CISA tells govt agencies to patch critical exploited flaws in 3 days

BleepingComputer business

Key Points:

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-04, which requires Federal Civilian Executive Branch (FCEB) agencies to prioritize and accelerate remediation of high-risk cybersecurity vulnerabilities, some of which must be fixed within three days.
  • BOD 26-04 replaces previous directives from 2019 and 2021 and focuses on vulnerabilities that are publicly exposed, are listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, can be exploited via automated large-scale attacks, or give attackers significant system control.
  • The directive applies to all federal civilian systems, including on-premises, third-party hosted, and cloud environments, but excludes military, intelligence, and contractor systems.
  • Agencies must update vulnerability management policies, asset inventories, and automate KEV reporting within 60 days, and fully comply with new remediation timelines and continuous asset monitoring within 180 days.
  • This directive aims to strengthen federal cybersecurity defenses and is expected to influence broader industry patching priorities.
