WASHINGTON—The Cybersecurity and Infrastructure Security Agency has issued a new directive requiring federal civilian agencies to overhaul how they prioritize software vulnerabilities, directing them to focus remediation efforts on the systems that pose the greatest cybersecurity risk.
The new Binding Operational Directive 26-04 replaces and updates earlier federal vulnerability-management requirements by requiring agencies to evaluate security flaws based on four factors: asset exposure, known exploited vulnerability status, exploit automation and the potential technical impact of a successful attack. CISA said the approach is designed to help agencies concentrate resources on the most dangerous vulnerabilities while reducing unnecessary patching efforts.
The agency said the directive reflects a threat environment in which cybercriminals and nation-state actors increasingly exploit unpatched vulnerabilities and may use…
