CISA issues BOD 26-04, replacing KEV remediation rules with risk-based timelines for federal civilian agencies

Federal civilian agency security teams must migrate from the prior KEV remediation regime to BOD 26-04's risk-based timelines, with policy updates due immediately and remediation timelines enforceable within 180 days

Change
On 10 June 2026 CISA issued Binding Operational Directive 26-04, replacing BOD 19-02 and BOD 22-01 with a single risk-based vulnerability-remediation model for Federal Civilian Executive Branch agencies, phased in from immediate policy updates to enforceable remediation timelines within 180 days.
Why it matters
BOD 26-04 sets remediation deadlines by combining four CISA-published variables per CVE — asset exposure, KEV status, exploit automation, and technical impact — mapping each vulnerability to a Table 1 timeline that runs from three calendar days plus forensic triage for the highest-risk class to 'fix on system upgrade' for the lowest. The remediation clock starts at KEV-catalog addition or agency enumeration in the CDM dashboard, whichever is first. The Directive revokes BOD 19-02 and BOD 22-01, so agencies operating to the prior KEV-remediation timelines must re-baseline. Compliance phases in: policy updates immediately, process updates within 60 days, and the remediation timelines plus continuous external-asset tagging within 180 days.
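The deadline mechanics described above can be modelled as a small tracker: the clock starts at the earlier of KEV addition or CDM enumeration, the tier decides the calendar allowance, and the highest tier additionally flags forensic triage. The following Python is an added illustration, not CISA's code or the Directive's Table 1. The brief gives only the two endpoints of that table (three days plus triage at the top, fix-on-upgrade at the bottom), so the scoring rule, the three middle tiers, and the CVE identifiers below are constructed placeholders, labelled as such in the code.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Vuln:
    """One CVE on one asset, with the four CISA-published variables the brief names."""
    cve: str
    externally_exposed: bool                 # asset exposure
    in_kev: bool                             # KEV status
    exploit_automated: bool                  # exploit automation
    high_impact: bool                        # technical impact
    kev_added: Optional[date] = None         # date CISA added the CVE to the KEV catalog
    cdm_enumerated: Optional[date] = None    # date the agency enumerated it in the CDM dashboard


# ASSUMED placeholder for BOD 26-04 Table 1. The brief states only the endpoints:
# 3 calendar days (plus forensic triage) for the highest-risk class and
# "fix on system upgrade" (no calendar deadline) for the lowest. The scoring
# rule and the three middle tiers are constructed for illustration only.
FIX_ON_UPGRADE = None
TIER_DAYS = {4: 3, 3: 14, 2: 30, 1: 90, 0: FIX_ON_UPGRADE}


def risk_tier(v: Vuln) -> int:
    """ASSUMED scoring: number of the four variables that are true (4 = highest risk)."""
    return sum([v.externally_exposed, v.in_kev, v.exploit_automated, v.high_impact])


def needs_forensic_triage(v: Vuln) -> bool:
    """The brief attaches forensic triage to the highest-risk class only."""
    return risk_tier(v) == 4


def clock_start(v: Vuln) -> Optional[date]:
    """Remediation clock starts at KEV addition or CDM enumeration, whichever is first."""
    known = [d for d in (v.kev_added, v.cdm_enumerated) if d is not None]
    return min(known) if known else None


def due_date(v: Vuln) -> Optional[date]:
    """Calendar deadline, or None for fix-on-upgrade or when the clock has not started."""
    days = TIER_DAYS[risk_tier(v)]
    start = clock_start(v)
    if days is FIX_ON_UPGRADE or start is None:
        return None
    return start + timedelta(days=days)


def status(v: Vuln, today: date) -> str:
    """open / overdue for timed tiers; fix-on-upgrade for the lowest; not-on-clock if undated."""
    if TIER_DAYS[risk_tier(v)] is FIX_ON_UPGRADE:
        return "fix-on-upgrade"
    due = due_date(v)
    if due is None:
        return "not-on-clock"   # neither a KEV date nor a CDM enumeration date recorded yet
    return "overdue" if today > due else "open"


def report(vulns: List[Vuln], today: date) -> List[Tuple[str, int, Optional[date], str]]:
    """Per-CVE (id, tier, due date, status), overdue rows first so triage sees them."""
    rows = [(v.cve, risk_tier(v), due_date(v), status(v, today)) for v in vulns]
    return sorted(rows, key=lambda r: (r[3] != "overdue", r[2] or date.max))


# Constructed sample inventory; the CVE ids are placeholders, not real identifiers.
TODAY = date(2026, 7, 1)
SAMPLE = [
    Vuln("CVE-0000-PLACEHOLDER-A", True, True, True, True,
         kev_added=date(2026, 6, 20), cdm_enumerated=date(2026, 6, 15)),
    Vuln("CVE-0000-PLACEHOLDER-B", True, True, False, False,
         kev_added=date(2026, 6, 28)),
    Vuln("CVE-0000-PLACEHOLDER-C", False, False, False, False,
         cdm_enumerated=date(2026, 6, 25)),
    Vuln("CVE-0000-PLACEHOLDER-D", True, False, False, True),
]

if __name__ == "__main__":
    for row in report(SAMPLE, TODAY):
        print(row, "triage" if needs_forensic_triage(Vuln(*row[:1], False, False, False, False)) else "")
```

Placeholder A shows the "whichever is first" rule in action: CDM enumeration on 15 June precedes KEV addition on 20 June, so the three-day clock runs from the 15th and the item is already overdue on 1 July. Placeholder D shows the gap a real tracker must surface: a vulnerability that is tiered but has no start date recorded is not yet on any clock, which is exactly the state the 180-day continuous-tagging obligation is meant to eliminate.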
Implications
  • Federal civilian agency security leadership (CIO and CISO offices) must update vulnerability-management policies immediately to the BOD 26-04 model — assigning roles, setting KEV-monitoring and CISA-reporting procedures, and establishing internal validation — because Phase I obligations apply from issuance and CISA may request the updated policies at any time.
  • Federal civilian agency IT and network teams must re-baseline remediation from the revoked BOD 22-01 timelines to the Table 1 risk tiers (three days plus forensic triage at the highest risk, down to fix-on-upgrade) and continuously tag all externally reachable assets, with these remediation obligations enforceable within 180 days of issuance.
  • Agencies running federal systems in FedRAMP or other third-party/cloud environments must work through the FedRAMP PMO or their cloud service providers to extend BOD 26-04 requirements to that infrastructure, since the agency retains compliance responsibility for externally hosted systems.
