CISA has issued Binding Operational Directive 26-04, requiring Federal Civilian Executive Branch agencies to remediate the highest-risk vulnerabilities in as little as three days, with a two-week window for less urgent cases where automated exploitation is not possible or yields only partial control. Patching priority is set by four considerations, and the directive supersedes the 2019 and 2021 directives. It covers FCEB agencies and the on-premises, third-party-hosted, and FedRAMP and non-FedRAMP cloud systems they operate, not military, intelligence, or contractor systems, and gives agencies 60 days to update their vulnerability-management processes and automate KEV-status reporting.

Why it matters to the security leader: a three-day SLA is operationally brutal. It assumes asset inventory, KEV automation, and change control are already mature, because there is no time to assemble them after a flaw lands. The directive effectively codifies that detection and inventory must be continuous, not quarterly, and that exploited vulnerabilities are treated as active incidents rather than backlog.
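The clock described above, as an added illustration that is not part of the original article or of any CISA tooling: a small tracker that joins an asset inventory against a KEV-style snapshot and applies the three-day or fourteen-day window. The KEV entries, inventory, CVE identifiers and the `automated_exploit` triage field are all constructed placeholders; the real KEV feed does not carry that field, it stands in for the directive's risk considerations.

```python
"""Remediation-deadline tracker for the directive's 3-day / 14-day clock."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed KEV-style entries (placeholder CVE IDs). The real KEV feed has
# cveID/dateAdded; `automated_exploit` is an assumption standing in for the
# directive's triage: "full" automation -> 3-day clock, otherwise 14 days.
KEV_SNAPSHOT = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-05", "automated_exploit": "full"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-01-05", "automated_exploit": "partial"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2026-01-12", "automated_exploit": "none"},
]

# Constructed asset inventory: asset name -> CVE IDs present on it.
INVENTORY = {
    "web-01": {"CVE-0000-0001", "CVE-0000-0003"},
    "db-01": {"CVE-0000-0002"},
    "build-07": {"CVE-9999-9999"},  # not in KEV: no directive clock applies
}

URGENT_DAYS = 3     # reliable, fully automated exploitation
STANDARD_DAYS = 14  # automation not possible or only partial control


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    due: date
    overdue: bool


def sla_days(entry: dict) -> int:
    return URGENT_DAYS if entry["automated_exploit"] == "full" else STANDARD_DAYS


def kev_findings(inventory, kev, as_of_iso: str) -> list[Finding]:
    """Join inventory with the KEV snapshot and apply the directive's clock."""
    as_of = date.fromisoformat(as_of_iso)
    by_cve = {e["cveID"]: e for e in kev}
    out = []
    for asset, cves in inventory.items():
        for cve in sorted(cves):
            entry = by_cve.get(cve)
            if entry is None:
                continue  # not known-exploited: ordinary patch cadence applies
            due = date.fromisoformat(entry["dateAdded"]) + timedelta(days=sla_days(entry))
            out.append(Finding(asset, cve, due, overdue=as_of > due))
    return out


if __name__ == "__main__":
    for f in kev_findings(INVENTORY, KEV_SNAPSHOT, "2026-01-10"):
        print(f)
```

Running it daily against the live inventory is what turns KEV status into a continuous incident queue rather than a quarterly report.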

The signal underneath: CISA directives have repeatedly become the de-facto private-sector benchmark, so the three-day clock will propagate into enterprise SLAs, vendor contracts, and cyber-insurance expectations whether or not a company is federal. The harder implication is architectural. Organizations that cannot patch in three days will be pushed toward compensating controls, virtual patching, segmentation, and exposure management as the primary line of defense, with patching as the follow-up. The metric to brief your board on is shifting from mean time to patch toward mean time to contain, because the window is now too short to rely on patching alone.

Source: BleepingComputer.