<h1>CISA tells agencies to patch smarter, not harder — foreshadowing broader industry practice</h1>

<p>Published 2026-06-10 at <a href="https://cybersecurityinfocus.com/?p=8449">cybersecurityinfocus.com</a></p>

<p>Security teams’ patching practices have come under intense pressure over the past year, as active exploitation is up, time-to-exploit windows are accelerating, and <a href="https://www.csoonline.com/article/4176086/vulnerabilities-have-become-cyber-attackers-no-1-door-to-the-enterprise.html">vulnerabilities have become attackers’ top initial access vector</a> of choice.</p>

<p>Last year, organizations fully remediated only 26% of the vulnerabilities that attackers were actively exploiting in the wild — down from 38% the year before, according to Verizon’s <a href="https://www.csoonline.com/article/4176086/vulnerabilities-have-become-cyber-attackers-no-1-door-to-the-enterprise.html">2026 Data Breach Investigations Report</a>. The median time to close those known dangerous gaps stretched to 43 days, while attackers have trimmed their side of the equation to days, sometimes hours.</p>

<p>That’s the backdrop against which the US Cybersecurity and Infrastructure Security Agency issued <a href="https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk">Binding Operational Directive 26-04</a>. The directive reflects growing recognition that patching based primarily on severity scores is no longer sufficient in an AI-driven environment where defenders face more vulnerabilities than they can realistically remediate at once.</p>

<p>During a media briefing announcing the directive, Chris Butera, acting executive assistant director for cybersecurity at CISA, described the initiative as the culmination of more than a decade of lessons learned from federal vulnerability management programs, adversary activity, and the agency’s growing understanding of AI’s impact on cyber operations.</p>

<p>“Prioritizing IT and security operations attention on the most at-risk assets is particularly important now given advancements in artificial intelligence, which allow threat actors to find and exploit vulnerabilities in these assets,” Butera said. “Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse.”</p>

<p>In a companion <a href="https://www.cisa.gov/news-events/news/patch-smarter-not-harder">blog post</a>, Butera and Jonathan Spring, CISA’s senior technical advisor, argue that defenders are struggling to keep pace with a rapidly growing volume of vulnerabilities. AI is assisting researchers and adversaries in identifying flaws in software, vastly increasing the pace at which new vulnerabilities are discovered and forcing organizations to <a href="https://www.csoonline.com/article/4065137/cisos-advised-to-rethink-vulnerability-management-as-exploits-sharply-rise.html">rethink how they prioritize remediation efforts</a>.</p>

<p>Butera and Spring argue that defenders need greater clarity and speed when deciding what to patch. Their prescription: patch smarter, not harder.</p>

<h2>Beyond CVSS: Why severity scores are no longer enough</h2>

<p>The directive builds on CISA’s <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities</a> program, which already identifies vulnerabilities actively being abused by attackers. But BOD 26-04 goes further by introducing a decision framework that considers four key factors: whether the vulnerable system is publicly exposed to the internet, whether the vulnerability is listed in the KEV catalog, whether an attacker can automate exploitation, and how much control an attacker would gain after exploitation.</p>

<p>During the briefing, Butera said those four characteristics — public exposure, known exploitation, exploit automation, and post-exploitation impact — represent the conditions most closely associated with meaningful risk to federal systems. Vulnerabilities exhibiting three or more of those attributes must be patched within three days, while lower-risk vulnerabilities can be addressed on longer timelines or, in some cases, deferred until the next major system upgrade.</p>

<p>The change reflects a broader shift in how security practitioners think about vulnerability management. For years, organizations have relied heavily on severity scores such as <a href="https://cyberscoop.com/cvss-criticism-cve-nvd-nist-epss/">CVSS</a> to determine patching priorities. But those scores often fail to predict whether attackers will actually exploit a flaw.</p>

<p>“The directive used to be based on just severity score, which we as an industry have come to find is not a good predictor of exploitation,” <a href="https://www.linkedin.com/in/sasha-romanosky-6093831/">Sasha Romanosky</a>, a senior cybersecurity policy researcher at RAND, tells CSO. “This BoD looks to be updated to account for both impact and exploitation, which I think is the right approach.”</p>

<p><a href="https://www.linkedin.com/in/jgamblin">Jerry Gamblin</a>, FIRST EPSS SIG member and founder of RogoLabs, is even more enthusiastic about the BOD. “BOD 26-04 is a massive step in the right direction and validates what data-driven teams already know: Patching every CVSS High or Critical is mathematically impossible,” he tells CSO. “By formalizing the use of the KEV catalog alongside advanced predictive data like EPSS, CISA is helping drive the industry toward practical, risk-based operational maturity.”</p>

<h2>The operational burden of continuous risk assessment</h2>

<p>Perhaps the most notable operational change is that remediation timelines become dynamic. A vulnerability’s required response time can change as circumstances change, with internet-facing and actively exploited vulnerabilities receiving the highest priority.</p>

<p>During the briefing, Butera said that this flexibility is one of the directive’s greatest strengths. In an analysis of one federal civilian agency, CISA found that only about 1% of vulnerability instances required remediation within three days, while more than 60% could be deferred until the next system update.</p>

<p>That finding highlights the agency’s central argument: Vulnerability management has become a prioritization problem as much as a patching problem.</p>

<p>“We really believe we should be able to free up some time to patch the most urgent vulnerabilities faster while allowing for more regular patch cycles for some of the lower-risk vulnerabilities,” Butera said.</p>

