• Platform
    Platform
    Nucleus Platform
    Scale and automate your vulnerability and exposure management program
    Vulnerability Intelligence Platform
    Access centralized and enriched vulnerability intelligence
    Nucleus Insights Intelligence Feed
    AI-powered, expert-validated threat and vulnerability intelligence
    Integrations
    Discover our ecosystem of 200+ connectors
    Capabilities
    Vulnerability Aggregation
    Unify and operationalize your vulnerability data in one platform
    Risk Prioritization
    Prioritize with asset context and threat intelligence
    Vulnerability Remediation
    Automate workflows to prioritize and mitigate critical exposures
    Vulnerability Intelligence
    Enrich vulnerability findings with real-world threat intelligence
    Asset Management
    Unify asset data to automate your vulnerability and exposure management
    Plan of Action and Milestones (POAM)
    Automate POA&M compliance at scale
    Compliance Frameworks
    Align with compliance framework controls and requirements.
    MCP Server
    Interact with your data using natural language and AI tools
  • Solutions
    Public Sector
    Federal Government
    Vulnerability and exposure management for government agencies
    State, Local, and Education (SLED)
    Centralize security and simplify compliance for state and local government
    Use Cases
    Exposure Management
    Scale and automate your exposure management program
    Risk-Based Vulnerability Management
    Address vulnerabilities with risk-based context and prioritization
    Application Security
    Shift left application security with production risk context
    Cloud Vulnerability and Exposure Management
    Conquer critical exposures across hybrid clouds
    Featured Report
    Gartner EAP MQ
    Nucleus Security Recognized as a Challenger in 2025 Gartner® Magic Quadrant™ Report

    We have been recognized for our Completeness of Vision and Ability to Execute.

    GET THE REPORT
  • Partners
    Partner Program
    Program Overview
    Learn more about our growing partner program
    MSSPs
    Explore opportunities for MSSP partnerships
    Marketplaces
    Find Nucleus on leading industry marketplaces
    Partner Resources
    Partner Directory
    Explore our ecosystem of partners
    Become a Partner
    Submit your request to join our partner program
    Deal Registration
    Easily register deals with Nucleus
    Partner Portal
    Log in to our dedicated Partner Portal
    Partner Case Study
    Orange Cyberdefense
    Case Study: Orange Cyberdefense

    Orange Cyberdefense leverages Nucleus to streamline vulnerability management, reduce costs, and drive impactful security insights for its customers.

    LEARN MORE
  • Resources
    Resources
    Resource Library
    Discover customer stories, reports, research, and more
    Blog
    Stay informed with the Nucleus Node blog
    Webinars
    Learn from industry experts and Nucleus leaders
    Events
    Meet with us virtually and in-person
    CISA KEV Enrichment Dashboard
    Quickly analyze vulnerabilities identified by CISA
    Featured Resources

    The Exploitability Intelligence Gap

    New CVE research by Nucleus Security gathered in an exclusive company white paper.

    LEARN MORE

    Gartner Exposure Assessment Platform Magic Quadrant

    Nucleus Security recognized as a Challenger by Gartner.

    LEARN MORE
    Featured Articles

    Understanding and Navigating the Requirements of CISA BOD 26-04

    READ MORE

    Automating Vulnerability Triage to Overcome the Human Decision Capacity Limit

    READ MORE
    Featured Webinars

    Claude Mythos: AI-Driven Vulnerability Discovery Webinar

    OPEN WEBINAR

    The Exploitability Intelligence Gap Webinar

    OPEN WEBINAR
    Featured Events

    Cybr.Sec.Con

    LEARN MORE

    SecTor

    LEARN MORE
    Featured Content

    Understanding and Navigating the Requirements of CISA BOD 26-04

    LEARN MORE

    Automating Vulnerability Triage to Overcome the Human Decision Capacity Limit

    LEARN MORE
  • Company
    About
    About Nucleus
    Learn more about who we are as a company
    Careers
    Explore our current openings and join the team
    News
    Read the latest news and articles
    Contact
    Contact Us
    Reach out to the Nucleus team
    Watch a Demo on Demand
    Watch our on-demand video demo
    Schedule Custom Demo
    Request a customized demo suited to your business' needs
    Pricing
    Get a quote based on your unique requirements
    Featured Content
    Omdia Tech Validation Report
    Omdia Technical Validation

    Omdia’s Technical Validation, commissioned by Nucleus, details how Nucleus helps organizations build successful vulnerability and exposure management programs.

