Full Report
CISA issued BOD 26-04, which replaces BOD 22-01 with a four-variable vulnerability prioritization model requiring federal agencies to patch the most dangerous vulnerabilities in as few as three days.

## Key takeaways

- BOD 26-04 replaces BOD 22-01 with a four-variable risk model that assigns graduated remediation timelines, from as few as three days with mandatory forensic triage for the most dangerous vulnerabilities to full deferral for the lowest-risk ones, ending the era of flat, one-size-fits-all patching deadlines for federal agencies.
- The transition represents a significant operational lift at a time when AI is compressing the window between vulnerability disclosure and weaponization, and industry remediation rates are declining: only 26% of KEV vulnerabilities were fully remediated in 2025 according to the 2026 Verizon DBIR, down from 38% the prior year.
- Organizations that have invested in continuous asset discovery, risk-based prioritization, and exposure management are well positioned to operationalize the directive’s four-variable model. Those still relying on periodic scanning and CVSS-based prioritization face a significant gap between current capability and compliance requirements.

## Background on CISA BOD 26-04

On June 10, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04, “Prioritizing Security Updates Based on Risk.” BOD 26-04 represents a fundamental shift in how federal agencies are expected to manage vulnerabilities. Rather than treating every known exploited vulnerability (KEV) with the same remediation deadline, the new directive introduces a graduated model that accounts for asset exposure, exploitation evidence, adversary automation capability, and technical impact severity.
The result is a 16-cell remediation matrix (every combination of four binary variables) in which the most dangerous vulnerabilities must be patched within three days (with mandatory forensic triage), while lower-risk vulnerabilities can be deferred to the next system upgrade cycle.

Tenable applauds this directive, which replaces both BOD 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities, November 2021) and BOD 19-02 (Vulnerability Remediation Requirements for Internet-Accessible Systems, April 2019). It is directionally correct in Tenable’s view, and it represents a significant improvement upon its predecessors, as it consolidates seven years of federal vulnerability remediation policy into a single, risk-weighted framework. More importantly, it aligns with the risk-based, exposure-driven approach to vulnerability management that Tenable has championed as the originator of the exposure management paradigm. For years, Tenable’s Research Special Operations (RSO) team has maintained the position that defenders must move beyond volume-based patching toward intelligent prioritization grounded in real-world exploitation evidence, asset context, and threat actor intelligence. BOD 26-04 codifies that position as federal policy.

## Frequently asked questions about BOD 26-04

### What is BOD 26-04?

BOD 26-04 is a binding operational directive from CISA that requires all Federal Civilian Executive Branch (FCEB) agencies to prioritize vulnerability remediation based on a four-variable risk model. Unlike its predecessor BOD 22-01, which assigned flat remediation timelines to all vulnerabilities in the KEV catalog, BOD 26-04 evaluates each vulnerability against four criteria and assigns a remediation deadline based on the specific combination of risk factors present.

The directive is mandatory for federal agencies but not for the private sector. However, CISA explicitly encourages private sector adoption, and the track record of BOD 22-01 suggests the framework will become a de facto standard across industries.
BOD 22-01’s KEV catalog is already used by organizations worldwide as a prioritization signal, and BOD 26-04’s more sophisticated model will likely follow the same adoption curve.

### What are the four variables?

BOD 26-04 determines remediation urgency using four binary variables:

- **Publicly exposed:** Is the vulnerable asset reachable from outside the agency network via a routable IP address? This is the only variable agencies must determine themselves.
- **In the KEV:** Is the CVE listed in CISA’s Known Exploited Vulnerabilities catalog? This confirms real-world exploitation.
- **Automatable by adversary:** Can an attacker automate all the steps necessary to exploit the vulnerability? This assesses weaponization maturity.
- **Technical impact:** Does exploitation give attackers total control of the affected system or only partial control?

CISA publishes the answers to variables two, three, and four for every CVE through its Vulnrichment Program. Agencies must determine variable one (public exposure) using their own asset inventory and CISA’s Internet Exposure Reduction Guidance.

### What are the remediation timelines?

Table 1 in Appendix A of the directive maps all 16 possible combinations of the four binary variables to specific remediation deadlines across five tiers:

- **Three days with forensic triage:** Required when a vulnerability is in the KEV and yields total system control (regardless of whether the asset is publicly exposed or the exploit is automatable). This is the most aggressive vulnerability management timeline in federal directive history.
The forensic triage component requires agencies to assess whether their systems have already been compromised.
- **Three days (without forensic triage):** Required for certain high-risk combinations, such as a publicly exposed asset with an automatable vulnerability yielding total control, even if the CVE is not yet in the KEV.
- **14 days:** The standard accelerated timeline for most KEV-listed vulnerabilities and several high-risk non-KEV combinations.
- **60 days:** Applied to lower-risk combinations, such as non-exposed assets with automatable but partial-control vulnerabilities.
- **Fix on system upgrade:** Applied when no risk criteria are met. This is the deferral tier, and it represents a significant operational relief for agencies: vulnerabilities that meet none of the four criteria can wait for the next scheduled upgrade cycle.

Timelines are dynamic. If an agency removes a system from public internet exposure, the applicable timeline shifts to a longer window. Conversely, if CISA adds a vulnerability to the KEV catalog, the remediation timeline accelerates immediately.

In an initial analysis at one large civilian agency, CISA found that only 1% of vulnerability instances fell into the three-day category, while over 60% qualified for deferral to the next system upgrade. The model is designed to focus resources, not overwhelm them.

### What changed from BOD 22-01?

BOD 26-04 revokes and replaces BOD 22-01 entirely. The key differences are substantial.

BOD 22-01 applied a flat remediation timeline to every vulnerability in the KEV catalog (14 days for CVEs assigned after 2021, six months for older CVEs). BOD 26-04 replaces this with a graduated model where KEV status is one of four variables, not the sole determinant of urgency.
A KEV vulnerability on an internal system with partial control and no automation capability now receives 14 days, while the same KEV on a publicly exposed system with full automation and total control receives just three days with mandatory forensic triage.

BOD 22-01 had no deferral mechanism. Every KEV required action. BOD 26-04 introduces the “fix on system upgrade” tier for vulnerabilities that meet none of the four risk criteria, allowing agencies to focus on the ones that matter most rather than chasing every vulnerability with equal urgency.

BOD 22-01 had no forensic triage requirement. BOD 26-04 introduces mandatory forensic analysis for the highest-risk tier, recognizing that when a vulnerability is actively exploited and yields total system control, patching alone is insufficient: organizations need to determine whether they’ve been compromised.

The underlying methodology also shifts. BOD 22-01 relied primarily on the KEV catalog and CVSS scoring. BOD 26-04 is informed by CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) system, which provides a more nuanced, risk-informed vulnerability analysis methodology.

### Why did CISA issue BOD 26-04 now?

Two converging factors drove the directive. The first is the deteriorating effectiveness of traditional vulnerability management. Citing the 2026 Verizon Data Breach Investigations Report, CISA’s blog post accompanying the directive notes that only 26% of KEV-listed vulnerabilities were fully remediated by organizations in 2025, a decline from 38% the previous year. Meanwhile, the median time to fully resolve vulnerabilities rose to 43 days. In an environment where exploitation can occur within hours of disclosure, the remediation gap is widening.

The second factor is artificial intelligence. CISA explicitly states that AI is accelerating both vulnerability discovery and weaponization, narrowing the window of time that exists between vulnerability disclosure and exploitation.
The directive aligns with priorities in the recent AI Executive Order, Promoting Advanced Artificial Intelligence Innovation and Security. As AI-enabled tools make it easier for adversaries to identify, weaponize, and deploy exploits at scale, the traditional “patch everything eventually” approach becomes untenable. Defenders need a framework that tells them what to patch first, and BOD 26-04 provides the framework enabling them to prioritize on an accelerated timeframe.

This is a challenge Tenable’s Research Special Operations (RSO) team has been tracking closely. The intersection of an AI-enabled threat landscape with already-declining remediation effectiveness creates a compounding problem: adversaries are getting faster while defenders fall farther behind. BOD 26-04 is a necessary policy response to this environment.

### I don’t work for a federal agency. How does BOD 26-04 affect my organization?

While BOD 26-04 is mandatory only for FCEB agencies, its influence extends well beyond the federal government. BOD 22-01’s KEV catalog became the most widely adopted vulnerability prioritization signal in the industry, used by private sector organizations, state and local governments, critical infrastructure operators, and international allies. BOD 26-04’s four-variable model will likely follow the same trajectory.

Organizations should evaluate the directive’s framework as a model for their own exposure management programs. The four variables (asset exposure, exploitation evidence, automation potential, and technical impact) represent a defensible, data-driven approach to prioritization that any organization can adopt. For organizations in regulated industries, federal supply chains, or critical infrastructure sectors, aligning with BOD 26-04’s framework before it becomes an industry expectation is a strategic advantage.

### What will this transition require from agencies and organizations?

This directive represents a significant operational lift.
BOD 22-01 was conceptually simple: if a CVE is in the KEV, patch it within the specified window. BOD 26-04 requires agencies to operationalize a four-variable decision model, which means they need answers to four questions for every vulnerability on every asset in their environment, and they need those answers continuously.

The compliance deadlines are aggressive. Agencies must immediately update their vulnerability management policies. Within 60 days (approximately August 2026), they must update their processes for remediating common vulnerabilities per the new tiered model. Within 180 days (approximately December 2026), they must meet the full remediation timelines defined in Table 1. CISA will also publish machine-level asset tagging data requirements within 60 days.

The most demanding new requirement is the combination of continuous asset exposure identification (variable one) with dynamic timeline tracking. An asset that moves from internal to publicly exposed shifts its remediation deadline immediately. An agency that cannot maintain real-time visibility into which assets are internet-facing cannot comply with the directive’s graduated and dynamic timelines.

This is where the right technology platform makes the difference. Organizations that have invested in continuous asset discovery, risk-based vulnerability prioritization, and exposure management capabilities are positioned to operationalize BOD 26-04 efficiently. Those still relying on periodic scanning and CVSS-based prioritization face a significant gap between their current capabilities and what the directive demands.

### How does BOD 26-04 relate to the AI threat landscape?

BOD 26-04 arrives at a critical moment. Artificial intelligence is accelerating adversaries’ workflows at every stage: vulnerability discovery, exploit development, target selection, and operational execution.
CISA acknowledges this directly, citing AI-driven vulnerability discovery as a motivating factor for the directive.

The implications are sobering. The 2026 Verizon DBIR data shows defenders already falling behind even at the current pace of vulnerability exploitation. As AI compresses the time from vulnerability disclosure to weaponization, the 43-day median remediation time becomes not just inadequate but dangerous. Agencies and organizations implementing BOD 26-04 will be doing so against a backdrop of accelerating threat velocity.

The operational reality is that manually evaluating four variables across thousands of vulnerabilities on thousands of assets, on a continuous basis, does not scale with human analysts alone. The organizations best positioned to meet BOD 26-04’s accelerated timelines will be those whose platforms can ingest Vulnrichment data, correlate it against asset exposure in real time, and surface the vulnerabilities that require three-day action versus those that can wait for the next upgrade cycle. The parallel challenge is real: organizations must simultaneously transition to a new compliance framework and adapt to a threat landscape that is evolving faster than their current processes can handle. The organizations best positioned to succeed are those with platforms that already operationalize risk-based prioritization, continuous asset discovery, and AI-assisted decision-making.

### What should organizations do now?

Organizations should take three immediate steps:

1. **Audit your current vulnerability management posture against the four-variable model.** Can you identify which assets are publicly exposed? Do your tools integrate KEV status into prioritization decisions? Can you assess exploit automation potential and technical impact for the vulnerabilities in your environment? If you can answer these questions today, you are well positioned for BOD 26-04.
If you cannot, the 60-day process update deadline creates urgency.
2. **Prepare for the BOD 22-01 to BOD 26-04 transition.** If your organization has built compliance workflows around BOD 22-01, those workflows reference a revoked directive. Begin updating policies, dashboards, and reporting to reflect the four-variable model. The immediate policy update requirement means this work should start now, not at the 60-day mark.
3. **Assess your forensic triage readiness.** For the highest-risk tier (KEV + total control), BOD 26-04 requires agencies to conduct forensic triage alongside remediation within three days. This means organizations need the ability to identify not just what is vulnerable, but what may already be compromised. Evaluate whether your current tooling provides the threat attribution and detection context needed to support forensic triage.

Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about the Tenable One Exposure Management Platform.

## Learn more

- CISA BOD 26-04: Prioritizing Security Updates Based on Risk
- June 2026 AI Executive Order: What federal agencies need to know and how Tenable can help
- CISA: Patch Smarter, Not Harder
- CISA Known Exploited Vulnerabilities Catalog
- Verizon 2026 Data Breach Investigations Report
Analysis Summary
# Regulation/Compliance: CISA BOD 26-04
## Overview
Binding Operational Directive (BOD) 26-04, “Prioritizing Security Updates Based on Risk,” establishes a new, graduated framework for vulnerability remediation. It replaces the previous one-size-fits-all 14-day deadline with a risk matrix that maps all 16 combinations of four binary variables to five remediation tiers. The directive aims to address the narrowing window between vulnerability disclosure and weaponization, driven largely by AI, by forcing agencies to focus on the most critical exposures.
## Key Details
- **Issuing Authority:** Cybersecurity and Infrastructure Security Agency (CISA)
- **Effective Date:** June 10, 2026
- **Jurisdiction:** Federal Civilian Executive Branch (FCEB) agencies
- **Status:** Final / In Effect (replaces BOD 22-01 and BOD 19-02)
## Requirements
### Mandatory Requirements
1. **Four-Variable Risk Assessment:** Agencies must evaluate every vulnerability against:
- **Public Exposure:** Is the asset reachable via a routable IP? (Agency determined).
- **KEV Status:** Is it in the Known Exploited Vulnerabilities catalog? (CISA provided).
- **Automation:** Can an attacker automate the exploitation? (CISA provided).
- **Technical Impact:** Does it yield total or partial system control? (CISA provided).
2. **Tiered Remediation:** Adhere to remediation timelines ranging from 3 days to "fix on system upgrade."
3. **Forensic Triage:** Conduct mandatory forensic analysis for the highest-tier vulnerabilities (KEV + Total Control) within 3 days to check for existing compromise.
4. **Dynamic Tracking:** Immediate acceleration of remediation timelines if CISA adds a vulnerability to the KEV or if an asset is moved to a public-facing network.
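The four variables and tier rules above are, in effect, a decision function over 16 input combinations that has to be re-run whenever an input changes. The Python below is an added example written for this summary, not code from CISA, Tenable or the directive. It encodes only the Table 1 cells the report states: KEV plus total control (three days with forensic triage, whatever the other two variables), the exposed/automatable/total-control non-KEV cell (three days), the internal/automatable/partial-control non-KEV cell (60 days), and the all-false deferral cell. The four KEV cells with partial control are assumed to be 14 days, generalizing the report's one worked example (internal, not automatable, partial control); the five non-KEV cells the report never describes are returned as an explicit "consult Table 1" marker rather than a guessed deadline. `Finding`, the tier constants, the CVE identifiers and the asset names are all constructed for the example.

```python
"""Tier assignment under the BOD 26-04 four-variable model (added example)."""
from collections import defaultdict
from dataclasses import dataclass, replace

# Remediation tiers, ordered from most to least urgent.
THREE_DAYS_TRIAGE = "3 days + forensic triage"
THREE_DAYS = "3 days"
FOURTEEN_DAYS = "14 days"
SIXTY_DAYS = "60 days"
FIX_ON_UPGRADE = "fix on system upgrade"
# Marker for Table 1 cells the report does not spell out: look them up, do not guess.
UNSPECIFIED = "consult Table 1, Appendix A"
URGENCY_ORDER = [THREE_DAYS_TRIAGE, THREE_DAYS, FOURTEEN_DAYS,
                 SIXTY_DAYS, FIX_ON_UPGRADE, UNSPECIFIED]


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset, with the four binary variables."""
    cve: str
    asset: str
    publicly_exposed: bool  # variable 1: agency-determined from the asset inventory
    in_kev: bool            # variable 2: CISA KEV catalog
    automatable: bool       # variable 3: CISA Vulnrichment
    total_control: bool     # variable 4: CISA Vulnrichment


def remediation_tier(f: Finding) -> str:
    """Map a finding to its remediation tier using the rules stated in the report."""
    # Highest tier: in the KEV and yields total control, regardless of the other two.
    if f.in_kev and f.total_control:
        return THREE_DAYS_TRIAGE
    # Not (yet) in the KEV, but exposed, automatable and total control: 3 days, no triage.
    if f.publicly_exposed and f.automatable and f.total_control:
        return THREE_DAYS
    # Remaining KEV cells are partial control. The report gives the weakest one
    # (internal, not automatable) as 14 days; the other three are assumed equal here.
    if f.in_kev:
        return FOURTEEN_DAYS
    # Internal asset, automatable, partial control, not in the KEV: 60 days.
    if not f.publicly_exposed and f.automatable and not f.total_control:
        return SIXTY_DAYS
    # None of the four criteria met: deferral tier.
    if not (f.publicly_exposed or f.automatable or f.total_control):
        return FIX_ON_UPGRADE
    # The five non-KEV cells the report does not describe.
    return UNSPECIFIED


def requires_forensic_triage(f: Finding) -> bool:
    """Only the top tier carries the mandatory compromise assessment."""
    return remediation_tier(f) == THREE_DAYS_TRIAGE


def add_to_kev(f: Finding) -> Finding:
    """CISA adds the CVE to the KEV: re-evaluate, the timeline can only accelerate."""
    return replace(f, in_kev=True)


def remove_public_exposure(f: Finding) -> Finding:
    """The agency takes the asset off the internet: re-evaluate against variable 1."""
    return replace(f, publicly_exposed=False)


def prioritize(findings):
    """Bucket findings by tier, most urgent first, dropping empty tiers."""
    buckets = defaultdict(list)
    for f in findings:
        buckets[remediation_tier(f)].append(f)
    return [(tier, buckets[tier]) for tier in URGENCY_ORDER if buckets[tier]]


if __name__ == "__main__":
    # Constructed inventory: placeholder CVE ids and asset names, not real data.
    inventory = [
        Finding("CVE-0000-00001", "vpn-gw-01", True, True, True, True),
        Finding("CVE-0000-00002", "hr-db-03", False, True, False, False),
        Finding("CVE-0000-00003", "web-edge-07", True, False, True, True),
        Finding("CVE-0000-00004", "build-agent-12", False, False, True, False),
        Finding("CVE-0000-00005", "print-srv-02", False, False, False, False),
    ]
    for tier, items in prioritize(inventory):
        print(f"{tier}:")
        for f in items:
            flag = "  [forensic triage]" if requires_forensic_triage(f) else ""
            print(f"  {f.cve} on {f.asset}{flag}")
    # Dynamic timelines: the edge host's CVE enters the KEV, so it moves up a tier.
    before = inventory[2]
    after = add_to_kev(before)
    print(f"{before.cve}: {remediation_tier(before)} -> {remediation_tier(after)}")
```

The design point is the `UNSPECIFIED` return: a prioritization pipeline that silently fills unknown cells of Table 1 with a default deadline will either over-commit scarce patching capacity or, worse, defer something the directive wants fixed in 14 days. Surfacing the gap forces the lookup against the directive itself, and the same function is what a scheduler re-runs on each KEV catalog update or asset inventory change to honor the dynamic timelines.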
### Recommended Practices
1. **Private Sector Adoption:** CISA encourages non-federal organizations to adopt the four-variable model as a de facto standard for exposure management.
2. **Continuous Asset Discovery:** Investing in tools that provide real-time visibility into internet-facing exposure to meet dynamic compliance windows.
## Affected Organizations
- **Industries:** Federal Civilian Executive Branch (FCEB); indirectly affects federal supply chains and critical infrastructure.
- **Organization Size:** All FCEB agencies regardless of size.
- **Geographic Scope:** United States federal government.
## Compliance Timeline
- **June 10, 2026:** Directive issued; immediate update of vulnerability management policies required.
- **August 2026 (approx.):** Deadline (60 days) to update processes for remediating vulnerabilities per the tiered model; CISA's machine-level asset tagging data requirements are also due by then.
- **December 2026 (approx.):** Full compliance (180 days) required for all remediation timelines defined in the directive.
## Implementation Guidance
### Assessment Phase
- Identify all assets and determine which are "publicly exposed" versus internal.
- Audit current vulnerability management workflows to see if they can digest CISA's "Vulnrichment" data.
### Implementation Phase
- Integrate CISA’s Vulnrichment feeds (Automation and Technical Impact variables) into security dashboards.
- Update internal Service Level Agreements (SLAs) to reflect the 3-day, 14-day, and 60-day windows.
### Validation Phase
- Execute forensic triage protocols for vulnerabilities in the highest-risk tier (KEV + total control); in CISA's initial analysis at one large civilian agency, about 1% of vulnerability instances fell into the three-day category.
- Monitor CISA machine-level asset tagging requirements (to be published by August 2026).
## Technical Requirements
- **Automated Prioritization:** Ability to correlate internal asset context (exposure) with external threat intelligence (KEV, automation potential).
- **Forensic Capability:** Tooling required to conduct "triage" (compromise assessment) within the 72-hour window for critical CVEs.
## Penalties & Enforcement
- **Fines:** Not applicable to federal agencies in a traditional sense.
- **Other Consequences:** Reputational risk, loss of authorization to operate (ATO), and potential intervention by CISA under its directive authority.
- **Enforcement:** CISA monitors agency compliance through the Continuous Diagnostics and Mitigation (CDM) program and federal dashboards.
## Related Standards
- **BOD 22-01 & BOD 19-02:** Both are revoked and replaced by BOD 26-04.
- **SSVC (Stakeholder-Specific Vulnerability Categorization):** The underlying methodology for BOD 26-04.
- **AI Executive Order (June 2026):** Aligns with federal mandates to secure AI-accelerated threat landscapes.
## Resources
- **Official Documentation:** [cisa[.]gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk]
- **Guidance Documents:** CISA Internet Exposure Reduction Guidance.
- **Catalog:** CISA Known Exploited Vulnerabilities (KEV) Catalog.
## Practical Recommendations
- **Automate Variable 1:** Use Attack Surface Management (ASM) tools to determine "Public Exposure" automatically; manual spreadsheets cannot keep up with a 3-day deadline.
- **Shift Policy Now:** Move away from CVSS-only scoring, as BOD 26-04 can grant deferrals ("Fix on Upgrade") for high-CVSS items that lack real-world risk factors.