The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new risk-based approach to vulnerability remediation, requiring federal civilian agencies to patch the most dangerous cyber vulnerabilities within 72 hours. Announced through Binding Operational Directive (BOD) 26-04, the new CISA vulnerability management directive replaces older remediation requirements with a framework designed to prioritize vulnerabilities that pose the greatest risk to government systems.
The move comes as cybersecurity officials warn that artificial intelligence is helping threat actors identify and exploit security flaws faster than ever before. The directive aims to improve federal cyber resilience while ensuring agencies focus resources on threats most likely to be exploited.
New Risk-Based Model for Vulnerability Remediation
Under the directive, federal civilian agencies must evaluate vulnerabilities against four key criteria:
According to CISA officials, vulnerabilities meeting three of these four conditions will face accelerated remediation deadlines.
The strictest requirement applies to vulnerabilities that are actively exploited, can be automated, and…