CISA issued Binding Operational Directive 26-04, “Prioritizing Security Updates Based on Risk,” on June 10, with implementation guidance following on June 11. It revokes both BOD 19-02 (2019) and BOD 22-01 — the 2021 directive that created the KEV catalog’s remediation deadlines. The flat “it’s in KEV, patch within the due date” model is gone. In its place: risk-computed deadlines as short as three calendar days, with mandatory compromise assessment bolted on.
How the new model works
Every vulnerability on a federal civilian (FCEB) system gets scored on four binary criteria:
- Asset exposure — is the vulnerable asset reachable from the internet?
- KEV status — is the CVE in CISA’s Known Exploited Vulnerabilities catalog?
- Exploit automation — can exploitation be fully automated?
- Technical impact — does exploitation yield total control of the asset, or partial?
The answers map to four remediation bands: three calendar days for the worst combinations, then 14 days, then 60 days, and, for the lowest tier, deferral to the next scheduled major upgrade.
The three-day band carries a second requirement that matters more than the deadline: agencies must perform forensic triage of the affected asset — scope the exposure, collect evidence, contain, and analyze to determine whether the system was already compromised before escalating to incident response. Patching alone no longer closes the ticket. For internet-facing KEV flaws with automated exploitation, federal policy now assumes you were potentially popped before you patched.
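As an added illustration of the four-factor model (not code from CISA, the directive, or the implementation guidance), the following Python scores constructed findings on the four binary criteria, assigns a band, derives a calendar-day due date, and flags the three-day band for forensic triage. The exact matrix that maps criteria to bands is an assumption for this example; only the top rule follows the text above (internet-facing, in KEV, and automatable lands in the three-day band). CVE ids and asset names are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset, scored on the four binary criteria."""
    cve: str
    asset: str
    internet_facing: bool   # asset exposure: reachable from the internet?
    in_kev: bool            # listed in CISA's KEV catalog?
    automatable: bool       # can exploitation be fully automated?
    total_control: bool     # technical impact: total control (True) or partial (False)


def remediation_band(f: Finding) -> Optional[int]:
    """Calendar days allowed, or None for 'defer to the next scheduled major upgrade'.

    ASSUMED mapping for illustration; the directive's published matrix is not
    reproduced here. Only the first rule is taken from the article's text.
    """
    hits = sum((f.internet_facing, f.in_kev, f.automatable, f.total_control))
    if f.internet_facing and f.in_kev and f.automatable:
        return 3      # worst combinations: the three-day band
    if hits >= 3 or (f.internet_facing and f.in_kev):
        return 14
    if hits >= 1:
        return 60
    return None       # lowest tier: defer to next major upgrade


def forensic_triage_required(f: Finding) -> bool:
    """The three-day band also requires a compromise assessment before the ticket closes."""
    return remediation_band(f) == 3


def due_date(catalog_added: date, band: Optional[int]) -> Optional[date]:
    """Deadlines are counted in calendar days, so weekends are not skipped."""
    if band is None:
        return None
    return catalog_added + timedelta(days=band)


def build_plan(findings: List[Finding], catalog_added: date) -> List[dict]:
    """Order the work by urgency: shortest band first, deferred items last."""
    rows = []
    for f in findings:
        band = remediation_band(f)
        rows.append({
            "cve": f.cve,
            "asset": f.asset,
            "band_days": band,
            "due": due_date(catalog_added, band),
            "triage_required": forensic_triage_required(f),
        })
    return sorted(rows, key=lambda r: (r["band_days"] is None, r["band_days"] or 0))


# Constructed sample inventory; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-edge-01", True, True, True, True),
    Finding("CVE-0000-0002", "mgmt-console", True, True, False, True),
    Finding("CVE-0000-0003", "intranet-wiki", False, False, True, False),
    Finding("CVE-0000-0004", "lab-printer", False, False, False, False),
]

# Constructed date: a Friday KEV addition, so the three-day deadline lands on Monday.
FRIDAY = date(2026, 6, 12)

if __name__ == "__main__":
    for row in build_plan(SAMPLE, FRIDAY):
        print(row)
```

The exposure bit has to come from the asset inventory, not the scanner: if `internet_facing` is unknown, the model cannot place the finding in any band, which is the practical reason the action list below starts with tagging external attack surface.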
Rollout deadlines: agencies must update vulnerability management policies immediately, update remediation processes within 60 days, and fully meet the new timelines within 180 days.
Why CISA did this
The flat KEV deadlines were calibrated for a slower era. CISA’s own framing cites the collapse of exploitation timelines — mass exploitation now routinely begins within hours of disclosure (and per Black Kite’s 2026 data, an average of seven days before public disclosure), driven partly by AI-assisted exploit development. A 14-day SLA on an internet-facing edge device with a wormable, automatable exploit is functionally a decision to get owned. The four-factor model concentrates the urgency where the actual risk is — which, judging by this year’s KEV additions (PAN-OS, Cisco SD-WAN, Ivanti EPMM, FortiClient EMS), means edge and management-plane gear lands in the three-day band constantly.
Who’s affected
Directly: FCEB agencies only. Practically: almost everyone. KEV due dates became the de facto private-sector patching SLA — they’re embedded in scanner dashboards, MSSP contracts, cyber insurance questionnaires, and board reporting. Vendors like Tenable are already shipping BOD 26-04 FAQ content. Expect the four-factor model to propagate into FedRAMP expectations, federal contract flow-downs, and “industry standard practice” arguments within the year. If your patch policy says “KEV = 15 days,” it is now slower than the federal baseline for the highest-risk class.
What to do now
- Get exposure data into your vuln management pipeline. The model is unusable if you can’t answer “is this asset internet-facing?” per CVE. Tag external attack surface in your inventory now.
- Build the three-day path before you need it. That means pre-approved emergency change windows for edge devices, VPNs, and management planes — the asset classes that hit all four criteria most often.
- Add compromise assessment to patch runbooks. For internet-facing KEV patches, check for webshells, rogue admin accounts, and config drift before closing the ticket. Patch-and-pray is now formally insufficient.
- Note the units: calendar days, not business days. A Friday KEV addition means a Monday deadline.
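The compromise-assessment step in the runbook item above (webshells, rogue admin accounts, config drift) can be expressed as a checklist over evidence collected from the patched asset. The following Python is an added example, not part of the directive or the guidance: it compares constructed evidence against a known-good baseline and reports whether the ticket can close or must escalate to incident response. The evidence records, the approved-admin set, the golden config and the webshell heuristic (server-side script files modified after the last known-good time) are all assumptions for illustration.

```python
import hashlib
import os
from datetime import datetime
from typing import Dict, List, Set

# Server-side script extensions that should not appear unexpectedly in a web root.
# Crude heuristic for illustration only, not a complete webshell detector.
SCRIPT_EXTS = {".php", ".jsp", ".jspx", ".asp", ".aspx"}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def new_webroot_scripts(listing: List[Dict], since: datetime) -> List[str]:
    """Server-side script files under the web root modified after `since`."""
    hits = []
    for entry in listing:
        ext = os.path.splitext(entry["path"])[1].lower()
        if ext in SCRIPT_EXTS and entry["mtime"] > since:
            hits.append(entry["path"])
    return sorted(hits)


def rogue_admins(current: Set[str], approved: Set[str]) -> Set[str]:
    """Admin accounts present on the asset but absent from the approved set."""
    return current - approved


def config_drifted(running_config: str, golden_sha256: str) -> bool:
    """True when the running config no longer matches the golden config hash."""
    return sha256_hex(running_config) != golden_sha256


def assess(evidence: Dict, approved_admins: Set[str], golden_sha256: str) -> Dict:
    """Run the three checks; any finding means escalate before closing the patch ticket."""
    findings = []
    scripts = new_webroot_scripts(evidence["webroot"], evidence["last_known_good"])
    if scripts:
        findings.append(("webroot", scripts))
    rogues = rogue_admins(set(evidence["admins"]), approved_admins)
    if rogues:
        findings.append(("rogue_admin", sorted(rogues)))
    if config_drifted(evidence["running_config"], golden_sha256):
        findings.append(("config_drift", ["running config hash != golden hash"]))
    return {"findings": findings, "escalate": bool(findings)}


# Constructed baseline from the change record (not from any real device).
GOLDEN_CONFIG = "hostname vpn-edge-01\nmgmt-access ssh-only\n"
GOLDEN_SHA = sha256_hex(GOLDEN_CONFIG)
APPROVED_ADMINS = {"admin", "netops-svc"}
LAST_KNOWN_GOOD = datetime(2026, 6, 1)

# Constructed evidence from a host that shows all three indicators.
EVIDENCE = {
    "last_known_good": LAST_KNOWN_GOOD,
    "webroot": [
        {"path": "/var/www/html/index.html", "mtime": datetime(2026, 5, 20)},
        {"path": "/var/www/html/uploads/cache.php", "mtime": datetime(2026, 6, 11, 3, 14)},
        {"path": "/var/www/html/css/site.css", "mtime": datetime(2026, 6, 9)},
    ],
    "admins": ["admin", "netops-svc", "support2"],
    "running_config": GOLDEN_CONFIG + "admin-user support2\n",
}

# Constructed evidence from a host that is clean on all three checks.
CLEAN_EVIDENCE = {
    "last_known_good": LAST_KNOWN_GOOD,
    "webroot": [{"path": "/var/www/html/index.html", "mtime": datetime(2026, 5, 20)}],
    "admins": ["admin", "netops-svc"],
    "running_config": GOLDEN_CONFIG,
}

if __name__ == "__main__":
    for label, ev in (("vpn-edge-01", EVIDENCE), ("clean-host", CLEAN_EVIDENCE)):
        print(label, assess(ev, APPROVED_ADMINS, GOLDEN_SHA))
```

The point of the baseline inputs is that they must exist before the emergency change: a golden config hash and an approved-admin list captured during a three-day window are worthless if the asset was already modified by the time they were taken.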
Full directive text and the implementation guidance are on CISA’s site: BOD 26-04 and implementation guidance. Additional coverage: CyberScoop, Dark Reading.