The US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday announced a new directive that requires federal agencies to prioritize patching the highest-risk security flaws.
CISA established the Known Exploited Vulnerabilities (KEV) catalog in 2021, accompanied by BOD 22-01, which directed agencies to aggressively patch bugs in the catalog within specific timeframes. It also required them to report the status of KEV vulnerabilities, without penalizing those that did not meet the deadlines.
According to CISA, the new ‘Binding Operational Directive 26-04: Prioritizing Security Updates Based on Risk’ builds on BOD 22-01 and the KEV catalog to advance priorities in securing federal networks and outline critical steps to more aggressively fortify them.
“The requirements in this Directive align with Office of Management and Budget (OMB) Circular A-130: Managing Information as a Strategic Resource, which establishes policy for the management of federal information resources,” CISA notes.
BOD 26-04 requires federal agencies to review and update their vulnerability management policies, provide CISA with copies of these policies upon request, and prioritize the remediation of security weaknesses included in the KEV catalog.