CISA ·

CISA issues BOD 26-04, replacing KEV remediation rules with risk-based timelines for federal civilian agencies

Federal civilian agency security teams must migrate from the prior KEV remediation regime to BOD 26-04's risk-based timelines, with policy updates due immediately and remediation timelines enforceable within 180 days

Change
On 10 June 2026 CISA issued Binding Operational Directive 26-04, replacing BOD 19-02 and BOD 22-01 with a single risk-based vulnerability-remediation model for Federal Civilian Executive Branch agencies, phased in from immediate policy updates to enforceable remediation timelines within 180 days.
Why it matters
BOD 26-04 sets remediation deadlines by combining four CISA-published variables per CVE — asset exposure, KEV status, exploit automation, and technical impact — mapping each vulnerability to a Table 1 timeline that runs from three calendar days plus forensic triage for the highest-risk class to 'fix on system upgrade' for the lowest. The remediation clock starts at KEV-catalog addition or agency enumeration in the CDM dashboard, whichever is first. The Directive revokes BOD 19-02 and BOD 22-01, so agencies operating to the prior KEV-remediation timelines must re-baseline. Compliance phases in: policy updates immediately, process updates within 60 days, and the remediation timelines plus continuous external-asset tagging within 180 days.
Implications
  • Federal civilian agency security leadership (CIO and CISO offices) must update vulnerability-management policies immediately to the BOD 26-04 model — assigning roles, setting KEV-monitoring and CISA-reporting procedures, and establishing internal validation — because Phase I obligations apply from issuance and CISA may request the updated policies at any time.
  • Federal civilian agency IT and network teams must re-baseline remediation from the revoked BOD 22-01 timelines to the Table 1 risk tiers (three days plus forensic triage at the highest risk, down to fix-on-upgrade) and continuously tag all externally reachable assets, with these remediation obligations enforceable within 180 days of issuance.
  • Agencies running federal systems in FedRAMP or other third-party/cloud environments must work through the FedRAMP PMO or their cloud service providers to extend BOD 26-04 requirements to that infrastructure, since the agency retains compliance responsibility for externally hosted systems.
Who is affected
  • Federal civilian agency security leadership (CIO and CISO offices)
  • Federal civilian agency IT and network / vulnerability-management teams
  • Federal agency teams managing FedRAMP and third-party-hosted federal systems
What to watch
  • Within 60 days of 10 June 2026: agencies must update vulnerability-management processes and procedures (Phase II); CISA publishes the machine-readable asset-tagging data schema.
  • Within 180 days of 10 June 2026: Table 1 remediation timelines and continuous external-asset tagging become enforceable (Phase III).
View on CISA
Clarify this change

Grounded in this brief and its source — your questions stay private.

Clarify with AI — Pro only

You asked:

Clarify turns any brief into answers specific to your role and exposure.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month · Founding rate, locked for life. Cancel anytime.

Create a free account to keep clarifying

You asked:

You've used your free guest questions for now. A free account gives you more every month and saves your history — or start a Pro trial for unlimited Clarify and real-time alerts.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

Free account: no card, ever. Pro trial: $29/month after 14 days, no card to start, cancel anytime.