if exploitation succeeds, including partial or total control of a system
CISA noted that threat actors increasingly exploit unpatched vulnerabilities and that advances in artificial intelligence may further compress the time between vulnerability disclosure and exploitation, reducing the time available for defenders to respond.
Agency Requirements
Federal agencies must immediately review and update vulnerability management policies, automate reporting of KEV-related vulnerabilities through the Continuous Diagnostics and Mitigation (CDM) program where possible, and continue participating in CISA’s Cyber Hygiene scanning services.
Within:
- 60 days, agencies must update vulnerability management processes to align with the directive.
- 180 days, agencies must implement the new remediation timelines, continuously identify internet-accessible assets, and improve asset tagging and reporting capabilities.
Remediation Prioritization
The directive introduces dynamic remediation timelines based on risk. Vulnerabilities affecting publicly exposed systems, vulnerabilities already known to be exploited, and vulnerabilities whose exploitation attackers can automate receive the highest priority and the shortest remediation deadlines.
For the most critical cases, agencies may be required to complete remediation or mitigation actions within three days, accompanied by forensic triage to determine whether compromise has already occurred. Lower-risk vulnerabilities may be deferred until scheduled system upgrades or maintenance windows.
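To make the four factors and the dynamic timelines concrete, here is an added example of how a vulnerability management team might encode that prioritization logic; it is illustrative code written for this article, not tooling from CISA, the directive, or any vendor. It assumes a constructed KEV feed excerpt whose field names mirror CISA's public JSON feed (the CVE IDs, products and dates are placeholders), an asset inventory that already carries exposure, automation and impact tags, and illustrative tier deadlines: only the three-day window for the most critical cases comes from the directive as described above; the 14- and 30-day windows are assumptions for the example.

```python
"""Risk-based remediation triage over the four BOD 26-04 factors (added example)."""
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the
# public feed; the entries, CVE IDs and dates are placeholders, not real catalog rows.
KEV_FEED_JSON = """{
  "catalogVersion": "example",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "BuildServer",
     "dateAdded": "2026-01-12", "dueDate": "2026-02-02", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Illustrative tier deadlines. Only the three-day P1 window comes from the
# directive as described in the article; the P2/P3 windows are assumptions.
TIER_DAYS = {"P1": 3, "P2": 14, "P3": 30}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    asset: str
    internet_exposed: bool     # factor 1: reachable from the internet
    automatable: bool          # factor 3: exploitation can be scripted at scale
    impact: str                # factor 4: "total", "partial" or "limited" control


def load_kev(feed_json: str) -> dict[str, date]:
    """Map KEV cveID -> catalog dueDate (factor 2: known exploited)."""
    feed = json.loads(feed_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in feed["vulnerabilities"]}


def assign_tier(f: Finding, kev: dict[str, date]) -> str:
    """Decision tree over the four factors; exposure and KEV status dominate."""
    in_kev = f.cve_id in kev
    if f.internet_exposed and in_kev:
        return "P1"                       # exposed and already exploited in the wild
    if f.internet_exposed and (f.automatable or f.impact == "total"):
        return "P2"                       # exposed, and wormable or full compromise
    if in_kev or (f.automatable and f.impact == "total"):
        return "P3"                       # internal, but exploited or trivially weaponised
    return "P4"                           # defer to the next maintenance window


def triage(f: Finding, kev: dict[str, date], today: date) -> dict:
    """Turn a finding into a tier, a deadline and a forensic-triage flag."""
    tier = assign_tier(f, kev)
    deadline: Optional[date] = None
    if tier in TIER_DAYS:
        deadline = today + timedelta(days=TIER_DAYS[tier])
        # Assumed policy: never let the local deadline slip past the catalog's due date.
        if f.cve_id in kev:
            deadline = min(deadline, kev[f.cve_id])
    return {
        "asset": f.asset,
        "cve": f.cve_id,
        "tier": tier,
        "deadline": deadline.isoformat() if deadline else "next maintenance window",
        # P1 also triggers forensic triage: assume compromise until disproven.
        "forensic_triage": tier == "P1",
    }


def triage_report(findings, feed_json: str, today: date) -> list[dict]:
    """Correlate findings with the KEV feed and order them by urgency."""
    kev = load_kev(feed_json)
    return sorted((triage(f, kev, today) for f in findings), key=lambda r: r["tier"])


# Constructed findings for a demo run (hostnames are placeholders).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-01.example", True, True, "total"),
    Finding("CVE-0000-0002", "build-07.example", False, False, "total"),
    Finding("CVE-0000-0003", "wiki.example", True, False, "total"),
    Finding("CVE-0000-0004", "hr-db-02.example", False, False, "limited"),
]


def demo_report() -> list[dict]:
    """Run the triage over the constructed sample as of a fixed date."""
    return triage_report(SAMPLE_FINDINGS, KEV_FEED_JSON, date(2026, 1, 20))


if __name__ == "__main__":
    for row in demo_report():
        print(row)
```

The point of the decision tree is that the same CVE lands in different tiers depending on where it sits: the KEV-listed flaw on the internet-facing VPN gateway gets three days and a forensic check, while the same class of flaw on an internal build server inherits the catalog's own due date instead. Swap the constructed feed for the live KEV JSON and the hard-coded findings for scanner output, and the structure stays the same.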
The message is clear: remediation urgency should be driven by actual risk, exploitability, exposure, and attacker impact, rather than severity scores alone.
Cloud and Third-Party Environments
The directive applies to federal information systems regardless of hosting location, including cloud and third-party environments. Agencies remain responsible for ensuring compliance by cloud service providers, including those operating in FedRAMP-authorized environments.
Why This Matters
For years, vulnerability management programs have relied heavily on severity scores such as CVSS to prioritize remediation efforts. However, security teams today face a different reality: rapidly growing vulnerability backlogs, increasing attack surface complexity, limited remediation resources, and attackers capable of exploiting vulnerabilities within days or even hours of disclosure.
BOD 26-04 acknowledges what many security leaders already know: severity alone is not enough. Exposure, exploitability, attacker automation, and operational impact must all be considered when determining what to fix first.
As advances in AI continue to reduce the time between vulnerability discovery and exploitation, organizations can no longer rely solely on static severity-based prioritization models.
From Legacy Vulnerability Management to Agentic Exposure Management
While the directive focuses on vulnerability remediation, its underlying principles closely align with the broader industry shift toward exposure management. Rather than focusing exclusively on identifying vulnerabilities, security teams increasingly need to answer questions such as:
- Which vulnerabilities are reachable by attackers?
- Which assets are internet-facing?
- Which vulnerabilities are actively being exploited?
- Which systems support critical business processes?
- Which remediation actions will reduce the most risk?
- Which teams own the affected assets and can take action?
Organizations that can answer these questions quickly will be better positioned to reduce exposure before attackers can exploit it.
Is Your Organization Ready?
Security leaders should consider:
✓ Can we continuously identify internet-facing assets?
✓ Can we automatically correlate vulnerabilities with KEV status and threat intelligence?
✓ Can we determine ownership of affected systems?
✓ Can we prioritize based on business impact and exploitability, not just CVSS?
✓ Can we mobilize remediation within hours rather than weeks?
✓ Can we demonstrate measurable exposure reduction to leadership?
If the answer to any of these questions is uncertain, it may be time to reassess your vulnerability management operating model.
Assessing Readiness for the New Risk-Based Model
While BOD 26-04 applies directly to U.S. federal agencies, its principles are likely to influence cybersecurity best practices across both public and private sectors.
Organizations interested in evaluating their readiness can request a CISA 26-04 Readiness Assessment from Tonic Security.
The assessment reviews how your current vulnerability management program aligns with the directive’s risk-based prioritization model, including visibility, prioritization, ownership, remediation workflows, and reporting capabilities.