Prep for CISA’s New Patch Requirements and Timelines

June 26, 2026
CISA’s binding operational directive (BOD) 26-04 presents challenges to Federal Civilian Executive Branch (FCEB) agencies that must comply with its aggressive timelines for vulnerability remediation, requirements for post-patch forensic analysis and more. This report outlines the new requirements, clarifies the impact and offers recommendations for ensuring compliance.

The Challenge

The security team for an FCEB agency wants to ensure it understands CISA’s new directive on patching/remediation and how best to comply. Specifically, the team asks:

  • What are the specific patching requirements and how do they differ from current standards?
  • What are the new forensic analysis requirements and what should we do to comply?
  • What are the best ways to determine whether a vulnerability is publicly exposed?

FCEB and Some Federal Contractor Systems Are In Scope

BOD 26-04 applies to assets that meet the definition of a "federal information system" in OMB Circular A-130: any system operated by an FCEB agency, or by another entity on the agency's behalf, that collects, processes, stores, transmits, disseminates or otherwise maintains agency information. It does not apply to every device a federal contractor uses for back-office functions, but it does apply to contractor-owned systems used to process federal data.

In-scope systems also include federal information systems hosted in third-party environments, and the directive places the onus for meeting the remediation timelines for those assets on the FCEB agency. Cloud-provided offerings are explicitly in scope as well, regardless of whether they are FedRAMP certified; again, responsibility for compliance with the BOD sits squarely with each agency. This is unusually onerous and undercuts much of the reason for FedRAMP certification in the first place.

Aggressive Remediation Timelines

The remediation timelines mandated by BOD 26-04 are tightly aligned with the Stakeholder-Specific Vulnerability Categorization (SSVC) framework from Carnegie Mellon University. They are unusually aggressive, shorter than the timelines used by most mature enterprise organizations, and counted in calendar days: weekends and holidays do not extend the deadline.

Forensic Triage Requirement

While the BOD clearly lists a forensic triage requirement, it is vague about what specifically constitutes "forensic triage." Given past precedent, IANS believes this will likely consist of indicator-of-compromise (IoC) sweeps in logs and other telemetry.

Forensic triage is only required where the vulnerability is being actively exploited (i.e., it appears in CISA's Known Exploited Vulnerabilities (KEV) catalog). The BOD links to NIST SP 800-86, indicating that it will likely form part of the basis for the forensics requirement.

Required Actions and Timelines

Below is a list of actions and timelines recommended to ensure compliance with BOD 26-04. Note that this is not the full list of required actions; anyone who may be subject to BOD 26-04 should consult the directive itself for the complete list.

Immediately
  • Establish processes for tracking vulnerabilities in the KEV (if you don't already have them) and set internal tracking for requirements in the directive.
  • Automate reporting of remediation status for KEV vulnerabilities to the Continuous Diagnostics and Mitigation (CDM) Program Dashboard, which lets CISA see the security status of federal agency information systems. Its utility, however, depends on FCEB agencies updating it, and we all know how manual updates go. Additionally, many FCEB agencies have blocklisted the IP addresses CISA uses for external scanning, limiting CISA's visibility; the directive requires these addresses to be unblocked immediately.
In 60 Days
  • Update vulnerability management processes to support ongoing vulnerability remediation within the timelines set by CISA in the BOD.
In 180 Days
  • Implement a process to continuously identify and tag any asset that is publicly reachable. Agencies that do not automatically report into the CDM must provide reachability information to CISA every seven days in a machine-readable format.
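As an added example (not IANS' or CISA's code), the Python below ties three of these actions together: it correlates a scanner-derived asset inventory with a KEV snapshot, tags each affected asset as publicly reachable or not, and computes the remediation due date in plain calendar days so weekends never push a deadline out. The inventory, the KEV entries, the 14-day window and the address-based reachability heuristic are all constructed assumptions; the BOD's actual SSVC-aligned timelines are not reproduced.

```python
"""Added example (not IANS' or CISA's code): correlate a constructed inventory
with a constructed KEV snapshot, tag public assets, compute calendar-day deadlines."""
import ipaddress
import json
from datetime import date, timedelta
# Assumed window in calendar days (placeholder; the BOD's SSVC-aligned
# timelines are not reproduced here). Weekends and holidays are NOT skipped.
REMEDIATION_CALENDAR_DAYS = 14

# Constructed KEV snapshot: CVE id -> date it was added to the catalog.
KEV_SNAPSHOT = {"CVE-0000-0001": date(2026, 6, 1), "CVE-0000-0002": date(2026, 6, 20)}

# Constructed inventory: each asset's address and scanner-reported CVEs.
INVENTORY = [
    {"asset": "web-01", "ip": "203.0.113.10", "cves": ["CVE-0000-0001"]},
    {"asset": "db-01", "ip": "10.20.0.5", "cves": ["CVE-0000-0001", "CVE-0000-9999"]},
    {"asset": "vpn-01", "ip": "198.51.100.7", "cves": ["CVE-0000-0002"]},
]

# Ranges treated as internal: RFC 1918, loopback, link-local, CGNAT.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def publicly_reachable(ip: str) -> bool:
    """First-pass tag: any address outside INTERNAL_NETS counts as public.
    Real reachability also depends on firewalls and NAT; confirm separately."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def kev_findings(inventory, kev, today, window_days=REMEDIATION_CALENDAR_DAYS):
    """One record per (asset, KEV CVE) pair; non-KEV CVEs follow the normal process."""
    records = []
    for asset in inventory:
        for cve in asset["cves"]:
            if cve not in kev:
                continue
            due = kev[cve] + timedelta(days=window_days)  # plain calendar arithmetic
            records.append({
                "asset": asset["asset"], "cve": cve,
                "publicly_reachable": publicly_reachable(asset["ip"]),
                "kev_added": kev[cve].isoformat(), "due": due.isoformat(),
                "overdue": today > due, "forensic_triage_required": True,
            })
    return records

def report_json(today: date) -> str:
    """Machine-readable output for the periodic submission (schema is assumed)."""
    return json.dumps(kev_findings(INVENTORY, KEV_SNAPSHOT, today), indent=2)
```

Swap the constructed inventory and KEV snapshot for your scanner export and the live KEV feed, and confirm the reachability tag against firewall and NAT rules before reporting it.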

The Time To Start Is Now

The new directive includes aggressive timelines and new processes that impact all FCEB agencies and any of their contractors that process federal data. To ensure you are prepared to comply:

  • Federal agencies and contractors with known federal information systems should:
    • Start by identifying public-facing assets using the criteria outlined in this document.
    • Ensure this data is stored in asset databases and is accessible through vulnerability management platforms for ease of reporting compliance vs. non-compliance.
    • Identify how you'll perform and attest to the completion of post-remediation forensic triage requirements. Reporting on the vulnerability remediation is simple by comparison. While we anticipate mostly IoC sweeps, organizations should prepare for situations where more in-depth forensic analysis is required than simple "follow these 10 steps" guidance from CISA. It may be wise to have your forensics team take this relatively inexpensive training to level up their endpoint forensics skills. (Full disclosure: I am a contributing author to that material and have taught it on many occasions.)
  • Federal contractors with no known federal information systems should:
    • Inventory systems to ensure they are not processing federal government information that would classify them as a federal information system. This BOD indicates CISA is taking vulnerability remediation more seriously than ever before. Even if no federal information systems are discovered, federal contractors should begin tagging publicly accessible assets using the same formats prescribed by CISA. Federal contractors will likely be held to higher standards for vulnerability management in the near future, even for non-federal information systems.
  • Non-covered entities (that are neither a federal agency nor a contractor) should:
    • Understand that no action is required, but be ready: as other organizations treat this directive as a "low water mark," more frameworks will align with these aggressive remediation timelines.
    • Consider how you'll document and attest to the forensic triage requirement. It's easy to foresee that elements of this BOD will be wrapped into commercial cyber insurance policies. Consider upskilling your team, particularly on endpoint forensics examinations, as these are likely to be the most challenging areas for most teams.
