{"id":229421,"date":"2026-06-10T11:43:00","date_gmt":"2026-06-10T15:43:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/10\/cisa-gives-agencies-new-vulnerability-remediation-deadlines-that-take-risk-levels-into-account\/"},"modified":"2026-06-10T11:46:01","modified_gmt":"2026-06-10T15:46:01","slug":"cisa-gives-agencies-new-vulnerability-remediation-deadlines-that-take-risk-levels-into-account","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/10\/cisa-gives-agencies-new-vulnerability-remediation-deadlines-that-take-risk-levels-into-account\/","title":{"rendered":"CISA gives agencies new vulnerability remediation deadlines that take risk levels into account"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/cisa-vulnerability-remediation-prioritization-directive\/822504\/\">CISA gives agencies new vulnerability remediation deadlines that take risk levels into account<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/cisa-vulnerability-remediation-prioritization-directive\/822504\/\">https:\/\/www.cybersecuritydive.com\/news\/cisa-vulnerability-remediation-prioritization-directive\/822504\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-10 11:43:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>
<\/p>\n<p>The Cybersecurity and Infrastructure Security Agency on Wednesday directed federal agencies to adopt a new risk-based approach to fixing vulnerabilities in their systems.<br \/>\nCISA\u2019s binding operational directive (BOD) establishes new deadlines for vulnerability remediation based on four factors: whether affected systems are exposed to the internet, whether threat actors are exploiting the flaw, whether the exploit is automatable and whether exploitation gives attackers at least partial control of the affected system.<\/p>\n<p>The new system reflects an increasingly complex and dangerous threat environment in which both internet-exposed devices and serious vulnerabilities are proliferating quickly \u2014\u00a0and in which AI is making it easier for hackers to automate attacks that use those vulnerabilities to breach devices.<br \/>\nUnder the new prioritization scheme, which takes effect Dec. 7, agencies will have three days to address actively exploited, automatable vulnerabilities that grant hackers at least partial control over internet-facing systems. In cases where the vulnerability would grant hackers total control, agencies also have to perform a forensic triage of the affected assets to determine if they have been compromised. (CISA\u2019s implementation guidance for the BOD describes how agencies should perform triages.)<br \/>\nThe BOD establishes looser deadlines for other situations. Agencies will have two weeks to address actively exploited vulnerabilities that would grant partial control over internet-facing systems but are not automatable. (In cases where exploitation is not automatable but would grant full control, agencies would still need to remediate within three days and perform a forensic triage.) 
There are also longer deadlines for vulnerabilities that hackers are not yet exploiting, as well as for vulnerabilities affecting systems that are not exposed to the internet.<\/p>\n<p>A flowchart of the deadlines in the new directive.<br \/>\nRetrieved from Cybersecurity and Infrastructure Security Agency.<br \/>\n\u00a0<\/p>\n<p>\u201cCISA is empowering federal civilian agencies to focus their efforts on the areas of highest risk and defer patching lower priority vulnerabilities,\u201d Nick Andersen, the agency\u2019s acting director, said in a statement.<\/p>\n<p>Implementation timeline<br \/>\nBeginning on Wednesday, agencies must update their vulnerability handling procedures to reflect CISA\u2019s directive, including assigning responsibilities to the appropriate employees and establishing compliance and tracking processes. They must also monitor CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog for new entries, automatically report their vulnerability remediation status through CISA\u2019s Continuous Diagnostics and Mitigation dashboard and ensure their systems allow CISA to conduct its periodic Cyber Hygiene scans.<br \/>\nAgencies must have fully updated their vulnerability management processes to account for the BOD\u2019s timelines by Aug. 9, 60 days after Wednesday\u2019s issuance of the directive. They must begin implementing those remediation processes by Dec. 7, 180 days after the BOD\u2019s release. As part of that work, they must tag all internet-accessible devices with information that they and CISA can use to monitor the devices.<br \/>\nCISA said it would release guidance on tagging within 60 days. It also committed to regularly reporting to agencies on the results of its vulnerability scans. And once a year, it said, it will conduct a \u201cdata-driven reassessment\u201d of the BOD\u2019s deadlines to determine whether to shorten them. 
The agency will also update its triage guidance as necessary.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA gives agencies new vulnerability remediation deadlines that take risk levels into account https:\/\/www.cybersecuritydive.com\/news\/cisa-vulnerability-remediation-prioritization-directive\/822504\/ Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":229422,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/KaUPWOP9EUOw32dZjDO7PH2eerJzbsxu8hxNDPk0xD8\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9DSVNBX2hlYWRlci5qcGc=.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,31,27],"class_list":["post-229421","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229421"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=229421"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229421\/revisions"}],"predecessor-version":[{"id":229423,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229421\/revisions\/229423"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/229422"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/i
ndex.php\/wp-json\/wp\/v2\/media?parent=229421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=229421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=229421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}