    LEARN MORE
Watch A Demo

Understanding and Navigating the Requirements of CISA BOD 26-04

Tally Netzer
June 18, 2026
Best Practices
BOD 26-04 Blog

CISA Binding Operational Directive 26-04: Prioritizing Security Updates Based on Risk requires Federal Civilian Executive Branch (FCEB) agencies to prioritize security updates based on operational risk, not just severity. It builds on earlier Cybersecurity and Infrastructure Security Agency (CISA) directives by combining exposure, exploitation, impact, and prioritization logic into a more actionable remediation model. Previous CISA directives specified KEV-driven remediation requirements and stronger asset visibility. 

Today, the time defenders have to react between vulnerability discovery and exploit has been compressed as threat actors leverage AI. In response, CISA BOD 26-04Prioritizing Security Updates Based on Risk, gives FCEB agencies a more structured way to decide which vulnerabilities require the fastest action. The directive shifts the focus from treating every patch as equally urgent to prioritizing vulnerabilities based on risk signals that are more closely tied to exploitation potential and agency exposure. 

For readers who want broader policy context first, review CISA’s previous directives: BOD 22-01 on KEV-driven remediation, and BOD 23-01 on asset visibility and vulnerability detection. 

CISA BOD Progression

Who Does BOD 26-04 Apply To? 

BOD 26-04 applies to Federal Civilian Executive Branch agencies under CISA’s directive authority. For official scope references, see CISA’s Cybersecurity Directives overview and the Federal Civilian Executive Branch agencies list

Although the directive is binding on FCEB agencies, it is also useful guidance for state, local, education, critical infrastructure, and private-sector organizations that want a more defensible risk-based remediation model. 

“The United States faces persistent, increasingly sophisticated malicious cyber campaigns that threaten the public sector, private sector, and ultimately the American people’s security and privacy.” CISA BOD 26-04

What Does CISA BOD 26-04 Require? 

We lay out the requirements of CISA BOD 26-04 elsewhere, but to reiterate the requirements here, it directs agencies to prioritize remediation using four decision criteria: 

  1. Is the affected asset publicly exposed?
  2. Can exploitation be fully automated? 
  3. Would exploitation allow the attacker to take full control of the affected system? 
  4. Is there evidence of active exploitation? 

The highest-priority vulnerabilities that meet all four conditions must be remediated within three days. The directive also requires forensic triage to help determine whether affected systems may already have been compromised. 

The directive establishes implementation milestones, including policy and process updates, before agencies begin operating against the new remediation timelines. 

What Is the 3-Day Deadline in BOD 26-04? 

The three-day deadline applies to the vulnerabilities CISA considers most urgent under the directive’s risk model. In practical terms, that means vulnerabilities where public exposure, exploitability, automation potential, and impact combine to create the highest operational risk. 

This is one of the biggest shifts in BOD 26-04. CISA is not simply asking agencies to patch faster across the board. It is telling them to move fastest on the vulnerabilities most likely to become breaches

CISA BOD 26-04 3-day Deadlines

How Does BOD 26-04 Fit with Earlier CISA BODs? 

BOD 26-04 is easier to understand in the context of CISA’s earlier directives. BOD 22-01 said agencies must move quickly on vulnerabilities known to be exploited. BOD 23-01 said agencies need better visibility into what they own and what is exposed. BOD 26-04 brings those ideas together into a more operational prioritization model. 

