# Federal Agencies Face New 3-Day Deadline for Critical Vulnerability Patches

*Published June 12, 2026*
*Source: [https://cybersecuritynews.com/cisa-patch-vulnerabilities-3-days/](https://cybersecuritynews.com/cisa-patch-vulnerabilities-3-days/)*

## Executive Summary

CISA has issued a directive mandating federal agencies to patch critical vulnerabilities within three days, marking an unprecedented change in federal vulnerability management. This move aims to mitigate risks from known exploited vulnerabilities by prioritizing high-risk issues.

## Article

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has rolled out Binding Operational Directive (BOD) 26-04, requiring Federal Civilian Executive Branch (FCEB) agencies to address the most critical vulnerabilities within three calendar days. Released on June 10, 2026, this directive sets the most stringent patch timeline ever for federal agencies, fundamentally changing how they manage vulnerabilities.

Binding Operational Directives are mandatory regulations under 44 U.S.C. § 3552(b)(1), allowing the Department of Homeland Security to set cybersecurity policies for federal civilian agencies. BOD 26-04 replaces earlier directives, BOD 19-02 and BOD 22-01, merging vulnerability remediation guidelines into a single risk-based framework. This directive excludes national security systems and those operated by the Intelligence Community.

The directive shifts focus from routine patching to a risk-based approach, assessing vulnerabilities against four criteria. CISA provides data on known exploited vulnerabilities (KEV), exploit automation, and technical impact, while agencies assess public exposure using CISA's Internet Exposure Reduction Guidance. The urgency of addressing a vulnerability depends on how many of the high-risk criteria it meets. Critical vulnerabilities that are publicly exposed, listed in the KEV catalog, automatable by adversaries, and allow total system control must be patched within three days, along with mandatory forensic checks for compromise. Lesser vulnerabilities have longer remediation timelines of 14 or 60 days, while non-urgent ones are deferred to scheduled updates.

The directive's rollout includes three phases. Immediately, agencies must update policies, monitor the KEV catalog, and automate reporting through the Continuous Diagnostics and Mitigation (CDM) Dashboard. Within 60 days, agencies should align processes with the CVE database and KEV catalog. Full compliance with remediation timelines and asset metadata tagging must occur within 180 days.

CISA highlights the rising use of AI by threat actors as a significant reason for this directive, noting that AI could shorten the gap between patch release and exploitation. Nation-state actors often exploit known vulnerabilities, compromising infrastructure and stealing data. By focusing on high-risk vulnerabilities, BOD 26-04 aims to reduce critical federal attack surfaces while allowing flexibility for lower-risk issues. CISA will annually reassess remediation timelines and continue to provide guidance through emergency directives and direct engagement via CyberDirectives@cisa.dhs.gov.
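To make the four-criteria triage concrete, below is an added Python example (not code from the article or from CISA) that scores a finding against the four criteria named above, assigns a remediation deadline, and flags overdue items the way an agency's CDM reporting feed might. The article only states that meeting all four criteria gives a 3-day deadline with a mandatory compromise check and that lesser findings get 14 or 60 days or are deferred; the exact mapping of 2-3 criteria to 14 days and 1 criterion to 60 days is an assumption of this example, as are the CVE IDs and dates in the sample data, which are constructed placeholders.

```python
"""Risk-based triage of vulnerability findings in the style of BOD 26-04.

Added example; the tier thresholds below 'all four' are assumptions,
not text from the directive or the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve_id: str            # constructed placeholder IDs are used in the sample data
    asset: str
    detected: date         # date the finding entered the agency's tracking
    internet_exposed: bool  # agency-assessed (Internet Exposure Reduction Guidance)
    in_kev: bool            # CISA-provided: listed in the KEV catalog
    automatable: bool       # CISA-provided: exploit is automatable by adversaries
    total_control: bool     # CISA-provided technical impact: full system control


def criteria_met(f: Finding) -> int:
    """Count how many of the four high-risk criteria the finding satisfies."""
    return sum((f.internet_exposed, f.in_kev, f.automatable, f.total_control))


def deadline_days(n_criteria: int) -> Optional[int]:
    """Map criteria count to a remediation window in calendar days.

    4 criteria -> 3 days (stated in the article).
    2-3 criteria -> 14 days, 1 criterion -> 60 days (ASSUMED split of the
    14/60-day tiers the article mentions). 0 criteria -> None (deferred to
    scheduled updates).
    """
    if n_criteria == 4:
        return 3
    if n_criteria >= 2:
        return 14
    if n_criteria == 1:
        return 60
    return None


def triage(f: Finding, today: date) -> dict:
    """Return the tier, due date, forensic-check requirement and overdue status."""
    n = criteria_met(f)
    days = deadline_days(n)
    due = f.detected + timedelta(days=days) if days is not None else None
    return {
        "cve_id": f.cve_id,
        "asset": f.asset,
        "criteria_met": n,
        "deadline_days": days,
        "due": due,
        # The article ties the mandatory compromise check to the 3-day tier.
        "forensic_check_required": n == 4,
        "overdue": due is not None and today > due,
    }


def triage_report(findings: list, today: date) -> list:
    """Triage every finding, most urgent first (deferred items last)."""
    rows = [triage(f, today) for f in findings]
    return sorted(rows, key=lambda r: (r["due"] is None, r["due"] or date.max))


# Constructed sample data; CVE IDs and dates are placeholders, not real findings.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web-gw-01", date(2026, 6, 10), True, True, True, True),
    Finding("CVE-0000-0002", "db-int-03", date(2026, 6, 10), False, True, True, True),
    Finding("CVE-0000-0003", "kiosk-07", date(2026, 6, 1), False, False, False, True),
    Finding("CVE-0000-0004", "print-srv", date(2026, 5, 1), False, False, False, False),
]

if __name__ == "__main__":
    for row in triage_report(SAMPLE_FINDINGS, today=date(2026, 6, 14)):
        print(row)
```

Run as-is to see the ordering: the fully exposed, KEV-listed, automatable, full-control finding is due three days after detection and is already overdue on the sample "today", while the zero-criteria item carries no deadline and sorts last. In practice the booleans would be filled from the agency's asset inventory (exposure) and from CISA's KEV and exploitability data rather than typed by hand.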
