
Binding Operational Directives

BOD 26-04: Prioritizing Security Updates Based on Risk

June 10, 2026

Related topics:

Cybersecurity Best Practices

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 26-04: Prioritizing Security Updates Based on Risk.

A Binding Operational Directive is a compulsory direction to federal, executive branch, departments, and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives to implement cybersecurity policies, principles, standards, and guidelines issued by the Director of the Office of Management and Budget (OMB). Federal agencies are required to comply with these directives under 44 U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of War or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.

Background

The United States faces persistent, increasingly sophisticated malicious cyber campaigns that threaten the public sector, private sector, and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise.

Cyber threat actors exploit unpatched vulnerabilities, and their use of AI may further narrow the time defenders have to react between patch release and possible exploitation. As a result, we must take immediate action to harden American networks and ensure our cybersecurity practices, including our policies for applying patches, address modern and increasingly sophisticated cyber threats. This approach focuses patching efforts on the areas of highest risk rather than treating all vulnerabilities and systems equally.

Known exploited vulnerabilities are a frequent attack vector for malicious cyber actors, including those backed by nation-states that aim to compromise U.S. critical infrastructure to steal sensitive information, disrupt operations, and undermine national security. These vulnerabilities pose significant risk to agencies and the federal enterprise.

In 2021, CISA established the Known Exploited Vulnerabilities (KEV) catalog pursuant to BOD 22-01, which directed agencies to aggressively remediate known exploited vulnerabilities, protect federal assets, and reduce cyber incidents. This Directive builds on CISA’s KEV catalog and increases mission readiness across the federal government by prioritizing high-risk vulnerabilities for timely action while deferring action against low-risk vulnerabilities. The urgency of vulnerability remediation (see Table 1: Remediation Timelines) is determined by the following variables:

  1. Asset Exposure: Is the vulnerable asset publicly exposed?
  2. KEV Status: Is the vulnerability, as identified by a common vulnerabilities and exposures identifier (CVE ID), on CISA’s Known Exploited Vulnerabilities Catalog?
  3. Exploit Automation: Is an adversary able to automate all the steps necessary to exploit the vulnerability?
  4. Technical Impact: Does an adversary gain partial control or total control of the vulnerable asset after exploitation of the vulnerability?

CISA publishes answers to KEV Status, Exploit Automation, and Technical Impact for every CVE ID through services such as the Vulnrichment Program. Agencies should follow CISA’s Internet Exposure Reduction Guidance to answer Asset Exposure and determine if the vulnerable asset is publicly exposed. Additionally, CISA developed Implementation Guidance: Prioritizing Security Updates Based on Risk to support agencies in implementing this Directive.

The requirements in this Directive align with Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource, [1] which establishes policy for the management of federal information resources. It emphasizes robust vulnerability management practices, continuous monitoring requirements, and coordination with CISA pursuant to the Federal Information Security Modernization Act (FISMA) of 2014. [2] This Directive also advances priorities for securing federal government networks set forth in Executive Order (EO) Promoting Advanced Artificial Intelligence Innovation and Security [3] and the Cyber Strategy for America. The actions outlined in this Directive are critical first steps to more aggressively fortify federal assets and mitigate the risk of cyber incidents. This Directive supersedes and hereby revokes BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems (April 29, 2019), and BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (Nov. 3, 2021). This Directive consolidates and clarifies vulnerability remediation guidelines for federal agencies addressing cybersecurity vulnerabilities.

Definitions for the purposes of this Directive:

  • Asset: Hardware or software items that make up an information system. [4]
  • Publicly exposed: Any agency-owned or agency-managed IT resource accessible to unauthenticated or untrusted entities via public networks, such as the internet, regardless of its physical or logical location.
  • Partial control: [5] One of the following is true: the exploit gives the threat actor limited control over, or information exposure about, the behavior of the software that contains the vulnerability; or the exploit gives the threat actor a low stochastic opportunity for total control. In this context, “low” means that the threat actor cannot reasonably make enough attempts to overcome obstacles, either physical or security-based, to achieve total control. A denial-of-service attack is a form of limited control over the behavior of the vulnerable component.
  • Total control: [6] The exploit gives the adversary total control over the behavior of the software, including if the exploit reliably reveals log-in credentials.

Scope

This Directive applies to agency assets in any “federal information system,” defined in Circular A-130 as an information system—used or operated by an agency or by another entity on behalf of an agency—that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information. Unless directed by the governing procurement contract, this Directive does not apply to contractors, but FCEB agencies must review all contracts to determine what modifications are necessary to comply with the required actions of this Directive, in consultation with the Contracting Officer.

For federal information systems hosted in third-party environments, including Federal Risk and Authorization Management Program (FedRAMP) certified environments, each agency is responsible for maintaining an inventory of those systems, obtaining status updates pertaining to this Directive, and ensuring compliance with its requirements through collaborative continuous monitoring.

For FedRAMP certified cloud service offerings, agencies must work through the FedRAMP PMO to ensure compliance with this Directive. For cloud offerings that are not FedRAMP certified, agencies must work directly with their Cloud Service Providers (CSPs) to ensure that the supporting CSP infrastructure follows the same requirements of this Directive and that all deviations are properly documented and communicated to the customer agency.

All other provisions specified in this Directive remain applicable.

Required Actions

Phase I – Effective immediately, agencies shall:

  1. Review and, as appropriate, update agency vulnerability management policies in accordance with this Directive and revise procedures as necessary to implement those updated policies. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, agency policies must:

    a. Establish a process for ongoing remediation of vulnerabilities that CISA identifies, through inclusion in the KEV catalog, as carrying significant risk to the federal enterprise within a time frame set by CISA pursuant to this Directive.
    b. Assign roles and responsibilities for executing agency actions as required by this Directive.
    c. Define necessary actions required to enable prompt response to requirements of this Directive.
    d. Establish internal validation and enforcement procedures to ensure adherence with this Directive.
    e. Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as requested.

  2. Monitor KEV catalog updates and aggressively mitigate vulnerabilities in accordance with the KEV remediation timelines.

  3. Automate reporting on the status of vulnerabilities listed in the KEV catalog via automated reporting through the Continuous Diagnostics and Mitigation (CDM) Dashboard.

  4. Agencies that have not fully automated their vulnerability reporting through the CDM Program must manually report their status on a bi-weekly basis.

  5. Continue Cyber Hygiene scanning.

  6. Remove Cyber Hygiene source IP addresses from blocklists.

  7. Once per quarter, or upon a request from CISA, update/attest your agency’s publicly exposed IP addresses and agency-owned domain names via the Cyber Hygiene scope change process. This attestation shall include any changes to the IP addresses, domain names, and a list noting all asset additions and/or removals made from the previous quarter.

  8. Upon request from CISA, submit updated Cyber Hygiene acceptance letters through designated channels.

Phase II – Within 60 days of issuance:

  1. Update agency vulnerability management processes and procedures to support ongoing vulnerability remediation based on the vulnerabilities identified in the CVE database (or a service that provides the same data) and the KEV catalog. As required by Required Action 1, agencies will provide a copy of their updated vulnerability management policies and procedures if requested by CISA.

Phase III – Within 180 days of issuance:

  1. Remediate each vulnerability as quickly as possible and no later than the timelines set forth in Table 1: Remediation Timelines.

  2. Continuously identify and tag all agency-owned assets that can be reached from outside the agency network using a routable IP address.

  3. Agencies that have not fully automated their vulnerability reporting through the CDM Program must regularly report this information to CISA every seven days using a CISA-approved, machine-readable format and following CISA reporting instructions.

  4. Tags must include the following information:

    a. Organization and sub-organization (agency/sub-agency)
    b. Environment (prod/dev)
    c. Exposure (public/internal)
    d. Asset type (server, application, or network device)

  5. Agencies shall ensure that all assets reported in the CDM Federal Dashboard—including workstations, servers, mobile devices, cloud assets, printers, and other networked assets—include all associated IP addresses, including RFC 1918 (IPv4) or RFC 4193 (IPv6) private IP addresses.
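Phase III items 2, 4 and 5 together describe the asset record an agency will feed to the CDM dashboard: the four tags, plus every associated address, with RFC 1918 and RFC 4193 private addresses retained rather than filtered out. The following is an added example, not CISA's schema (CISA Action 6 says the data schema is still to be published) and not any agency's tooling; the field names, allowed tag values and record layout are assumptions drawn from the text above, and the sample asset is constructed.

```python
"""Build one asset record carrying the BOD 26-04 Phase III tags and all addresses.

Added example; the record layout and tag field names are assumptions, not CISA's
published schema. The sample asset at the bottom is constructed.
"""
from __future__ import annotations

import ipaddress
from typing import Any

# Allowed tag values taken from Phase III item 4. An empty set means free text
# (organization/sub-organization) that only has to be non-empty.
REQUIRED_TAGS: dict[str, set[str]] = {
    "organization": set(),
    "environment": {"prod", "dev"},
    "exposure": {"public", "internal"},
    "asset_type": {"server", "application", "network device"},
}

# Private ranges named in Phase III item 5: RFC 1918 (IPv4) and RFC 4193 (IPv6).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")


def address_class(addr: str) -> str:
    """Label an address so private ones are visibly kept in the report."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip.version == 6 and ip in RFC4193:
        return "rfc4193-private"
    return "other"


def validate_tags(tags: dict[str, str]) -> list[str]:
    """Return the list of problems; an empty list means item 4 is satisfied."""
    problems: list[str] = []
    for name, allowed in REQUIRED_TAGS.items():
        value = tags.get(name, "").strip()
        if not value:
            problems.append(f"missing tag: {name}")
        elif allowed and value not in allowed:
            problems.append(f"tag {name}={value!r} not in {sorted(allowed)}")
    return problems


def build_asset_record(asset_id: str, tags: dict[str, str], addresses: list[str]) -> dict[str, Any]:
    """Assemble the record; rejects incomplete tags and address-less assets."""
    problems = validate_tags(tags)
    if not addresses:
        problems.append("asset has no IP addresses")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "asset_id": asset_id,
        "tags": {name: tags[name].strip() for name in REQUIRED_TAGS},
        # Every address is kept, private or not, as item 5 requires.
        "addresses": [{"ip": a, "class": address_class(a)} for a in addresses],
    }


# Constructed sample: a public web server that also has a private IPv4 and a ULA IPv6.
SAMPLE_ASSET = build_asset_record(
    "web-01",
    {"organization": "AGENCY/SUBAGENCY", "environment": "prod",
     "exposure": "public", "asset_type": "server"},
    ["203.0.113.10", "10.20.30.40", "fd12:3456::1"],
)
```

The explicit RFC 1918 and RFC 4193 prefixes are used instead of `ipaddress.is_private`, which also matches loopback, link-local and documentation ranges that the Directive does not single out.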

CISA Actions:

  1. Maintain the KEV catalog at cisa.gov/known-exploited-vulnerabilities-catalog and alert agencies of updates for awareness and action. Update the catalog as quickly as possible and ensure it can publish updates at a pace that matches the rate at which CISA identifies new KEVs.
  2. Maintain the conditions for including vulnerabilities in the KEV catalog at cisa.gov/known-exploited-vulnerabilities.
  3. Provide vulnerability metadata to the CVE database via the Authorized Data Publisher mechanism, [7] such as currently provided by the Vulnrichment Program.
  4. Maintain guidance on actions that qualify as an adequate “forensic triage” pursuant to this Directive and the Implementation Guidance or as shared in a relevant KEV entry-specific Notes field.
  5. Provide regular reports to federal agencies on Cyber Hygiene scanning results and status of vulnerable systems according to timelines defined in Table 1: Remediation Timelines in Appendix A: Vulnerability Response Timeline.
  6. Within 60 days CISA will publish data requirements, outlining how agencies should supply machine-level asset tagging information using a standardized data schema.
  7. As necessary, following the issuance of this Directive, CISA will review this Directive to account for changes in the general cybersecurity landscape and, as necessary, update the Implementation Guidance to incorporate additional best practices for federal information systems.
  8. Conduct a formal, data-driven reassessment of the prioritization timelines defined in Table 1: Remediation Timelines, once per fiscal year. Continually conduct case study assessments to determine whether technological or adversarial advances warrant further reductions in timelines.
  9. By the end of each fiscal year, provide a status report to the Secretary of Homeland Security, the Director of OMB, and the National Cyber Director identifying cross-agency status and outstanding issues in the implementation of this Directive.
  10. Provide additional guidance to agencies via the CISA website, emergency directives, and individual engagements upon request via CyberDirectives@cisa.dhs.gov.

Additional Information

Visit cisa.gov/news-events/directives or contact the following for:

Useful resources:

Appendix A: Vulnerability Response Timeline

Federal agencies shall remediate vulnerabilities based on the timelines detailed in Table 1: Remediation Timelines.

Table 1: Remediation Timelines is informed by the Stakeholder-Specific Vulnerability Categorization (SSVC) system, which provides the cyber community with a vulnerability analysis methodology that accounts for a vulnerability's exploitation status, impacts to safety, and prevalence of the affected product in a singular system.

Technical impact depicts how much post-exploitation control an adversary gains over the affected asset and is similar to the Common Vulnerability Scoring System (CVSS) base score’s concept of “severity.” When evaluating technical impact, the definition of scope is particularly important.

Table 1: Remediation Timelines (BOD 26-04: Table1-Remediation Timelines) is published as an image and is not reproduced in this version.

Table note 1 – Starred (*) elements are those CISA provides to the CVE database through CISA’s Vulnrichment Program for every vulnerability with a CVE ID.

Table note 2 – Daggered (†) elements may be provided by the CISA Cyber Hygiene program to participating agencies or may be collected or provided by third-party asset management or vulnerability management services or scanners.

The terms in the table have the following meanings:

  1. Days are calendar days.
  2. CISA identifies a cybersecurity vulnerability by its CVE ID.
  3. For each asset detected to contain an instance of a CVE ID, the vulnerability shall be remediated (that is, the vulnerability is eliminated through patching, decommissioning the system, or another action) [8] within the timeline defined in Table 1: Remediation Timelines.
  4. The text “& forensic triage” means that the agency must complete remediation or mitigation action within the timeline (three days) and carry out a forensic triage of the asset to assess whether the system is compromised. An adequate forensic triage follows the Forensic Triage Guidance in the Implementation Guidance. [9]
  5. The timelines for each asset are dynamic as facts change. For example, one valid mitigation is to remove the system from the internet; that action changes the value of “Publicly Exposed” from Yes to No and moves the required timeline for further action, such as remediation, later. Conversely, if CISA adds to the KEV catalog a vulnerability that was not previously listed, the timeline for action shortens according to Table 1.
  6. The timelines defined in Table 1 begin when either (1) CISA adds the vulnerability to the KEV catalog, or (2) pursuant to BOD 23-01, the agency enumerates or identifies the vulnerability on an asset and updates the Continuous Diagnostics and Mitigation (CDM) Program Agency and Federal Dashboard. Whichever event occurs first starts the remediation timeline.
  7. Fix on system upgrade means that, unless conditions change as described in item 5 above, the vulnerability should be remediated the next time the vulnerable asset receives a scheduled major upgrade or rebuild.
  8. In the KEV is defined as the CVE ID having an entry in the KEV catalog. The criteria for CISA to include a vulnerability in the KEV catalog remain unchanged.
  9. Publicly Exposed is defined as Yes if the asset in scope of this Directive is accessible to unauthenticated or untrusted entities via public networks, such as the internet, regardless of its physical or logical location; the value is No otherwise. CISA or agencies may use multiple overlapping methods to determine whether an asset or set of assets is publicly exposed (such as CISA’s CDM Program and Cyber Hygiene services). If any one method finds that a system is publicly exposed, the value for the decision point should be set to Yes.
  10. Automatable by Adversary (shortened as “Automatable”) and “Technical Impact” are defined as documented by the Vulnrichment Program; specifically, the definitions currently used by the Vulnrichment Program are those documented in the CERTCC/SSVC GitHub repository.
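The four variables listed under Background (Asset Exposure, KEV Status, Exploit Automation, Technical Impact) and the term definitions above (items 5, 6 and 9 in particular) describe a procedure an agency has to run for every asset and CVE ID pair: take the three CISA-supplied decision points from the CVE record, decide exposure from the agency's own evidence, and start the clock at the earlier of KEV addition and CDM detection. The following is an added example, not CISA's code or any agency's tooling. It assumes the CVE JSON 5.x layout in which CISA's ADP container carries an SSVC metric under metrics[].other with type "ssvc", and that KEV membership is read from data shaped like the public KEV catalog JSON (vulnerabilities[].cveID and dateAdded); the CVE record and catalog snippet are constructed with a placeholder CVE ID. It deliberately encodes nothing from Table 1 itself, which this page carries only as an image.

```python
"""Derive the four BOD 26-04 decision points for one asset/CVE pair.

Added example, not CISA's code. Assumptions not stated on the page:
  * CVE JSON 5.x record; CISA's ADP container holds an SSVC metric under
    metrics[].other with type "ssvc" (the Vulnrichment layout);
  * KEV membership comes from data shaped like the public KEV catalog JSON;
  * both inputs below are constructed samples with a placeholder CVE ID.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Any, Iterable

# Constructed sample record; CVE-0000-00000 is a placeholder, not a real CVE.
SAMPLE_CVE_RECORD: dict[str, Any] = {
    "dataType": "CVE_RECORD",
    "cveMetadata": {"cveId": "CVE-0000-00000"},
    "containers": {
        "adp": [{
            "title": "CISA ADP Vulnrichment",
            "metrics": [{"other": {
                "type": "ssvc",
                "content": {
                    "id": "CVE-0000-00000",
                    "role": "CISA Coordinator",
                    "options": [
                        {"Exploitation": "active"},
                        {"Automatable": "yes"},
                        {"Technical Impact": "total"},
                    ],
                    "version": "2.0.3",
                },
            }}],
        }],
    },
}

# Constructed KEV catalog snippet using the public catalog's field names.
SAMPLE_KEV_CATALOG: dict[str, Any] = {
    "vulnerabilities": [{"cveID": "CVE-0000-00000", "dateAdded": "2026-06-15"}],
}


def extract_ssvc(record: dict[str, Any]) -> dict[str, str]:
    """Return CISA's SSVC decision points (name -> value) from a CVE record.

    Raises KeyError when no ADP container carries an SSVC metric, so a missing
    enrichment is never silently read as 'not automatable' or 'partial'.
    """
    for adp in record.get("containers", {}).get("adp", []):
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") == "ssvc":
                merged: dict[str, str] = {}
                for option in other["content"]["options"]:
                    merged.update(option)
                return merged
    raise KeyError("no SSVC decision points in record")


def kev_date_added(cve_id: str, catalog: dict[str, Any]) -> date | None:
    """Date the CVE ID entered the KEV catalog, or None if it is not listed (item 8)."""
    for entry in catalog.get("vulnerabilities", []):
        if entry.get("cveID") == cve_id:
            return date.fromisoformat(entry["dateAdded"])
    return None


def publicly_exposed(evidence: Iterable[bool]) -> bool:
    """Item 9: if any one source (CDM, Cyber Hygiene, ...) finds the asset exposed, it is Yes."""
    return any(evidence)


@dataclass(frozen=True)
class DecisionPoints:
    exposed: bool        # Asset Exposure (agency-supplied)
    in_kev: bool         # KEV Status (CISA-supplied)
    automatable: bool    # Exploit Automation (CISA-supplied)
    total_control: bool  # Technical Impact == total (CISA-supplied)


def classify(record: dict[str, Any], catalog: dict[str, Any],
             exposure_evidence: Iterable[bool]) -> DecisionPoints:
    """Combine the agency's exposure evidence with CISA's KEV and SSVC data."""
    cve_id = record["cveMetadata"]["cveId"]
    ssvc = extract_ssvc(record)
    return DecisionPoints(
        exposed=publicly_exposed(exposure_evidence),
        in_kev=kev_date_added(cve_id, catalog) is not None,
        automatable=ssvc["Automatable"].lower() == "yes",
        total_control=ssvc["Technical Impact"].lower() == "total",
    )


def clock_start(kev_added: date | None, cdm_detected: date | None) -> date:
    """Item 6: the timeline starts at whichever of the two events came first."""
    dates = [d for d in (kev_added, cdm_detected) if d is not None]
    if not dates:
        raise ValueError("neither a KEV addition nor a CDM detection date")
    return min(dates)
```

Re-running `classify` with fresh exposure evidence after a mitigation such as pulling the asset off the internet is how item 5's dynamic timeline falls out of this design: the tuple changes, the Table 1 lookup changes, and the start date from `clock_start` does not. Keep that lookup in agency-maintained data rather than in code, since CISA Action 8 says the timelines are reassessed each fiscal year.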

Table 1 is equivalent to a decision-tree figure (BOD 26-04: Graphic-Remediation Timelines) that is not reproduced in this version.


[1] https://www.federalregister.gov/documents/2016/07/28/2016-17872/revision-of-omb-circular-no-a-130-managing-information-as-a-strategic-resource

[2] https://www.congress.gov/bill/113th-congress/senate-bill/2521/all-info

[3] https://www.whitehouse.gov/presidential-actions/executive-orders/

[4] The unit of work for patching as defined in NIST SP 800-40 Rev. 4.

[5] https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf

[6] https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf

[7] https://www.cve.org/ProgramOrganization/ADPs

[8] The definition and use of “remediation” is intentionally consistent with (1) U.S. Department of Defense (DoD) Instruction 8531.01: DoD Vulnerability Management, Sep 15, 2020; (2) NIST Special Publication 800-53 Rev. 5; and (3) NIST Special Publication 800-216.

[9] For example, see CISA's Voluntary Cyber Incident Reporting webpage, CISA's Incident Reporting System, CISA's Response Playbooks, NIST Special Publication 800-61 Rev. 3, and NIST Special Publication 800-86.

Related Directives

Jun 10, 2026

Binding Operational Directive

BOD 26-04: Implementation Guidance for Prioritizing Security Updates Based on Risk

Jun 10, 2026

Binding Operational Directive

BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems (Revoked)

Jun 10, 2026

Binding Operational Directive

BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (Revoked)

Feb 05, 2026

Binding Operational Directive

BOD 26-02: Mitigating Risk From End-of-Support Edge Devices
