US federal agencies have been instructed to overhaul their vulnerability management practices, shifting away from rigid, deadline-driven patching toward a risk-based approach that prioritizes the most actively exploited threats, under new guidance from the Cybersecurity and Infrastructure Security Agency (CISA).
Binding Operational Directive 26-04, issued on June 10, ties each deadline to risk: three days, plus a forensic check for signs of intrusion, for the most dangerous flaws, with longer windows for less severe combinations and deferral for genuinely low-risk bugs, in some cases until a system's next major upgrade. It consolidates two previous mandates, BOD 19-02 and the KEV-focused BOD 22-01.
CISA cast it as a response to a threat picture in which AI helps attackers find and weaponize bugs faster, shrinking defenders' window once a patch ships, as the volume of disclosed flaws outpaces blanket patching.
The directive also pairs its tightest deadlines with a forensic step. When an agency patches the most serious flaws, it must check whether attackers have already exploited them, since a fix rarely evicts an intruder.
Risk Replaces the Severity Score
For years, CVSS severity scores drove prioritization; BOD 26-04 drops that. Revoking the old directive means agencies are no longer required to use CVSS to prioritize, since, as CISA noted, a severity label alone doesn't dictate what to fix first.
The directive instead weighs four factors:
- Asset exposure: whether the system is publicly reachable
- KEV status: whether the flaw is on CISA's Known Exploited Vulnerabilities (KEV) catalog
- Exploit automation: whether an adversary can automate every step needed to exploit it
- Technical impact: whether a successful attack grants partial or total control
Acting CISA director, Nick Andersen, said the directive lets agencies "focus their efforts on the areas of highest risk" and defer the rest. He urged private-sector and infrastructure operators to follow suit.
Doubts About the Execution
Agencies have 180 days, until around December 7, before they must meet the directive's remediation timelines in every case. Practitioners broadly welcomed the aim while warning that the hard part is execution.
Knowing a bug is exploited, which the KEV catalog already flags, is only half the job, said Sunil Gottumukkala, CEO of agentic remediation platform provider Averlon. He said, "The other half is whether it matters in your environment."
Denis Calderone, CTO of AI security firm Suzu Labs, agreed, "CVSS alone has never been a reliable way to decide which vulnerabilities to prioritize." However, he questioned who will ensure agencies run real risk assessments rather than tick a compliance box, particularly given what he called deep cuts to CISA's budget and workforce.
Calderone urged defenders to build their own stack now including KEV status, Exploit Prediction Scoring System (EPSS) probabilities and local context.
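To make the four-factor model and Calderone's suggestion concrete, here is an added illustration (not CISA's scoring logic or any vendor's code) of a defender-side triage routine that combines asset exposure, KEV status, exploit automation, technical impact and an EPSS probability into a remediation window. Only the three-day window with a forensic check for the worst combination comes from the directive as reported; the other windows, the EPSS threshold and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset: the directive's four factors plus EPSS."""
    vuln_id: str             # constructed placeholder id, not a real CVE
    asset: str
    internet_exposed: bool   # asset exposure: publicly reachable?
    in_kev: bool             # KEV status: listed in CISA's KEV catalog?
    fully_automatable: bool  # exploit automation: every step automatable?
    total_control: bool      # technical impact: total (True) or partial (False)
    epss: float              # EPSS probability, the local-context input

def tier(f: Finding) -> Tuple[str, Optional[int], bool]:
    """Return (tier, days to remediate or None to defer, forensic check needed)."""
    worst = f.in_kev and f.fully_automatable and f.total_control
    if f.internet_exposed and worst:
        return ("critical", 3, True)   # directive's tightest window + intrusion check
    # Assumed: exploited or automatable flaws on reachable systems get a short
    # window, and a high EPSS score pulls a not-yet-KEV flaw into that window.
    if f.internet_exposed and (f.in_kev or f.fully_automatable or f.epss >= 0.5):
        return ("high", 14, f.in_kev)
    if f.in_kev or f.total_control:
        return ("medium", 30, False)
    return ("low", None, False)        # defer, e.g. until the next major upgrade

def due(f: Finding, discovered_iso: str) -> Optional[str]:
    """ISO due date for a finding discovered on discovered_iso, or None if deferred."""
    days = tier(f)[1]
    if days is None:
        return None
    return (date.fromisoformat(discovered_iso) + timedelta(days=days)).isoformat()

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Shortest window first, then highest EPSS within a tier."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (rank[tier(f)[0]], -f.epss))

# Constructed sample inventory (assumed values, not real findings)
SAMPLE = [
    Finding("VULN-A", "vpn-gateway", True, True, True, True, 0.92),
    Finding("VULN-B", "intranet-wiki", False, True, False, True, 0.40),
    Finding("VULN-C", "public-web", True, False, False, False, 0.71),
    Finding("VULN-D", "build-host", False, False, False, False, 0.01),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.vuln_id, f.asset, tier(f), due(f, "2026-06-10"))
```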