  • BOD 22-01 established the requirement for FCEB agencies to remediate vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) Catalog within prescribed timeframes.
  • BOD 23-01 focused on improving asset visibility and vulnerability detection across federal networks.
  • BOD 26-04 builds on both by telling agencies how to prioritize broader security updates when multiple remediation demands compete for limited time and resources. 

Why Speed and Automation Matter More in BOD 26-04 

AI is changing attacker economics. It can accelerate exploit research, reduce the effort needed to operationalize attacks, and increase the volume of vulnerabilities that can be turned into real-world exploitation. CISA is responding to those changing market dynamics by placing more weight on signals like public exposure and automatable exploitation, which are more closely tied to operational risk than severity alone. 

CISA BOD 26-04 reflects a practical shift in the vulnerability landscape: agencies are dealing with more security updates, more exposed assets, and less time to make the right remediation decision. Manual triage does not scale when vulnerability volume keeps rising and the window between disclosure and exploitation keeps shrinking. 

For agencies, the real challenge is operationalizing risk-based remediation at scale. Prioritization decisions depend on vulnerability data, accurate asset context, threat intelligence, ownership, and mission relevance. As vulnerability volumes grow and remediation timelines tighten, organizations need automated workflows that can rapidly translate risk signals into action with speed, consistency, and measurable outcomes. 

How Teams Should Operationalize SSVC for BOD 26-04 

Stakeholder-Specific Vulnerability Categorization (SSVC) offers an established, known framework agencies can use to meet BOD 26-04’s requirements. 

SSVC Prioritization Tree

A practical way to operationalize SSVC is to treat it as a decision layer that sits on top of existing vulnerability, asset, and threat intelligence workflows. Teams should structure SSVC around four core inputs that align closely to BOD 26-04 decision-making: 

  1. Exploitation — Whether there is no known exploitation, a public proof of concept, or active exploitation
  2. Automatable — Whether exploitation can be reliably automated 
  3. Technical Impact — Whether exploitation leads to partial or total control of the affected system 
  4. Mission and Well-Being — The importance of the affected asset or system to agency operations and mission continuity 

Step 1: Normalize the Underlying Data 

SSVC only works when teams can consistently pull the right data into one workflow. That means vulnerability findings, asset metadata, exposure status, KEV status, exploit intelligence, and ownership all need to be connected and normalized before prioritization begins. 

For agencies responding to BOD 26-04, this includes making sure teams can identify whether an asset is public-facing, whether a vulnerability is actively exploited, and whether the affected system is mission-essential. 

Step 2: Map SSVC Inputs to Operational Values 

Teams can translate SSVC decision inputs into structured values that support consistent prioritization. A practical operating model uses these input sets: 

  • Exploitation: none, public PoC, active 
  • Automatable: no, yes 
  • Technical Impact: partial, total 
  • Mission and Well-Being: low, medium, high 

This creates a practical way to classify vulnerabilities using operationally meaningful criteria instead of severity alone. 

Step 3: Convert SSVC Outcomes into Actionable Priority Bands 

The goal is not to create another abstract score. The goal is to drive operational decisions by mapping into clear actions: 

  • Track 
  • Attend 
  • Act 

Step 4: Assign BOD-aligned SLA Timeline Automations 

SSVC prioritization outcomes are translated into CISA’s specific remediation timelines based on four inputs: 

  • Publicly exposed? 
  • In the KEV? 
  • Automatable by adversary? 
  • Technical impact? 

CISA BOD 26-04 Remediation Timeline Table

Publicly ExposedIn KEVAutomatableTechnical ImpactBOD 26-04 Remediation Timeline
YesYesYesTotal control3 days + forensic triage
YesYesYesPartial control3 days
YesYesNoTotal control3 days + forensic triage
YesYesNoPartial control14 days
YesYesYesTotal control3 days
YesYesYesPartial control14 days
YesYesNoTotal control14 days
YesYesNoPartial control60 days
NoYesYesTotal control3 days + forensic triage
NoYesYesPartial control14 days
NoYesNoTotal control14 days
NoYesNoPartial control14 days
NoNoYesTotal control60 days
NoNoYesPartial control60 days
NoNoNoTotal controlFix on system upgrade
NoNoNoPartial controlFix on system upgrade

