The US Cybersecurity and Infrastructure Security Agency (CISA) has announced a new directive, BOD 26-04, which requires federal agencies to focus on patching high-risk security flaws, building on previous guidance established with BOD 22-01 and the Known Exploited Vulnerabilities (KEV) catalog.
This directive mandates that agencies review and update their vulnerability management policies, automate vulnerability remediation, and adhere to strict timelines for addressing security weaknesses based on their risk level. Higher-priority vulnerabilities must be resolved within three days, while lower-risk ones have timeframes of 14 or 60 days. CISA will support this effort by continuously updating the KEV catalog and providing necessary guidance.