AI directive focuses patching efforts on ‘highest risk’ vulnerabilities – Federal News Network


CISA’s latest binding operational directive takes a risk-based approach to software vulnerabilities, driven by recent advancements in AI-powered cyber exploits.
Federal agencies are now required to adopt a more tailored approach to patching the highest risk cyber vulnerabilities in their networks, under a new directive that accounts for recent advancements in artificial intelligence-driven cyber exploits.
In a binding operational directive released Wednesday, the Cybersecurity and Infrastructure Security Agency laid out how agencies should prioritize high-risk vulnerabilities for more immediate action, while deferring lower-risk vulnerabilities.
The directive is largely driven by advancements in new AI models that could allow hackers to more quickly identify new software vulnerabilities and exploit existing vulnerabilities before they can be patched or mitigated.
CISA officials had previewed how the BOD would be one of the first outputs under an AI security executive order signed by President Donald Trump last week.
Chris Butera, acting executive assistant director for cybersecurity at CISA, said the new approach should allow agencies to patch “smarter, not harder.”
“We really believe we should be able to free up some time to patch the most urgent vulnerabilities faster, while allowing for more regular patch cycles for some of the lower-risk vulnerabilities,” Butera said. “We are hopeful that this binding operational directive will not require additional work for the agencies, but rather allow them to better prioritize the patching.”
The framework will drive more aggressive patching cycles in the most critical cases.
CISA’s directive lays out four primary risk factors: Whether the vulnerable software is connected to the internet; whether it’s identified in CISA’s Known Exploited Vulnerabilities (KEV) catalog; whether it’s capable of being exploited by automated means; and whether it would give an adversary partial or total control of the technology after exploitation of the vulnerability.
For vulnerabilities that meet at least three of the new criteria, the patching deadline will be three days. Historically, federal patching deadlines have averaged between two and three weeks.
Butera said CISA analyzed vulnerabilities at one civilian agency, which he did not identify, and found that 1% of their vulnerabilities would require patching within three days, while more than 60% could be deferred to the next system update.
He also noted that agencies have 180 days to begin implementing the new processes.
“We do believe that agencies should be able to meet the three-day deadline,” Butera said. “That is why we didn’t choose, for example, a 24-hour deadline, because we think three days as a deadline is both fast and the agencies will be able to meet it.”
In a LinkedIn post, Tod Beardsley, CISA’s former KEV section chief, noted the BOD creates clarity around when a vulnerability is severe enough to warrant an accelerated patching deadline.
“High severity or low severity, it was always a little mysterious when a KEV had an unusual remediation deadline for federal agencies, like one day or seven days,” he wrote. “Now we know: the deadline shall hinge on if the target is publicly accessible, as well as the attacker value of the bug at hand.”
But Beardsley added that the more aggressive patching deadlines may be difficult for many federal agencies to meet, even if they are needed in the age of autonomous AI agents.
“I remain dubious that a three-day deadline spread across more than a hundred agencies is an achievable patch cadence today, but we’ll all find out together,” Beardsley wrote.
Although CISA’s directive is a requirement only for federal agencies, officials hope it will help promote new vulnerability management practices more broadly.
“While this directive is a mandate for federal agencies, CISA strongly encourages all partners, including critical infrastructure owners and operators, and state, local, tribal, and territorial governments, to adopt similar actions in their vulnerability management programs,” Butera said.
Also on Wednesday, Sen. Mark Warner (D-Va.) introduced a bill requiring CISA to lead updates to the 16 sector risk management plans, in conjunction with other agencies that oversee critical infrastructure. The updates would be due within nine months of enactment. It would also require those plans to be updated every two years going forward.
News of the legislation was first reported by NextGov.
In a statement, Warner’s office highlighted how some sector plans haven’t been updated in a decade.
“As AI continues to rapidly evolve, we must ensure our cybersecurity defenses keep up with the threats of the moment,” Warner said. “It’s critical that government works closely with industry, regulators, and cybersecurity experts to develop and regularly update the plans we need to protect our critical infrastructure from increasingly sophisticated malicious actors, including those enabled by AI.”
Copyright © 2026 Federal News Network. All rights reserved.