CISA gives agencies new vulnerability remediation deadlines that take risk levels into account

https://www.cybersecuritydive.com/news/cisa-vulnerability-remediation-prioritization-directive/822504/

Publish Date: 2026-06-10 11:43:00

Source Domain: www.cybersecuritydive.com

The Cybersecurity and Infrastructure Security Agency on Wednesday directed federal agencies to adopt a new risk-based approach to fixing vulnerabilities in their systems.
CISA’s binding operational directive (BOD) establishes new deadlines for vulnerability remediation based on four factors: whether affected systems are exposed to the internet, whether threat actors are exploiting the flaw, whether the exploit is automatable and whether exploitation gives attackers at least partial control of the affected system.

The new system reflects an increasingly complex and dangerous threat environment in which both internet-exposed devices and serious vulnerabilities are proliferating quickly — and in which AI is making it easier for hackers to automate attacks that use those vulnerabilities to breach devices.
Under the new prioritization scheme, which takes effect Dec. 7, agencies will have three days to address actively exploited, automatable vulnerabilities that grant hackers at least partial control over internet-facing systems. In cases where the vulnerability would grant hackers total control, agencies also have to perform a forensic triage of the affected assets to determine if they have been compromised. (CISA’s implementation guidance for the BOD describes how agencies should perform triages.)
The BOD establishes looser deadlines for other situations. Agencies will have two weeks to address actively exploited vulnerabilities that would grant partial control over internet-facing systems but are not automatable. (In cases where exploitation is not automatable but would grant full control, agencies would still need to remediate within three days and perform a forensic triage.) There are also longer deadlines for vulnerabilities that hackers are not yet exploiting, as well as for vulnerabilities affecting systems that are not exposed to the internet.
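The deadline branches described above, written out as a small decision model. This is an added example, not code from the article or from CISA's directive; it encodes only the branches the article quantifies (exploited flaws on internet-facing systems granting at least partial control) and returns no number for the "longer deadline" cases the article leaves unquantified. The Finding and Decision types, the control-level labels and the sample identifiers are assumptions made for illustration.

```python
"""Added example (not from the article or from CISA): a model of the
remediation-deadline branches the article describes. Branches the article
does not quantify return None rather than a guessed deadline."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance scored on the BOD's four factors."""
    vuln_id: str            # identifier; sample values below are constructed placeholders
    internet_exposed: bool  # is the affected system reachable from the internet?
    exploited: bool         # is the flaw being actively exploited (e.g. a KEV entry)?
    automatable: bool       # can exploitation be automated?
    control: str            # control gained on exploitation: "none", "partial" or "total"


@dataclass(frozen=True)
class Decision:
    deadline_days: Optional[int]   # None = longer deadline, not quantified in the article
    forensic_triage: bool          # must the asset be triaged for compromise?


def remediation_decision(f: Finding) -> Decision:
    """Map a finding to the deadline (and triage requirement) the article states."""
    if f.control not in ("none", "partial", "total"):
        raise ValueError(f"unknown control level: {f.control!r}")
    # Concrete numbers exist only for exploited flaws on internet-facing systems
    # that grant at least partial control; everything else gets a "longer"
    # deadline that the article does not quantify.
    if not (f.internet_exposed and f.exploited and f.control in ("partial", "total")):
        return Decision(deadline_days=None, forensic_triage=False)
    if f.control == "total":
        # Total control: three days plus a forensic triage, automatable or not.
        return Decision(deadline_days=3, forensic_triage=True)
    # Partial control: three days if automatable, two weeks otherwise.
    return Decision(deadline_days=3 if f.automatable else 14, forensic_triage=False)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by urgency: shortest stated deadline first, triage-required
    before not, unquantified ("longer") deadlines last, ties broken by id."""
    def key(f: Finding):
        d = remediation_decision(f)
        days = d.deadline_days if d.deadline_days is not None else 10**6
        return (days, not d.forensic_triage, f.vuln_id)
    return sorted(findings, key=key)


# Constructed sample inventory; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("VULN-A", True, True, True, "partial"),
    Finding("VULN-B", True, True, False, "total"),
    Finding("VULN-C", True, True, False, "partial"),
    Finding("VULN-D", True, False, True, "total"),
    Finding("VULN-E", False, True, True, "total"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        d = remediation_decision(f)
        when = (f"{d.deadline_days} days" if d.deadline_days is not None
                else "longer deadline (not quantified here)")
        print(f"{f.vuln_id}: {when}{' + forensic triage' if d.forensic_triage else ''}")
```

Running the module lists the constructed findings most urgent first: the total-control case (three days plus triage) ahead of the automatable partial-control case (three days), then the non-automatable partial-control case (two weeks), with the not-yet-exploited and non-internet-facing findings at the end because the article gives them no specific deadline.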

[Figure: A flowchart of the deadlines in the new directive. Retrieved from the Cybersecurity and Infrastructure Security Agency.]

“CISA is empowering federal civilian agencies to focus their efforts on the areas of highest risk and defer patching lower priority vulnerabilities,” Nick Andersen, the agency’s acting director, said in a statement.

Implementation timeline
Beginning on Wednesday, agencies must update their vulnerability handling procedures to reflect CISA’s directive, including assigning responsibilities to the appropriate employees and establishing compliance and tracking processes. They must also monitor CISA’s Known Exploited Vulnerabilities (KEV) catalog for new entries, automatically report their vulnerability remediation status through CISA’s Continuous Diagnostics and Mitigation dashboard and ensure their systems allow CISA to conduct its periodic Cyber Hygiene scans.
Agencies must have fully updated their vulnerability management processes to account for the BOD’s timelines by Aug. 9, 60 days after Wednesday’s issuance of the directive. They must begin implementing those remediation processes by Dec. 7, 180 days after the BOD’s release. As part of that work, they must tag all internet-accessible devices with information that they and CISA can use to monitor the devices.
CISA said it would release guidance on tagging within 60 days. It also committed to regularly reporting to agencies on the results of its vulnerability scans. And once a year, it said, it will conduct a “data-driven reassessment” of the BOD’s deadlines to determine whether to shorten them. The agency will also update its triage guidance as necessary.