The Cybersecurity and Infrastructure Security Agency has issued new federal guidance that sharply reduces the time agencies have to fix the most serious software vulnerabilities. Under the directive, certain high-risk flaws must be remediated within three days, a faster deadline than the agency used previously.
The rule is aimed at federal civilian executive branch agencies and is designed to help them focus patching efforts on the vulnerabilities most likely to be used in attacks. CISA said the change reflects a threat environment in which attackers are moving quickly, sometimes aided by automation and artificial intelligence, after a weakness becomes public.
The directive, Binding Operational Directive 26-04, replaces earlier federal requirements on vulnerability remediation. It also revokes two older directives that covered internet-facing systems and known exploited vulnerabilities. CISA said the new framework consolidates and clarifies federal patching expectations.
Rather than treating every vulnerability the same, the directive tells agencies to prioritize fixes based on several factors. Those include whether a system is publicly exposed, whether the flaw appears in CISA’s Known Exploited Vulnerabilities catalog, whether exploitation can be automated, and whether an attacker would gain partial or total control of the affected asset.
CISA has used the KEV catalog since 2021 to track vulnerabilities known to be exploited in the wild. The agency said that catalog remains central to the new policy, which continues to require aggressive action on bugs that pose a significant risk to federal networks.
The directive says agencies must update vulnerability management policies, assign responsibility for remediation, and set internal procedures for tracking and enforcement. Agencies also have to keep monitoring KEV updates and continue cyber hygiene scanning.
For agencies that have not fully automated reporting, the directive requires biweekly manual status reports through the Continuous Diagnostics and Mitigation Dashboard. Agencies must also keep records of internet-facing assets and report changes in those assets on a recurring basis.
Some provisions take effect immediately. Agencies are required to review and, if needed, revise their vulnerability management policies and procedures right away. Within 60 days, they must update their remediation processes so they can respond to vulnerabilities listed in both the CVE database and the KEV catalog.
Within 180 days, agencies must be able to remediate vulnerabilities according to the timelines set by the directive. The document says agencies should fix issues as quickly as possible and no later than those deadlines.
CISA also wants agencies to more closely track externally reachable assets. The directive requires them to identify and tag systems that can be reached from outside the agency network and use a routable IP address. Those records must include details such as the organization or sub-organization, environment, exposure, and asset type.
Another requirement directs agencies to make sure every asset reported in the CDM Federal Dashboard includes all associated IP addresses, including private IPv4 and IPv6 addresses.
CISA said the directive supports broader federal cybersecurity goals and aligns with OMB Circular A-130, which covers federal information resource management. The agency also pointed to ties with federal efforts on artificial intelligence security and the wider U.S. cybersecurity strategy.
The directive generally applies to federal civilian systems, not national security systems. CISA noted that contractors are not automatically covered unless their contracts require compliance, though agencies are expected to review contracts to determine whether changes are needed.
For systems hosted in third-party environments, including FedRAMP-certified cloud services, agencies must maintain inventories and work with providers to ensure compliance. CISA said the new requirements are meant to strengthen mission readiness across the federal government by directing resources toward the vulnerabilities most likely to lead to real-world compromise.