*CISA just told federal agencies to stop patching everything on the same clock and start patching by risk. The directive technically binds agencies — but if you run, host, or support federal systems, it will land on you.*
On June 11, 2026, the Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 26-04, "Prioritizing Security Updates Based on Risk," consolidating and replacing two of its foundational patching directives. BOD 26-04 folds together the old BOD 19-02 (remediation timelines for internet-accessible systems) and BOD 22-01 (the Known Exploited Vulnerabilities catalog) into a single risk-based framework. CISA's framing is blunt: with AI tools shrinking the window between a patch release and active exploitation, agencies must "patch smarter, not harder." For government contractors, a directive aimed at agencies is also a preview of the security expectations headed into your contracts.
What BOD 26-04 Actually Changes
The directive scores vulnerabilities on four characteristics: whether the asset is publicly exposed, whether an attacker can fully automate exploitation, whether exploitation hands over full control of the system, and whether there is real-world evidence of exploitation (i.e., the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog). Vulnerabilities that show all four traits are the highest priority and must be patched within three days. Lower-risk vulnerabilities can be remediated over longer timelines — in some cases deferred until the next system upgrade.
Two shifts stand out. First, the directive flips patching prioritization toward the network's edge rather than treating every CVE as an emergency. Second, it adds a new expectation that agencies assess whether a vulnerable system was *already compromised* before applying the patch — because, as CISA notes, applying a patch generally does not evict an attacker who is already inside.
The Obligations Behind the Headline
Effective immediately, agencies must review and update their vulnerability management policies to align with the directive, and provide those policies to CISA on request. Within 60 days, they must update procedures to cover vulnerabilities in the CVE database and CISA's KEV catalog. Within 180 days, they must remediate within CISA's timelines and continuously identify and tag every externally reachable, agency-owned asset. Agencies must report KEV remediation status through the Continuous Diagnostics and Mitigation (CDM) dashboard — or, if not yet automated, submit manual status reports every two weeks.
Why a Federal-Agency Directive Reaches Contractors
A Binding Operational Directive is, by its terms, a mandate for federal civilian executive branch agencies — not a clause in your contract. But the line between "agency obligation" and "contractor obligation" is thin in practice. If you operate, host, or maintain a federal information system, agency directives routinely flow to you through your contract, your System Security Plan, and your authorization to operate. When an agency's patching policy changes, the service-level expectations it imposes on its vendors change with it.
CISA made the crossover explicit, with acting director Nick Andersen stating that while the directive is a mandate for federal agencies, CISA "strongly encourages all partners to adopt similar actions in their vulnerability management policy." For contractors weighing where to spend finite remediation hours, the risk-based model is also simply good practice — and it aligns with the patch-and-vulnerability expectations already embedded in NIST SP 800-171 and the broader federal framework landscape.
What to Do Now
Treat BOD 26-04 as a signal even if no contract has changed yet. Map your patch-management policy against the four risk characteristics and confirm you can hit a three-day clock for edge-facing, actively exploited, fully automatable vulnerabilities. Build a documented process for triaging compromise before patching high-risk systems. If you support a federal customer, ask whether their updated policy will reset the remediation timelines or reporting cadence in your statement of work. And revisit your asset inventory: the directive's emphasis on tagging every externally reachable asset is a standard your customers may soon expect you to meet. Our build-a-program guide and checklists are a useful place to start.
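To make the mapping exercise concrete, here is an added example (written for this post, not code from CISA or the directive) that scores a constructed set of findings against the four characteristics described above, puts the all-four findings on the three-day clock, and flags where a compromise assessment should precede the patch. The findings, asset names and `VULN-` identifiers are constructed placeholders; the ranking of findings that do not show all four traits and the choice to trigger the pre-patch compromise check on in-the-wild exploitation evidence are assumptions of this example, since the directive leaves those timelines to agency policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # constructed placeholder, not a real CVE identifier
    asset: str                # constructed asset name
    publicly_exposed: bool    # asset is reachable from the internet (the "edge")
    automatable: bool         # an attacker can fully automate exploitation
    full_control: bool        # successful exploitation yields full control of the system
    exploited_in_wild: bool   # real-world exploitation evidence (KEV-listed)


# The directive's remediation clock for findings that show all four traits.
THREE_DAY_CLOCK = timedelta(days=3)


def risk_score(f: Finding) -> int:
    """Number of the four BOD 26-04 risk characteristics present (0 to 4)."""
    return sum((f.publicly_exposed, f.automatable, f.full_control, f.exploited_in_wild))


def triage(f: Finding, discovered: date) -> dict:
    """Assign a tier, a due date (only for the all-four tier) and a pre-patch check flag."""
    score = risk_score(f)
    all_four = score == 4
    return {
        "vuln_id": f.vuln_id,
        "asset": f.asset,
        "score": score,
        # Only the all-four case has a timeline fixed by the directive; the rest
        # take longer, policy-defined timelines, so no due date is assumed here.
        "tier": "three-day" if all_four else "risk-ranked",
        "due": discovered + THREE_DAY_CLOCK if all_four else None,
        # Assumption of this example: evidence of in-the-wild exploitation is the
        # trigger for assessing prior compromise before the patch goes on.
        "check_compromise_first": f.exploited_in_wild,
    }


def prioritize(findings, discovered: date) -> list:
    """Order findings by score, breaking ties on exploitation evidence, then exposure."""
    ordered = sorted(
        findings,
        key=lambda f: (-risk_score(f), not f.exploited_in_wild, not f.publicly_exposed, f.vuln_id),
    )
    return [triage(f, discovered) for f in ordered]


def overdue(plan: list, today: date) -> list:
    """IDs of plan entries whose fixed due date has passed as of `today`."""
    return [p["vuln_id"] for p in plan if p["due"] is not None and today > p["due"]]


# Constructed sample inventory: one finding per tier worth looking at.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "vpn-gateway-01", True, True, True, True),     # all four traits
    Finding("VULN-0002", "public-web-portal", True, True, True, False),  # edge, but no KEV evidence
    Finding("VULN-0003", "internal-build-server", False, True, False, True),  # KEV-listed, not exposed
    Finding("VULN-0004", "hr-laptop-17", False, False, False, False),   # none of the traits
]
DISCOVERED = date(2026, 6, 15)  # constructed discovery date


if __name__ == "__main__":
    plan = prioritize(SAMPLE_FINDINGS, DISCOVERED)
    for entry in plan:
        print(entry)
    print("overdue four days after discovery:", overdue(plan, DISCOVERED + timedelta(days=4)))
```

Running the script prints the plan in priority order: the VPN gateway finding lands in the three-day tier with a due date three days after discovery and a compromise check flagged, the portal finding ranks next despite lacking a due date, and the build-server finding still gets the compromise check because of its exploitation evidence even though it is not externally reachable.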
Key Takeaways
- BOD 26-04 (June 11, 2026) replaces BOD 19-02 and BOD 22-01 with a single risk-based model: patch the highest-risk, actively exploited, edge-facing vulnerabilities within three days and triage the rest by risk.
- It adds a new step — assess whether a system was already compromised before patching — and is driven by AI-accelerated exploitation timelines.
- The directive binds federal civilian agencies, but contractors who run or support federal systems should expect the new timelines and reporting cadence to flow into their contracts; CISA urges all partners to adopt it.
Not sure which federal cyber obligations actually attach to your contracts? Run our Find My Requirements tool, or review the federal frameworks page.