Friday, June 12, 2026

CISA Urges Government to Fix Critical Vulnerabilities in Three Days

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new directive, known as Binding Operational Directive 26-04. This directive aims to improve security measures for Federal Civilian Executive Branch (FCEB) agencies by addressing high-risk vulnerabilities more quickly.

CISA’s objective is to reduce the risk of cyberattacks against the public sector. Under the new rules, agencies may need to resolve serious security vulnerabilities within as little as three days. This directive replaces older guidelines, BOD 19-02 and BOD 22-01, which were established in 2019 and 2021.

To decide the urgency of a patch, CISA considers four main factors: whether the asset is publicly accessible online, whether the vulnerability appears in CISA’s Known Exploited Vulnerabilities (KEV) catalog, whether the system can be attacked automatically on a large scale, and whether attackers might gain full control of a system.

If a vulnerability isn’t immediately urgent, agencies will typically have two weeks to address it. The directive specifically targets information systems used by U.S. government departments but does not cover military systems or private contractors.

Agencies must revise their vulnerability management policies to align with this new directive. They have 60 days to implement necessary changes and up to 180 days to ensure ongoing monitoring and reporting of their systems.
