The US Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new directive, Binding Operational Directive (BOD) 26-04, requiring federal agencies to fix critical vulnerabilities within three days while allowing them to defer less critical issues. This change reflects the increasing threat posed by AI and exploits. CISA's tiered model prioritizes vulnerabilities based on several factors, including exposure and exploitability.
Agencies must revise their vulnerability management processes within 60 days to align with the new requirements and ensure timely remediation. The directive emphasizes a proactive approach to cybersecurity, pushing agencies to prioritize critical vulnerabilities effectively.