
CISA Instructs Federal Agencies to Adopt Risk-Based Approach for Vulnerability Remediation

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive (BOD 26-04) establishing new deadlines for vulnerability remediation for federal civilian agencies. Defenders have long struggled to keep on top of patching because of the frequency with which new vulnerabilities are identified, a pace that has increased dramatically due to artificial intelligence.

According to the Verizon 2025 Data Breach Investigations Report, organizations were only able to fully remediate around 38% of vulnerabilities in CISA’s Known Exploited Vulnerability (KEV) Catalog in 2024. The 2026 DBIR report shows that the percentage of fully remediated vulnerabilities in 2025 fell to 26%, with a median resolution time of 43 days. Artificial intelligence has massively increased the pace of vulnerability discovery, defenders are becoming overwhelmed, and critical vulnerabilities are remaining unpatched for longer periods, increasing the window of opportunity for exploitation. CISA’s solution is to patch smarter, not harder.

CISA has released a new risk-based vulnerability remediation framework to help vendors assess vulnerabilities and prioritize patching effectively, concentrating their efforts on mitigating vulnerabilities in the most at-risk assets and addressing vulnerabilities that carry the greatest risk of exploitation.

CISA has determined that the greatest risk is associated with vulnerabilities with four characteristics:

  1. Public exposure via the internet
  2. The ability to fully automate exploitation
  3. Full control of the system for an attacker who exploits it, and
  4. Evidence of real-world exploitation (KEV inclusion)

Based on this framework, any vulnerability that meets all four criteria must be mitigated in the shortest possible timeframe – no more than 3 days. If the vulnerability is publicly exposed, is in the KEV, is automatable, and gives an attacker partial control of a system, the vulnerability must be remediated within 3 days. If the vulnerability gives an attacker full control of a system, it must likewise be remediated within 3 days, and a forensic triage is then required to determine whether the vulnerability has already been exploited.

New timelines of two weeks or two months have been provided for mitigating lower-risk vulnerabilities, with the lowest severity vulnerabilities not requiring remediation until the next system upgrade. An analysis at one large civilian agency found that only 1% of vulnerabilities fell into the 3-day category, while 60% of vulnerabilities could be deferred until the next system upgrade. By following the new framework, organizations will be able to ensure that the most critical vulnerabilities are addressed first.
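The following is an added example, not code from CISA or The HIPAA Journal, showing how a vulnerability-management team might encode the 3-day tier described above: scanner findings are joined against the KEV catalog feed and flagged for 3-day remediation (plus forensic triage for full-control flaws) when they meet the stated criteria. The KEV feed excerpt, asset names and CVE ids are constructed placeholders; the article does not give the criteria that separate the two-week, two-month and next-upgrade tiers, so findings outside the top tier are only marked as "lower", not assigned a deadline.

```python
import json
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's KEV catalog JSON feed
# (CVE ids below are placeholders, not real entries).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2026-05-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleDB", "product": "Server",
     "dateAdded": "2026-05-03", "knownRansomwareCampaignUse": "Unknown"},
]})


def load_kev_ids(feed_json):
    """Return the set of CVE ids listed in a KEV catalog feed."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}


@dataclass
class Finding:
    cve: str
    asset: str
    internet_exposed: bool  # reachable from the public internet
    automatable: bool       # exploitation can be fully automated
    control: str            # attacker control if exploited: "full", "partial" or "none"


def triage(f, kev_ids):
    """Apply the top tier of the framework as the article describes it.

    Internet-exposed + automatable + KEV-listed + partial or full control
    -> remediate within 3 days; full control additionally requires a forensic
    triage for prior exploitation. Everything else falls to the lower tiers
    (two weeks, two months or next upgrade), whose criteria are not given.
    """
    in_kev = f.cve in kev_ids
    top = f.internet_exposed and f.automatable and in_kev and f.control in ("full", "partial")
    if top:
        return {"cve": f.cve, "asset": f.asset, "in_kev": in_kev,
                "deadline_days": 3, "forensic_triage": f.control == "full"}
    return {"cve": f.cve, "asset": f.asset, "in_kev": in_kev,
            "deadline_days": None, "forensic_triage": False, "tier": "lower"}


def prioritize(findings, kev_ids):
    """Order findings: 3-day items first, full-control (triage) items at the top."""
    results = [triage(f, kev_ids) for f in findings]
    return sorted(results, key=lambda r: (r["deadline_days"] is None, not r["forensic_triage"]))
```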

The new framework prioritizes mitigation of vulnerabilities at the network edge. While vulnerabilities in the network core may be high risk and under active exploitation, CISA generally does not observe threat actors compromising core networks through product vulnerabilities; they use living off the land (LOTL) techniques, which CISA says are best addressed through other means, such as system hardening, network segmentation, and implementing phishing-resistant multi-factor authentication.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
