
The Cybersecurity and Infrastructure Security Agency issued a binding directive Wednesday ordering federal civilian agencies to fix the most critical security vulnerabilities within three days, a dramatic compression of the typical weeks-long patching cycle driven by the accelerating pace of AI-powered cyberattacks.
Binding Operational Directive 26-04 introduces a risk-based framework that categorizes vulnerabilities by four criteria. A vulnerability that meets all four must be remediated within 72 hours, and agencies must conduct a forensic triage to determine whether their systems were already compromised. At the other end of the spectrum, lower-risk vulnerabilities can be deferred to the next scheduled system upgrade.
The Four Criteria
Under BOD 26-04, agencies evaluate each vulnerability against four questions:
1. Asset exposure: Is the vulnerable system publicly accessible on the internet?
2. KEV status: Is the vulnerability on CISA’s Known Exploited Vulnerabilities catalog?
3. Exploit automation: Can an adversary fully automate the exploitation process?
4. Technical impact: Does successful exploitation grant partial or total control of the system?
A vulnerability scoring positive on all four is a three-day fix. Those meeting fewer criteria receive longer remediation windows.
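The triage described above, as an added example that is not part of the article or of CISA's own tooling: it scores each finding against the four criteria and assigns a remediation tier. Only the 72-hour window for the all-four case comes from the directive; the intermediate windows, the CVE ids and the KEV catalog contents are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed stand-in for the KEV catalog; these CVE ids are placeholders, not real entries.
KEV_CATALOG = {"CVE-0000-0001", "CVE-0000-0003"}
# Only the all-four 72-hour window comes from the directive; the other windows are assumed placeholders.
WINDOWS = {4: timedelta(hours=72), 3: timedelta(days=14), 2: timedelta(days=30), 1: timedelta(days=60)}

@dataclass
class Finding:
    cve: str
    internet_exposed: bool     # criterion 1: asset exposure
    exploit_automatable: bool  # criterion 3: exploit automation
    control_granted: bool      # criterion 4: partial or total control on exploitation
    discovered: datetime

    def criteria_met(self) -> int:
        """Count the BOD 26-04 criteria satisfied; KEV membership is criterion 2."""
        return sum([self.internet_exposed, self.cve in KEV_CATALOG,
                    self.exploit_automatable, self.control_granted])

def remediation_plan(f: Finding) -> dict:
    """Map a finding to a tier, a deadline, and whether forensic triage is required."""
    n = f.criteria_met()
    if n == 0:
        # Lowest risk: defer to the next scheduled system upgrade, so no fixed deadline.
        return {"cve": f.cve, "criteria_met": 0, "tier": "defer-to-upgrade",
                "deadline": None, "forensic_triage": False}
    return {"cve": f.cve, "criteria_met": n,
            "tier": "urgent-72h" if n == 4 else f"tier-{n}",
            "deadline": f.discovered + WINDOWS[n],
            # Only the all-four case triggers the compromise check the directive mandates.
            "forensic_triage": n == 4}

def prioritize(findings: list) -> list:
    """Order plans by deadline, soonest first; deferred items sort last."""
    plans = [remediation_plan(f) for f in findings]
    return sorted(plans, key=lambda p: (p["deadline"] is None, p["deadline"] or datetime.max))

# Constructed sample inventory (CVE ids are placeholders).
T0 = datetime(2026, 5, 6, 9, 0)
SAMPLE = [
    Finding("CVE-0000-0001", True, True, True, T0),     # all four criteria: 72-hour fix
    Finding("CVE-0000-0002", True, True, True, T0),     # not on KEV: three criteria
    Finding("CVE-0000-0003", False, False, False, T0),  # KEV only: one criterion
    Finding("CVE-0000-0004", False, False, False, T0),  # none: defer to upgrade
]
if __name__ == "__main__":
    for plan in prioritize(SAMPLE):
        print(plan)
```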
CISA acting director Nick Andersen framed the directive as a fundamental rethinking of vulnerability management. “This Directive provides clear definitions, timelines and criteria that enhances transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation,” Andersen said in a statement. “CISA is leading and collaborating with federal civilian agencies to stay ahead of our adversaries as tactics, technologies and vulnerabilities change.”
Why the Timeline Is Shrinking
The directive is motivated in part by how artificial intelligence is compressing the window between vulnerability disclosure and weaponization. “Artificial intelligence is assisting both researchers and adversaries in identifying flaws in software, vastly increasing the pace at which new vulnerabilities are discovered,” wrote Chris Butera, acting executive assistant director for cybersecurity, and Jonathan Spring, senior technical adviser, in a CISA blog post.
The numbers are stark. According to Verizon’s 2026 Data Breach Investigations Report, only 26 percent of vulnerabilities on CISA’s Known Exploited Vulnerabilities catalog were fully remediated by organizations in 2025, down from 38 percent the previous year. The median time for full resolution rose to 43 days. CISA officials wrote that “defenders are already struggling to keep up.”
Agencies now have a phased timeline to comply. They must immediately update their vulnerability management policies and establish processes for ongoing remediation of KEV-listed vulnerabilities. Within 60 days, they need to update processes for remediating common vulnerabilities. Within 180 days, they must meet the directive’s full remediation timelines.
Is It Feasible?
Butera told reporters that CISA tested the three-day window with some agencies before issuing the directive. At one large agency CISA analyzed, only 1 percent of vulnerabilities fell into the most urgent three-day category, while 60 percent could be deferred to the next system upgrade.
“We really believe we should be able to free up some time to patch the most urgent vulnerabilities faster, while allowing for more regular patch cycles for some of the lower risk vulnerabilities,” Butera said.
The directive reflects priorities laid out in an executive order on AI that President Donald Trump signed last week. BODs are mandatory for federal civilian agencies but are not legally binding on the private sector, though CISA encourages companies to adopt the same framework. Security researchers broadly support the approach. Patrick Garrity of VulnCheck noted that similar guidance has emerged from India and the United Kingdom, calling it “the right direction.”
Tod Beardsley, vice president of security research at runZero and a former KEV section chief at CISA, said on LinkedIn that the directive “brings vulnerability management into the era of AI-driven threats by focusing limited resources on the vulnerabilities that actually matter.”
The directive arrives as CISA continues adding vulnerabilities to its KEV catalog at an accelerating rate. Earlier this week, the agency added two new entries: a command injection flaw in BerriAI’s LiteLLM and a critical vulnerability in Check Point Security Gateway, both under active exploitation.

