Resources
en
12 June 2026 Retrospectives .
You like this content ?
Share it on the networks
Good news for security teams worn out by chasing every CVE: you can (almost) rest easy. Good news in cybersecurity is rare enough to be worth noting. On June 10, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) published BOD 26-04.
It makes official what many teams already suspected: patching everything is neither possible nor useful. The directive establishes risk-based vulnerability management. And along the way, it buries the CVSS score as a prioritization compass.
Reading · 7 min
KEY TAKEAWAYS
Doctrine shift: BOD 26-04 (06/10/2026) replaces BOD 22-01 and BOD 19-02. The CVSS score drops out of prioritization in favor of real risk.
Four variables set the deadline:asset exposure, KEV status, exploit automation, technical impact. From "3 days + forensic triage" to deferral until the next upgrade.
Only one variable is yours: the exposure of your assets. CISA supplies the other three; knowing your attack surface is on you. That's the heart of EASM.
Europe too: mandatory only for US federal civilian agencies, but converging with NIS2 / DORA and set to become a de facto standard.
For a CISO or a vulnerability management team, this is a relief that's both operational and political. Finally an official framework that says "focus your security updates where it matters." No more justifying why you didn't get to the thousands of "critical" CVEs this quarter. The goal is to protect your critical systems and exposed critical assets, not to empty a queue. Your security postureis now measured by your ability to prioritize, not by your volume of patches.
The Binding Operational Directive 26-04, "Prioritizing Security Updates Based on Risk", is a pragmatic answer to a situation that had become untenable. Vulnerabilities pile up, AI shortens the gap between disclosure and exploitation, and traditional patch management can't keep up. So CISA stops treating every CVE the same way. It focuses effort where the risk is real, and accepts deferring the rest.
The useful reminder: a vulnerability's CVSS score, on its own, says nothing about your exposure. A "critical" on a non-automatable internal asset is not a "critical" on an exposed server an attacker can compromise in minutes. BOD 26-04 writes that obvious truth into federal policy.
The directive revokes and replacesBOD 19-02 (2019, internet-facing systems) and BOD 22-01 (2021, the catalog of actively exploited flaws, Known Exploited Vulnerabilities / KEV). Where BOD 22-01 applied a single deadline to any CVE in the KEV, BOD 26-04 introduces a graduated model: KEV status is now just one of four variables that set the urgency.
Direct consequence: the CVSS score drops out of the prioritization calculation. The methodology now relies on the SSVC model (Stakeholder-Specific Vulnerability Categorization), a decision tree built around real risk rather than theoretical severity.
Each vulnerability is scored on four binary criteria. CISA publishes the answers to the last three for every CVE through its Vulnrichment program, which enriches each CVE record with these risk signals. One variable stays on you, and that's no accident.
EXPOSURE: Is the asset exposed? Reachable from outside via a routable IP. The only variable you have to determine yourself.
KEV: Exploited in the wild? Is the CVE in CISA's KEV catalog? It's proof of real, observed exploitation.
AUTOMATABLE: Can exploitation be automated? Can an attacker automate every step of the exploit? This gauges how weaponized it is.
TECHNICAL IMPACT: Total or partial control? Does exploitation grant total control of the system (down to credentials), or only limited control?
Assume the high case on 02, 03 and 04. With a public model, a decent pentester writes an exploit script in minutes, and wiring it into a full attack chain (privilege escalation, RCE, persistence, lateral movement, exfiltration) isn't much harder. In practice, treat "exploitable" and "automatable" as true by default. The variable that really makes the difference is the first one: your exposure.
The 16 possible combinations of the 4 variables fall into five remediation deadlines. Here's the logic:
The 5 remediation tiers of BOD 26-04
| Deadline | Trigger |
|---|---|
| 3 days + forensic | Vulnerability in the KEV granting total control. The most aggressive deadline a federal directive has ever imposed. Fixing isn't enough: you must also investigate and run a forensic analysis to check whether the system is already compromised. |
| 3 days | High-risk combinations, e.g. exposed asset + automatable exploit + total control, even if the CVE isn't in the KEV yet. |
| 14 days | Standard accelerated deadline for most KEV CVEs and several high-risk non-KEV combinations. |
| 60 days | Lower risk, e.g. non-exposed asset, automatable but partial control. |
| Next upgrade | No risk criterion met. Deferral tier: the flaw can wait for the next update cycle. |
Simplified version. CISA's official decision tree maps the 16 combinations of the 4 variables (exposure, KEV, automation, impact) onto these 5 tiers. Source: CISA, BOD 26-04.
Key point: the deadlines are dynamic. Pull a system off the internet and its deadline stretches; CISA adds the CVE to the KEV and it shortens immediately. Prioritization isn't a snapshot, it's continuous monitoring.
"Less, but better" in numbers. On a large federal agency analyzed by CISA, only 1% of vulnerability instances fall into the "3 days" bucket. Conversely, more than 60%are deferred to the next upgrade. The model is built to concentrate resources, not to drown them.
Two forces converge. First, traditional patching is losing ground. Per the Verizon 2026 DBIR cited by CISA:
26% of KEV CVEs fully remediated in 2025, down from 38% the year before.
43 d median time to fully resolve a vulnerability.
