The Cybersecurity and Infrastructure Security Agency (CISA) has introduced a directive requiring federal agencies to prioritize the patching of high-risk security vulnerabilities. This new directive, called Binding Operational Directive 26-04, builds upon previous mandates by emphasizing the importance of addressing vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog. Since its establishment in 2021, the KEV catalog has guided agencies in patching known security flaws within set timeframes. The latest directive now requires agencies to update their vulnerability management policies and prioritize remediation efforts based on risk assessments.
Federal agencies must keep a close watch on updates to the KEV catalog, ensuring they address new vulnerabilities in accordance with outlined timelines. Agencies are expected to automate the reporting of their vulnerability status and perform regular inventory checks of externally accessible assets. CISA will support these efforts by frequently updating the KEV catalog and providing necessary data and guidance. Within 60 days, CISA plans to publish data requirements that will help agencies streamline asset tagging through standardized data schemas.
The urgency of patch remediation is determined by the potential impact of each vulnerability. Issues with significant technical impact, especially those that can lead to total control over an asset, must be addressed within three days. Less critical vulnerabilities, those not in the KEV catalog or whose remediation cannot be automated, may be resolved within 14 to 60 days, depending on their risk level. This directive aligns with the Office of Management and Budget's policies and aims to improve the security posture of federal networks.