The Cybersecurity and Infrastructure Security Agency (CISA) has directed U.S. federal agencies to adopt a risk-based approach to vulnerability management, prioritizing patches for vulnerabilities that are being actively exploited rather than for those with the highest severity ratings. The new Binding Operational Directive, BOD 26-04, drops the reliance on severity scores such as CVSS as the primary prioritization signal and instead weighs four factors: asset exposure, whether the vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the degree to which exploitation has been automated, and the technical impact of a successful exploit.
Agencies have 180 days to implement the directive, and are expected in particular to assess whether vulnerabilities have already been exploited in their own environments. Observers have raised concerns about whether agencies can execute this approach effectively, particularly given the budget cuts affecting CISA.