CISA on June 10 issued Binding Operational Directive 26-04, ordering federal civilian agencies to patch the most dangerous vulnerabilities within 72 hours and citing AI-accelerated exploitation as the explicit reason the old deadlines no longer hold. The directive supersedes BOD 19-02 and BOD 22-01, and it’s the first time the agency has hardwired AI threat logic into federal vulnerability law.

The new triage runs on a four-factor risk matrix: asset exposure, presence in the Known Exploited Vulnerabilities catalog, exploit automation, and post-exploitation technical impact. Agencies have 60 days, until August, to update their vulnerability management processes, and 180 days, until December, for full implementation. Acting Director Nick Andersen has framed BOD 26-04 as operationalizing part of the president’s AI executive order.

CISA’s pitch is that the 72-hour tier is narrow by design. Chris Butera, the acting executive assistant director for cybersecurity, told reporters the agency wants federal teams to “patch smarter, not harder,” and shared an initial analysis from one large civilian agency in which only 1% of vulnerability instances landed in the three-day bucket while more than 60% were deferrable.

Practitioners are less sure the cadence survives contact with reality. Tod Beardsley, CISA’s former KEV section chief, called a 72-hour deadline across 100-plus agencies “dubious.” SOCRadar’s Ensar Seker called it “aggressive but required,” warning that shops with shadow IT or incomplete asset inventories will simply miss the window.

The political scaffolding arrived the same day. Sen. Mark Warner (D-Va.) introduced a parallel bill requiring CISA to lead updates to all 16 sector risk management plans within nine months. The directive’s underlying admission is the structural news: defender clocks are now being set by attacker tooling, not the other way around.

Sources