There’s never been enough time to patch every vulnerability. For most organizations, one number has governed how security teams prioritized what to fix first: the CVSS score. A vulnerability rated 9.8 jumped to the top of the queue. A 6.2 waited. It was never a perfect system, but it was simple, universal, and easy to defend in an audit.
CISA just quietly retired it.
On June 10, 2026, CISA published Binding Operational Directive 26-04, Prioritizing Security Updates Based on Risk. It doesn’t just tweak federal patching timelines. It stops using severity scores like CVSS as the basis for prioritization and replaces them with a risk model built on how a vulnerability actually behaves. The directive applies to federal civilian agencies, but the reasoning behind it should change how every organization thinks about remediation.
What actually changed
BOD 26-04 consolidates and replaces two older directives (19-02 and 22-01) and swaps out static severity scoring in favor of four risk signals that map far more closely to the likelihood that a vulnerability will actually be exploited:
- Asset exposure. Is the vulnerable asset publicly exposed?
- KEV status. Is the vulnerability already on CISA’s Known Exploited Vulnerabilities catalog?
- Exploit automation. Can an adversary automate every step needed to exploit it?
- Technical impact. Does exploitation hand the attacker partial or total control of the asset?
A vulnerability that checks all four boxes now has to be remediated within three calendar days. That’s the most aggressive federal patch timeline ever mandated. And patching alone isn’t enough. For that highest-risk tier, agencies must also perform forensic triage to determine whether the system has already been compromised.
CISA isn’t just saying ‘patch faster.’ It’s saying ‘assume the window between disclosure and exploitation may already have closed.’
This change reflects a new reality. Vulnerabilities are being identified, and patches created, at a rate that exceeds any reasonable patching cadence. And I agree with the logic behind the change. But there is another reality that needs consideration. CISA rightly focuses the three-day clock on assets exposed to the public internet, since that’s where organizations face the most direct, automated pressure. But ‘public exposure’ is a statement about where attackers start, not where they stay. Perimeter compromise is close to inevitable now, and AI is pushing that probability higher by accelerating how fast a newly disclosed flaw becomes a working exploit. Once an adversary is inside, an internal-only asset is subject to exactly the same logic. Is it automatable? Does it grant control? Is it being exploited?
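To make the four-signal model concrete, and to show the point above about re-evaluating internal assets once the perimeter is breached, here is an added illustration (example code written for this article, not CISA’s or the directive’s). Only the top tier (all four signals, three days plus forensic triage) comes from the directive as described here; the lower tiers, their timelines, and the sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Finding:
    asset: str
    ref: str              # constructed placeholder, not a real CVE id
    cvss: float
    public_exposed: bool  # asset reachable from the public internet
    in_kev: bool          # listed in CISA's Known Exploited Vulnerabilities catalog
    automatable: bool     # every step of exploitation can be automated
    grants_control: bool  # exploitation yields partial or total control of the asset

def risk_signals(f: Finding) -> int:
    """Count how many of the four BOD 26-04 signals a finding satisfies."""
    return sum((f.public_exposed, f.in_kev, f.automatable, f.grants_control))

def remediation_plan(f: Finding) -> dict:
    """All four signals: 3 calendar days plus forensic triage, as the directive states.
    The lower tiers and timelines are ASSUMPTIONS for illustration; the article gives none."""
    if risk_signals(f) == 4:
        return {"tier": "critical", "days": 3, "forensic_triage": True}
    if f.in_kev:  # assumed: anything already being exploited gets an urgent tier
        return {"tier": "urgent", "days": 14, "forensic_triage": False}
    return {"tier": "standard", "days": 30, "forensic_triage": False}

def rank_by_cvss(findings):
    """The old rule: highest severity score first."""
    return sorted(findings, key=lambda f: -f.cvss)

def rank_by_risk(findings):
    """The directive's rule: most signals first, then KEV and exposure; CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (-risk_signals(f), not f.in_kev, not f.public_exposed, -f.cvss))

def assume_breach(f: Finding) -> Finding:
    """Internal-only asset after a perimeter compromise: treat exposure as met
    and re-evaluate with the same four-signal logic."""
    return replace(f, public_exposed=True)

# Constructed sample inventory (not real findings).
SAMPLE = [
    Finding("vpn-gw-01", "EXAMPLE-0001", 7.2, True, True, True, True),
    Finding("build-server", "EXAMPLE-0002", 9.8, False, False, False, True),
    Finding("hr-portal", "EXAMPLE-0003", 8.1, True, False, True, False),
    Finding("file-share", "EXAMPLE-0004", 6.2, False, True, True, True),
]

if __name__ == "__main__":
    print("CVSS order:", [f.asset for f in rank_by_cvss(SAMPLE)])
    print("Risk order:", [f.asset for f in rank_by_risk(SAMPLE)])
```

Run it and the two orderings invert: the 9.8 on an internal, non-automatable build server drops to last, while the 6.2 on a KEV-listed file share becomes a three-day critical the moment the perimeter is assumed breached.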
Why now: AI compressed the timeline
The directive is explicit about its motivation. CISA points to AI shortening the time between vulnerability discovery and weaponization. The gap between a CVE going public and a working exploit has collapsed.
A static severity score made sense in a world where exploit development was slow and human-paced. When an attacker can use AI to generate working exploit code at machine speed, prioritizing by an abstract 1-to-10 rating is prioritizing by the wrong variable. What matters is no longer ‘how bad is this in theory’ but ‘how exposed am I, how easily can this be automated, and is someone already doing it.’
CVSS answers the first question. BOD 26-04 is built around the second.
You can’t prioritize what you can’t see
Every one of those four criteria assumes you already know something about your own environment. You can’t prioritize by ‘publicly exposed’ without an accurate, current picture of what you own and what’s reachable. You can’t weigh ‘grants control of the system’ without knowing which systems are critical and what they’re connected to. You can’t triage a possible compromise in three days if you don’t have a baseline for what normal looks like. The directive reads like a patching mandate, but underneath it is a much older question: how well do you actually know yourself?
That knowledge isn’t something you buy. It’s a governance outcome. Most organizations that fail a model like BOD 26-04 don’t fail for lack of tooling. They fail because no one owns the asset inventory, criticality has never been defined, and the environment has never been governed as a living thing. This is the work of GRC (governance, risk, and compliance), and it’s easy to dismiss as paperwork. But GRC is what assigns ownership, sets the definitions of ‘critical’ and ‘exposed,’ and keeps the picture current as the environment changes. Asset management that actually holds up under a three-day clock is a product of that program, not a precondition you can shortcut with a scanner.
In a large enterprise, the governance layer and the tooling that sits on top of it are line items in a mature budget. In small and mid-market organizations, both are often missing, and the instinct is to reach for the tool first… buy a scanner, generate a report, call it a program. But a scanner pointed at an environment no one has governed just produces a longer list with no way to rank it. The foundation has to come first.
That’s the real gap BOD 26-04 exposes. Risk-based prioritization is the right model, but it only works on top of an environment you’ve done the unglamorous work of governing. The organizations least equipped to clear that bar are the ones who never built the program underneath it.
What to do with this
You don’t have to be a federal agency for BOD 26-04 to matter. The directive is essentially CISA publishing its threat model. And that threat model applies to anyone with systems worth attacking and adversaries who’ve discovered AI.
A few questions worth asking this quarter:
- Could we identify every exposed asset today? Not eventually… today. And do we know which internal systems an attacker would reach next?
- Is our prioritization still anchored to CVSS? If so, we’re optimizing for theoretical severity while attackers optimize for opportunity.
- If a critical system is compromised, how long until we know? Three days is now the federal bar for the highest-risk cases. What’s yours?
If those questions are harder to answer than they should be, the gap likely isn’t a missing tool. It’s the governance layer underneath, the part that decides what you own, what matters, and who’s accountable for keeping that picture current. Build that and risk-based prioritization becomes possible. Skip it and no amount of tooling will save you from a longer list you still can’t rank.
That foundation is hard to stand up from scratch with a small team, which is exactly why governance, risk, and compliance is increasingly something organizations source rather than build alone. However you get there, the point holds… the program comes before the patch.
The backlog isn’t going away. But the rule that ‘highest CVSS goes first’ just stopped being good enough, and the agencies most targeted by nation-state actors were the first to say so out loud.
Building a stronger security program starts with understanding your environment. If you’re ready to improve visibility, governance, and risk-based decision making, Velaspan can help.