How to Use the Table Operationally 

Teams should use the decision inputs to drive policy-backed workflow outcomes

A practical implementation looks like this: 

  • Map ExploitationAutomatableTechnical Impact, and Mission and Well-Being into a normalized decision model. 
  • Use public exposure and KEV presence as additional routing and escalation inputs aligned to the BOD timeline. 
  • Translate the output into internal workflow states such as ActAttend, and Track
  • Connect those states to due dates, escalation rules, ticket routing, and reporting. 

For example: 

  • Vulnerabilities that align to the most urgent BOD combinations, such as internet-facing + KEV + total control, should route into the fastest response path and include forensic triage requirements where applicable. 
  • Vulnerabilities that fall into the 14-day or 60-day tiers should still receive automated ownership, tracking, and deadline enforcement. 
  • Lower-priority vulnerabilities that map to fix on system upgrade should remain visible for lifecycle planning and auditability. 

These remediation timelines are also laid out on this graphic provided by CISA:

CISA BOD 26-04 Remediation Timelines

Step 5: Use Mission Context as a Policy Input 

One of the most important lessons in applying SSVC is that mission context needs to be explicit. In practice, this means mapping asset criticality, system function, or mission-essential designations into the SSVC decision process. 

For federal teams, this is what makes SSVC useful. It allows the same vulnerability to be treated differently depending on the operational role of the affected asset. 

Step 6: Keep Reporting and Explainability Intact 

SSVC must remain explainable. Teams should be able to show which inputs drove the decision, how that decision mapped to remediation urgency, and why a vulnerability was assigned a given timeline. 

That matters for BOD 26-04 because prioritization is not just a technical queue-management exercise. It is a governance and accountability requirement. 

For deeper background, see CISA’s SSVC overview, the CISA SSVC guide, and the SSVC calculator

What Organizations Need to Operationalize BOD 26-04 

For agencies and organizations building mature exposure management programs, BOD 26-04 reinforces the importance of: 

  • Centralized vulnerability and asset data 
  • Continuous enrichment with threat intelligence 
  • Risk-based prioritization workflows 
  • Clear remediation ownership 
  • Timely reporting and auditability 

Helpful Nucleus Resources

Frequently Asked Questions About CISA BOD 26-04 

What is CISA BOD 26-04 in simple terms?

CISA BOD 26-04 is a CISA directive that tells FCEB agencies to prioritize security updates based on risk signals such as exposure, exploitability, impact, and evidence of exploitation, rather than relying on severity alone.

Who must comply with BOD 26-04?

Federal Civilian Executive Branch (FCEB) agencies and FedRAMP Cloud Security Providers (CSPs) must comply with CISA BOD 26-04. Other organizations can still use the directive as a practical model for risk-based remediation.

How is BOD 26-04 different from BOD 22-01?

BOD 22-01 focuses on remediating vulnerabilities listed in the KEV Catalog within defined deadlines. BOD 26-04 is broader: it defines a prioritization model for security updates based on multiple risk criteria.

How is BOD 26-04 different from BOD 23-01?

BOD 23-01 focuses on asset visibility and vulnerability detection. BOD 26-04 focuses on deciding which security updates should move first once agencies have that visibility.

Does BOD 26-04 apply outside of the federal government?

No, BOD 26-04 is binding on FCEB agencies and FedRAMP CSPs onlyHowever, the directive is still useful guidance for organizations that want a more mature, risk-based remediation program.

Tally Netzer
Tally is Nucleus' Senior Director of Product Marketing. She's a creative storyteller with deep technical understanding and skilled at delivering complex concepts in a clear, people-friendly way.

See Nucleus in Action

Discover how unified, risk-based automation can transform your vulnerability management.

Schedule a Demo

© 2026 Nucleus Security. All rights reserved

What Claude Mythos Revealed About the Vulnerability Remediation Gap | Register for the Webinar →