THREATOPS
THREAT OPSThreat News › CISA BOD 26-04: Frequently asked questions about the new risk-based patching directive

CISA BOD 26-04: Frequently asked questions about the new risk-based patching directive

lowtenablePublished 2026-06-11

<p>CISA issued BOD 26-04, which replaces BOD 22-01 with a four-variable vulnerability prioritization model requiring federal agencies to patch the most dangerous vulnerabilities in as few as three days.</p><div class="blog-see-also"><div class="col-sm-12"><h2><strong>Key takeaways</strong></h2><ol><li>BOD 26-04 replaces BOD 22-01 with a four-variable risk model that assigns graduated remediation t

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://www.tenable.com/blog/cisa-bod-26-04-FAQ-vulnerability-remediation-impact