CISA Tightens Patch Timelines for Federal Agencies, Pushing Critical Flaws to Three‑Day Fixes
The Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 26-04, requiring U.S. Federal Civilian Executive Branch agencies to remediate high‑risk vulnerabilities with accelerated timelines—down to three days for publicly exposed, known‑exploited flaws and up to two weeks for less urgent cases. The directive supersedes older BODs and mandates updates to vulnerability management policies, asset inventories, and automated KEV/CVE reporting, with full adherence within 180 days and policy changes within 60 days. It covers on‑premises, third‑party hosted, and cloud environments while excluding certain military, intelligence, and contractor systems, signaling a broader industry patch‑priority shift.