<p>Rather than forcing agencies to expend resources remediating thousands of vulnerabilities of varying importance, the framework concentrates attention on the small subset of flaws most likely to result in compromise.</p>

<h2>What the directive gets right — and what it leaves out</h2>

<p>Romanosky notes, however, that the directive’s treatment of impact is relatively narrow, focusing largely on whether exploitation grants an attacker partial or complete control of a system.</p>

<p>“What about integrity impacts that change data, or completely deny access to a system, such as a DDoS attack on DNS or wiping out a database?” he says. “Those impacts would also seem important.”</p>

<p>Still, he acknowledges that if policymakers must simplify risk decisions across the federal government, prioritizing vulnerabilities that provide adversaries control over systems is a reasonable place to start.</p>

<p>The directive also places significant emphasis on internet-facing systems, which could raise questions about risks deeper inside enterprise networks. Butera and Spring address that point directly in their blog post, arguing that CISA does not typically observe threat actors compromising core networks through software vulnerabilities alone. Instead, attackers frequently rely on valid credentials, misconfigurations, and other “living off the land” techniques.</p>

<h2>KEV is useful — but is it enough?</h2>

<p>Cybersecurity professionals outside government should pay close attention because federal vulnerability management often foreshadows broader industry practice. The directive formalizes ideas that many security leaders have advocated for years: CVSS scores alone are insufficient; asset context matters; internet exposure matters; active exploitation matters most.</p>

<p><a href="https://www.linkedin.com/in/michael-roytman">Michael Roytman</a>, co-founder and CTO of Empirical Security, views the directive as a milestone in that evolution.</p>

<p>“The federal government finally retired the ‘patch everything on the list’ mandate and replaced it with risk-based prioritization,” Roytman tells CSO. “Eleven years ago, prioritizing by exploitation probability was a heresy we had to defend in conference hallways. Today, it’s a binding federal directive.”</p>

<p>But he also argues that the framework’s reliance on the KEV catalog highlights one of its limitations.</p>

<p>“KEV lists are binary and retroactive,” Roytman says. “When AI compresses the gap between patch and exploit to hours, waiting for the KEV entry means you find out you were wrong from the incident report.”</p>

<p>Romanosky raises a similar concern, describing KEV as a valuable but inherently backward-looking source of information. “KEV is a great program for DHS and the public, but it is, at best, evidence of past exploitation,” he says.</p>

<p>Both experts suggest that predictive signals deserve a larger role in future vulnerability prioritization efforts. Romanosky points specifically to the <a href="https://www.csoonline.com/article/4161626/anthropic-bets-on-epss-for-the-coming-bug-surge.html">Exploit Prediction Scoring System (EPSS)</a>, which estimates the likelihood that a vulnerability will be exploited in the future.</p>

<p>“The concern, of course, is that vulnerabilities age, and so what may have been exploited last year or last month may no longer be used in active exploitation today,” Romanosky says. “So EPSS would provide a better signal.”</p>

<p>Roytman takes the argument a step further. Drawing on research conducted alongside Verizon’s DBIR team, he said that recency matters enormously when assessing exploitation risk.</p>

<p>According to Roytman, 82% of KEV entries involve vulnerabilities whose exploitation was first reported more than a year ago. “Twelve months of inactivity means the chance of exploitation falls from 99% on the first day down to 5%,” he says.</p>

<p>He also argues that KEV captures only a fraction of observed exploitation activity. “The KEV list covers only about 8% of observed exploitation,” Roytman said. “We’re tracking 17,800 CVEs compared to CISA’s 1,600.”</p>

<h2>How AI could force another rethink of vulnerability management</h2>

<p>Butera and Spring argue that artificial intelligence is already accelerating vulnerability discovery and increasing pressure on defenders. BOD 26-04 is intended to help agencies automate and scale vulnerability management while focusing scarce resources on the risks that matter most.</p>

<p>But the directive’s four-factor framework was built on the vulnerability landscape as it exists today — and AI may render that landscape unrecognizable relatively quickly.</p>

<p>Romanosky points to a structural gap in the current model: because the framework relies heavily on CVE identifiers, defenders may encounter newly discovered flaws that require urgent attention before they’ve been formally cataloged. “As more vulnerabilities are discovered quicker with AI tools, we might expect a whole set of new vulnerabilities that haven’t yet been assigned CVE IDs that need to be patched super quick,” he says.</p>

<p>That’s not a hypothetical concern. The <a href="https://cyberscoop.com/cve-program-history-mitre-nist-1999-2024/">CVE assignment process</a> — run by MITRE and a network of numbering authorities — was built for a slower discovery cadence. It can take days or weeks for a vulnerability to receive an identifier, go through NVD analysis, and appear in tools that practitioners actually use. If AI compresses the window between discovery and exploitation to hours, that pipeline becomes a liability.</p>

<p>Roytman sees the directive’s four-factor model as a starting point rather than an endpoint — one calibrated to average federal risk rather than the specific conditions of any individual organization. “The risk in CISA’s table is the average risk across the federal enterprise,” he said. “The risk in an enterprise environment is a different number that depends on controls, telemetry, prevalence, and ultimately a local model specific to that enterprise.”</p>

<p>Romanosky agrees that another revision may be inevitable. “I might expect another revised BOD — or some other directive — to account for what may be a new continuous stream of vulnerabilities,” he says.</p>

<p>In that sense, BOD 26-04 may be less a destination than a waypoint: the federal government’s best current answer to a problem that AI is guaranteed to make harder.</p>