CISA tells agencies to patch smarter, not harder — foreshadowing broader industry practice


Security teams’ patching practices have come under intense pressure over the past year, as active exploitation is up, time-to-exploit windows are accelerating, and vulnerabilities have become attackers’ top initial access vector of choice.

Last year, organizations fully remediated only 26% of the vulnerabilities that attackers were actively exploiting in the wild — down from 38% the year before, according to Verizon’s 2026 Data Breach Investigations Report. The median time to close those known dangerous gaps stretched to 43 days, while attackers have trimmed their side of the equation to days, sometimes hours.

That’s the backdrop against which the US Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 26-04. The directive reflects growing recognition that patching based primarily on severity scores is no longer sufficient in an AI-driven environment where defenders face more vulnerabilities than they can realistically remediate at once.

During a media briefing announcing the directive, Chris Butera, acting executive assistant director for cybersecurity at CISA, described the initiative as the culmination of more than a decade of lessons learned from federal vulnerability management programs, adversary activity, and the agency’s growing understanding of AI’s impact on cyber operations.

“Prioritizing IT and security operations attention on the most at-risk assets is particularly important now given advancements in artificial intelligence, which allow threat actors to find and exploit vulnerabilities in these assets,” Butera said. “Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse.”

In a companion blog post, Butera and Jonathan Spring, CISA’s senior technical advisor, argue that defenders are struggling to keep pace with a rapidly growing volume of vulnerabilities. AI is assisting researchers and adversaries in identifying flaws in software, vastly increasing the pace at which new vulnerabilities are discovered and forcing organizations to rethink how they prioritize remediation efforts.

Butera and Spring argue that defenders need greater clarity and speed when deciding what to patch. Their prescription: patch smarter, not harder.

Beyond CVSS: Why severity scores are no longer enough

The directive builds on CISA’s Known Exploited Vulnerabilities program, which already identifies vulnerabilities actively being abused by attackers. But BOD 26-04 goes further by introducing a decision framework that considers four key factors: whether the vulnerable system is publicly exposed to the internet, whether the vulnerability is listed in the KEV catalog, whether an attacker can automate exploitation, and how much control an attacker would gain after exploitation.

During the briefing, Butera said those four characteristics — public exposure, known exploitation, exploit automation, and post-exploitation impact — represent the conditions most closely associated with meaningful risk to federal systems. Vulnerabilities exhibiting three or more of those attributes must be patched within three days, while lower-risk vulnerabilities can be addressed on longer timelines or, in some cases, deferred until the next major system upgrade.
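The four-factor triage described above, as an added illustration that is not part of the article or of CISA's directive: findings are scored on the four attributes, anything with three or more lands in the three-day tier, and re-scoring after a KEV listing shows why the timelines are dynamic. The CVE identifiers and assets are constructed placeholders, and the tiers below three factors are assumed labels, not the directive's own table.

```python
from dataclasses import dataclass, replace
from collections import Counter

# The four BOD 26-04 factors named in the article.
FACTORS = ("internet_exposed", "in_kev", "exploit_automatable", "full_control")

@dataclass(frozen=True)
class Finding:
    cve: str            # constructed placeholder ids, not real CVEs
    asset: str
    internet_exposed: bool
    in_kev: bool
    exploit_automatable: bool
    full_control: bool

    def factor_count(self) -> int:
        return sum(getattr(self, f) for f in FACTORS)

def required_action(f: Finding) -> str:
    """Map a finding to a remediation tier.

    Only the top rule (3+ factors -> patch within 3 days) comes from the
    article; the two lower tiers are hypothetical labels for this example.
    """
    n = f.factor_count()
    if n >= 3:
        return "3-day"
    if n == 2:
        return "regular-cycle"          # assumption: routine patch window
    return "defer-to-next-upgrade"      # assumption: lowest tier

def triage(findings) -> Counter:
    """Count findings per tier, so a team sees how much is truly urgent."""
    return Counter(required_action(f) for f in findings)

def rescore_on_kev_listing(f: Finding) -> tuple:
    """Timelines are dynamic: tier before and after the CVE enters KEV."""
    return required_action(f), required_action(replace(f, in_kev=True))

# Constructed inventory (hypothetical assets and placeholder CVE ids).
INVENTORY = [
    Finding("CVE-0000-0001", "vpn-gw",       True,  True,  True,  True),
    Finding("CVE-0000-0002", "web-portal",   True,  False, True,  False),
    Finding("CVE-0000-0003", "hr-db",        False, False, False, True),
    Finding("CVE-0000-0004", "build-runner", False, True,  False, True),
    Finding("CVE-0000-0005", "printer",      False, False, False, False),
]

if __name__ == "__main__":
    print(dict(triage(INVENTORY)))              # one urgent out of five
    print(rescore_on_kev_listing(INVENTORY[1])) # regular-cycle -> 3-day
```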

The change reflects a broader shift in how security practitioners think about vulnerability management. For years, organizations have relied heavily on severity scores such as CVSS to determine patching priorities. But those scores often fail to predict whether attackers will actually exploit a flaw.

“The directive used to be based on just severity score, which we as an industry have come to find is not a good predictor of exploitation,” Sasha Romanosky, a senior cybersecurity policy researcher at RAND, tells CSO. “This BoD looks to be updated to account for both impact and exploitation, which I think is the right approach.”

Jerry Gamblin, FIRST EPSS SIG member and founder of RogoLabs, is even more enthusiastic about the BoD. “BOD 26-04 is a massive step in the right direction and validates what data-driven teams already know: Patching every CVSS High or Critical is mathematically impossible,” he tells CSO. “By formalizing the use of the KEV catalog alongside advanced predictive data like EPSS, CISA is helping drive the industry toward practical, risk-based operational maturity.”

The operational burden of continuous risk assessment

Perhaps the most notable operational change is that remediation timelines become dynamic. A vulnerability’s required response time can change as circumstances change, with internet-facing and actively exploited vulnerabilities receiving the highest priority.

During the briefing, Butera said that this flexibility is one of the directive’s greatest strengths. In an analysis of one federal civilian agency, CISA found that only about 1% of vulnerability instances required remediation within three days, while more than 60% could be deferred until the next system update.

That finding highlights the agency’s central argument: Vulnerability management has become a prioritization problem as much as a patching problem.

“We really believe we should be able to free up some time to patch the most urgent vulnerabilities faster while allowing for more regular patch cycles for some of the lower-risk vulnerabilities,” Butera said.

Rather than forcing agencies to expend resources remediating thousands of vulnerabilities of varying importance, the framework concentrates attention on the small subset of flaws most likely to result in compromise.

What the directive gets right — and what it leaves out

Romanosky notes, however, that the directive’s treatment of impact is relatively narrow, focusing largely on whether exploitation grants an attacker partial or complete control of a system.

“What about integrity impacts that change data, or completely deny access to a system, such as a DDoS attack on DNS or wiping out a database?” he says. “Those impacts would also seem important.”

Still, he acknowledges that if policymakers must simplify risk decisions across the federal government, prioritizing vulnerabilities that provide adversaries control over systems is a reasonable place to start.

The directive also places significant emphasis on internet-facing systems, which could raise questions about risks deeper inside enterprise networks. Butera and Spring address that point directly in their blog post, arguing that CISA does not typically observe threat actors compromising core networks through software vulnerabilities alone. Instead, attackers frequently rely on valid credentials, misconfigurations, and other “living off the land” techniques.

KEV is useful — but is it enough?

Cybersecurity professionals outside government should pay close attention because federal vulnerability management often foreshadows broader industry practice. The directive formalizes ideas that many security leaders have advocated for years: CVSS scores alone are insufficient; asset context matters; internet exposure matters; active exploitation matters most.

Michael Roytman, co-founder and CTO of Empirical Security, views the directive as a milestone in that evolution.

“The federal government finally retired the ‘patch everything on the list’ mandate and replaced it with risk-based prioritization,” Roytman tells CSO. “Eleven years ago, prioritizing by exploitation probability was a heresy we had to defend in conference hallways. Today, it’s a binding federal directive.”

But he also argues that the framework’s reliance on the KEV catalog highlights one of its limitations.

“KEV lists are binary and retroactive,” Roytman says. “When AI compresses the gap between patch and exploit to hours, waiting for the KEV entry means you find out you were wrong from the incident report.”

Romanosky raises a similar concern, describing KEV as a valuable but inherently backward-looking source of information. “KEV is a great program for DHS and the public, but it is, at best, evidence of past exploitation,” he says.

Both experts suggest that predictive signals deserve a larger role in future vulnerability prioritization efforts. Romanosky points specifically to the Exploit Prediction Scoring System (EPSS), which estimates the likelihood that a vulnerability will be exploited in the future.

“The concern, of course, is that vulnerabilities age, and so what may have been exploited last year or last month may no longer be used in active exploitation today,” Romanosky says. “So EPSS would provide a better signal.”

Roytman takes the argument a step further. Drawing on research conducted alongside Verizon’s DBIR team, he said that recency matters enormously when assessing exploitation risk.

According to Roytman, 82% of KEV entries involve vulnerabilities whose exploitation was first reported more than a year ago. “Twelve months of inactivity means the chance of exploitation falls from 99% on the first day down to 5%,” he says.

He also argues that KEV captures only a fraction of observed exploitation activity. “The KEV list covers only about 8% of observed exploitation,” Roytman said. “We’re tracking 17,800 CVEs compared to CISA’s 1,600.”

How AI could force another rethink of vulnerability management

Butera and Spring argue that artificial intelligence is already accelerating vulnerability discovery and increasing pressure on defenders. BOD 26-04 is intended to help agencies automate and scale vulnerability management while focusing scarce resources on the risks that matter most.

But the directive’s four-factor framework was built on the vulnerability landscape as it exists today — and AI may render that landscape unrecognizable relatively quickly.

Romanosky points to a structural gap in the current model: because the framework relies heavily on CVE identifiers, defenders may encounter newly discovered flaws that require urgent attention before they’ve been formally cataloged. “As more vulnerabilities are discovered quicker with AI tools, we might expect a whole set of new vulnerabilities that haven’t yet been assigned CVE IDs that need to be patched super quick,” he says.

That’s not a hypothetical concern. The CVE assignment process — run by MITRE and a network of numbering authorities — was built for a slower discovery cadence. It can take days or weeks for a vulnerability to receive an identifier, go through NVD analysis, and appear in tools that practitioners actually use. If AI compresses the window between discovery and exploitation to hours, that pipeline becomes a liability.

Roytman sees the directive’s four-factor model as a starting point rather than an endpoint — one calibrated to average federal risk rather than the specific conditions of any individual organization. “The risk in CISA’s table is the average risk across the federal enterprise,” he said. “The risk in an enterprise environment is a different number that depends on controls, telemetry, prevalence, and ultimately a local model specific to that enterprise.”

Romanosky agrees that another revision may be inevitable. “I might expect another revised BOD — or some other directive — to account for what may be a new continuous stream of vulnerabilities,” he says.

In that sense, BOD 26-04 may be less a destination than a waypoint: the federal government’s best current answer to a problem that AI is guaranteed to make harder.
