The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-04, establishing new deadlines for vulnerability remediation for government civilian institutions and introducing a risk-based framework for prioritizing remediation activities.
CISA stated that defenders have faced ongoing challenges in keeping pace with vulnerability patching because of the frequency of newly identified vulnerabilities. The agency indicated that the pace of vulnerability discovery has increased due to artificial intelligence.
Data cited by CISA from the Verizon 2025 Data Breach Investigations Report showed that organizations fully remediated approximately 38% of vulnerabilities listed in the Known Exploited Vulnerability (KEV) Catalog during 2024.
CISA also referenced the 2026 Data Breach Investigations Report, which found a 26% decline in the number of fully remediated vulnerabilities in 2025. The report stated that resolution takes 43 days.
According to CISA, the increased pace of vulnerability discovery has created challenges for defenders, resulting in critical vulnerabilities remaining unpatched for longer periods. CISA stated that its approach is to focus remediation efforts based on risk.
Risk-Based Vulnerability Remediation Framework
CISA introduced a new risk-based vulnerability remediation system intended to help vendors evaluate vulnerabilities and prioritize patching efforts. The framework directs attention toward vulnerabilities that present the greatest risk of exploitation and toward assets that face the highest levels of risk.
The framework identifies four characteristics associated with the greatest risk:
- Public exposure online.
- The ability for exploitation to be fully automated.
- The ability for an attacker to gain full control of a system.
- Evidence of real-world exploitation through inclusion in the Known Exploited Vulnerability Catalog.
CISA stated that vulnerabilities meeting all four criteria must be mitigated within no more than three days. The agency also established a three-day remediation requirement for vulnerabilities that are publicly exposed, included in the Known Exploited Vulnerability Catalog, capable of automated exploitation, and capable of providing an attacker with partial control of a system.
When a vulnerability provides an attacker with full control of a system, CISA requires a forensic triage after remediation to determine whether exploitation has already occurred.
Remediation Timeframes
The directive establishes additional remediation timelines for vulnerabilities assessed as lower risk.
CISA stated that lower-risk vulnerabilities may be subject to remediation deadlines of two weeks or two months. The agency also stated that vulnerabilities assigned the lowest severity category do not require remediation until the next system upgrade.
An analysis conducted at one large civilian agency found that only 1% of vulnerabilities were categorized within the three-day remediation group. The same analysis found that 60% of vulnerabilities could be deferred until the next system upgrade.
CISA stated that use of the framework allows organizations to prioritize remediation of vulnerabilities assessed as most critical.
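The triage rules described above, as an added example that is not part of the article or of the directive itself: the two three-day rules and the forensic-triage requirement are as reported here, while the cut-offs for the two-week, two-month and next-upgrade tiers are not given in the article and are an assumption, as are the `Finding` fields and the constructed sample inventory.

```python
from dataclasses import dataclass

# Deadlines named in the directive. The three-day rule below is the one the
# article states; the boundaries for the other tiers are an assumption.
THREE_DAYS, TWO_WEEKS, TWO_MONTHS = "3 days", "2 weeks", "2 months"
NEXT_UPGRADE = "next system upgrade"


@dataclass(frozen=True)
class Finding:
    ident: str             # constructed placeholder, not a real CVE id
    public_exposure: bool  # reachable from the internet
    automated: bool        # exploitation can be fully automated
    control: str           # "full", "partial" or "none"
    in_kev: bool           # listed in the Known Exploited Vulnerabilities Catalog


def deadline(f: Finding) -> str:
    """Remediation deadline for one finding under the rules as reported."""
    # Stated rule: exposed + KEV + automatable + full or partial control -> 3 days.
    if f.public_exposure and f.in_kev and f.automated and f.control != "none":
        return THREE_DAYS
    # Assumption (not from the article): lower tiers by remaining characteristics.
    score = sum((f.public_exposure, f.automated, f.in_kev, f.control != "none"))
    if score >= 2:
        return TWO_WEEKS
    if score == 1:
        return TWO_MONTHS
    return NEXT_UPGRADE


def needs_forensic_triage(f: Finding) -> bool:
    """Full control of a system requires forensic triage after remediation."""
    return f.control == "full"


def prioritize(findings):
    """Most urgent deadline first; stable order within a tier."""
    order = {THREE_DAYS: 0, TWO_WEEKS: 1, TWO_MONTHS: 2, NEXT_UPGRADE: 3}
    return sorted(findings, key=lambda f: order[deadline(f)])


SAMPLE = [  # constructed inventory for the demonstration
    Finding("VULN-A", False, False, "none", False),
    Finding("VULN-B", True, True, "full", True),
    Finding("VULN-C", True, False, "full", False),
    Finding("VULN-D", True, True, "partial", True),
]
```

Running `prioritize(SAMPLE)` puts VULN-B and VULN-D in the three-day tier, with VULN-B additionally flagged by `needs_forensic_triage` because it grants full control.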
Network Edge Prioritization
The framework places priority on mitigating vulnerabilities located at the network edge. CISA stated that vulnerabilities located within the network core may be considered high risk and may be subject to active exploitation. The agency also stated that it generally does not find threat actors breaching core networks via product vulnerabilities.
According to CISA, threat actors use living-off-the-land (LOTL) techniques. The agency stated that these techniques are better addressed through measures including HIPAA encryption, network segmentation, system hardening, and implementation of phishing-resistant multi-factor authentication.
Binding Operational Directive 26-04 establishes new remediation deadlines and a risk-based methodology that prioritizes vulnerabilities based on exposure, exploitability, system control impact, and evidence of real-world exploitation.