CISA Rewrites Federal Patching Requirements for AI Threat Era

The new directive gives federal agencies three days to fix the most dangerous flaws, while less severe issues can be deferred.

June 10, 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) has revamped its federal patching mandate with a risk-matrix approach that requires federal agencies to remediate the most dangerous vulnerabilities within three days while formally allowing them to defer lower-risk issues.

The agency's new Binding Operational Directive (BOD) 26-04, released this week, supersedes two prior directives governing federal vulnerability remediation and reflects growing concerns about AI-driven threats compounding the patching and remediation challenge for federal agencies.

With BOD 26-04, CISA has established a tiered remediation model for agencies based on four factors: whether the vulnerability appears on CISA's Known Exploited Vulnerabilities (KEV) catalog, whether the vulnerable asset is publicly exposed, whether an adversary can automate all steps required to exploit it, and whether successful exploitation results in partial or total control of the affected asset.