31% vulnerability exploitation, the leading initial access vector.
Then, AI. CISA openly acknowledges that it speeds up both the discovery and the weaponization of vulnerabilities, and compresses the gap between disclosure and exploitation. The directive even commits to reassessing its deadlines every year and tightening them if offensive capabilities advance. "3 days" isn't a destination. It's a starting point with a ratchet.
BOD 26-04 is likely the most pragmatic evolution in vulnerability management in recent years. However, it should not be viewed as a perfect solution. Several limitations should be kept in mind.
The KEV catalog remains reactive. A vulnerability may be exploited in the wild for several days before it is officially added to the CISA catalog. The KEV is an excellent prioritization signal, but it is not an early warning system.
The KEV primarily reflects the priorities of U.S. federal agencies. Certain business-critical technologies, industry-specific applications, or exposures unique to other environments may never appear in the catalog, even if they pose significant risk to your organization.
Three days can still be too long. For some Internet-facing vulnerabilities, the first exploitation attempts emerge within hours of a CVE's publication. In such cases, even the most aggressive remediation timeline defined by the directive may appear generous compared to the actual pace of attacks.
These limitations do not undermine the value of BOD 26-04. They simply serve as a reminder that no external prioritization framework can replace a thorough understanding of your attack surface and your organization's real-world exposure.
BOD 26-04 is only mandatory for US federal civilian agencies (Federal Civilian Executive Branch). But BOD 22-01's KEV catalog has become, in a few years, the most widely adopted prioritization signal in the world, well beyond the US government. This risk-based vulnerability managementmodel will likely follow the same path to de facto standard. Risk-based prioritization will become a market expectation.
More to the point, its logic converges with what NIS2 and DORAalready require in Europe: risk-based vulnerability management, continuous monitoring, and the ability to show that you treat what's genuinely exposed and exploited first. Aligning with this framework now is an advantage, not a constraint.
Putting this model to work means answering four questions, for every vulnerability, on every asset, continuously. Three answers come from threat intelligence (KEV, automation, impact). The fourth, exposure, is yours alone. And that's where most programs stall:
Inventory and mapping: do you really know your exposed assets — servers, applications, APIs, cloud services, AI agents, shadow IT?
External attack surface: do you know, at any given moment, what's reachable from the internet, including what you forgot you deployed?
Continuous monitoring: do you have a mechanism that detects when an asset just shifted from "internal" to "exposed" and adjusts its deadline accordingly?
This is the conviction we've held at Patrowl from the start, and already put into practice. External Attack Surface Management (EASM)continuously maps and monitors your real exposure, that variable 1 which is yours alone. Continuous Threat Exposure Management (CTEM) then correlates this exposure with exploitability and criticality signals, surfacing only what matters. Assessing this variable by hand, across thousands of assets and continuously, doesn't scale with analysts alone.
Let's be clear about what this changes, and what it doesn't. Risk-based prioritization patches nothing for you and fixes nothing on its own. It tells you where to look first, and how urgently. The job of an active verification layer is to produce the reliable, continuous exposure data the whole BOD 26-04 model depends on. Not to pretend it empties the queue.
A vulnerability rated critical on a monitored asset, and a clean illustration of the directive's logic:
Fortinet SSL-VPN — Pre-auth RCE (CVE-2023-27997)
Asset: VPN gateway exposed on the internet
✓Exposed — SSL-VPN portal, exposed by nature
✓Exploited — pre-auth RCE confirmed in the wild, bypasses MFA
✓Automatable — mass scanning of exposed interfaces, reproducible exploitation
✓Total impact — pre-auth RCE, CVSS 9.1 (rated by Patrowl)
On the BOD 26-04 matrix: patch within 3 days + forensic triage. The top tier.
The telling detail: this CVE dates from 2023. It isn't even a zero-day vulnerability, but a long-known flaw, exposed and actively exploited. That's the heart of the doctrine shift. An old, exposed, exploited asset comes before dozens of high-CVSS "criticals" that, without real exposure, put nothing at risk. Patrowl surfaced and qualified it because it falls under the one variable that's on you, exposure. And moved it to the front of the queue.
Without continuous attack surface mapping, this asset would have stayed a blind spot. You can't meet a 3-day deadline on a gateway you didn't know was exposed. That's what Patrowl's EASM closes. Once the asset is qualified, tracking it against an SLA puts the BOD 26-04 graduated-deadline logic into practice.
This model is only as good as the data feeding it. CISA's Vulnrichment program currently covers only a fraction of CVEs with SSVC data, around half according to third-party sources. For the rest, automation and technical impact are left for you or a vendor to assess. Poorly fed, risk-based prioritization mostly delivers a false sense of control. The framework is solid, but it doesn't excuse you from reliable, continuous exposure data.
Our current processes can't keep pace, and patching everything is no longer an option. BOD 26-04 marks a doctrine shift: patch less, but better. First what's exposed, exploited, and critical to your business. Risk-based prioritization is no longer a nice-to-have. It's a condition for resilience.
Frequently asked questions
Source: CISA, BOD 26-04: Prioritizing Security Updates Based on Risk (06/10/2026). Remediation data: Verizon 2026 DBIR. Field data: CISA analysis of one federal agency.
