CISA issued Binding Operational Directive 26-04 on June 10, 2026, fundamentally reshaping how federal agencies must prioritize and remediate vulnerabilities. Rather than treating all CVEs with equal urgency, BOD 26-04 establishes a risk-tiered patching framework built around four variables: whether the asset is publicly exposed, whether the vulnerability is in the Known Exploited Vulnerabilities (KEV) catalog, whether the exploit can be automated by an adversary, and the technical impact an attacker achieves after exploitation. The directive allows agencies to defer the lowest-risk vulnerabilities entirely to the next system upgrade, while demanding the fastest action—three days—on the highest-risk combinations. This post outlines what the directive requires and how Forward Enterprise helps organizations answer the questions that determine each risk tier. This directive supersedes both BOD 22-01 (Known Exploited Vulnerabilities) and BOD 19-02 (Vulnerability Remediation for Internet-Accessible Systems).
Who should read this post
- Security and Network Operations teams managing vulnerability remediation programs across federal or enterprise networks
- Network engineers responsible for understanding and validating which systems are publicly reachable
- Risk and compliance professionals working in public-sector environments subject to CISA directives or using CDM dashboards
What is covered in this post
- Summary of CISA Binding Operational Directive 26-04 and its significance
- The four risk variables and phased implementation requirements
- How Forward Networks helps organizations determine asset exposure and validate remediation
- An NQE query to identify high-priority KEV-impacted, internet-exposed devices
CISA's Directive: The Core Requirements
CISA released BOD 26-04: Prioritizing Security Updates Based on Risk in response to the challenge of patch fatigue and the growing use of AI by threat actors that narrows defenders’ reaction time between patch release and active exploitation. The directive evolves the KEV catalog framework established in BOD 22-01 by tying remediation deadlines to a structured combination of risk signals rather than applying a flat timeline to all CVEs.
Timelines are dynamic: they begin when CISA adds a vulnerability to the KEV catalog or when the agency identifies it on an asset in the CDM dashboard—whichever comes first. Risk tiers can shift as facts change. Removing a system from the internet, for example, moves it from a shorter to a longer remediation window; conversely, a vulnerability being added to the KEV catalog will shorten the required timeline.
The Four Risk Variables
| Variable | Definition (per BOD 26-04) |
|---|---|
| Asset Exposure | Is the vulnerable asset accessible to unauthenticated or untrusted entities via public networks such as the internet, regardless of physical or logical location? |
| KEV Status | Does the vulnerability (identified by CVE ID) have an entry in CISA’s Known Exploited Vulnerabilities catalog? |
| Exploit Automation | Is an adversary able to automate all the steps necessary to exploit the vulnerability? (Published by CISA via the Vulnrichment Program) |
| Technical Impact | Does exploitation give an adversary partial control (limited control or a low stochastic opportunity for total control) or total control (full control including credential exposure) over the asset? (Published by CISA via the Vulnrichment Program) |
Remediation Timelines (Table 1)
The combinations of the four variables above determine the required remediation window per CISA’s Table 1: Remediation Timelines. Key outcomes include:
- 3 days + forensic triage: Highest-risk combination — KEV, publicly exposed, automatable, total control. Agencies must remediate and conduct forensic triage of the asset to assess whether the system is already compromised.
- Shorter timelines: Applied to combinations with fewer high-risk factors (e.g., KEV but not publicly exposed, or publicly exposed but not automatable).
- Fix on system upgrade: The lowest-risk combinations may be deferred until the next scheduled major upgrade or rebuild, unless conditions change.
CISA publishes answers to KEV Status, Exploit Automation, and Technical Impact for every CVE ID through the Vulnrichment Program. Agencies determine Asset Exposure using CISA’s Internet Exposure Reduction Guidance and CDM scanning.
Phased Implementation Requirements
| Phase | Deadline | Key Requirements |
|---|---|---|
| Phase I | Immediate | Update vulnerability management policies; monitor KEV catalog; automate CDM reporting (or report manually bi-weekly); continue Cyber Hygiene scanning; attest publicly exposed IPs and domains quarterly |
| Phase II | Within 60 days | Update vulnerability management processes to support remediation based on the full CVE database and KEV catalog |
| Phase III | Within 180 days | Remediate each vulnerability per Table 1 timelines; continuously tag all internet-reachable assets (with organization, environment, exposure, and asset type); report vulnerability status to CISA every 7 days if not fully automated via CDM |
The Exposure Problem: Why Network Visibility Is the Foundation
BOD 26-04’s framework hinges on a question that is deceptively hard to answer at scale: Is this asset reachable from the internet?
In complex, multi-vendor networks with overlapping firewall rules, dynamic routing, cloud integrations, and legacy infrastructure, human intuition about reachability is unreliable. A device may appear internal but be reachable via an overlooked NAT rule or a misconfigured cloud gateway. The directive’s own definition is broad: an asset is publicly exposed if it is accessible to unauthenticated or untrusted entities via public networks, regardless of its physical or logical location. If any scanning method—CISA Cyber Hygiene, CDM, or third-party tooling—finds exposure, the value must be set to Yes.
Getting this wrong in either direction carries real cost:
- False negative (assuming protected when exposed): You apply the wrong—longer—timeline to a vulnerability that actually demands 3-day remediation plus forensic triage.
- False positive (assuming exposed when protected): You consume scarce remediation capacity on lower-priority items, defeating the directive’s intent.
How Forward Enterprise Helps
Determining Asset Exposure with Certainty
Forward Enterprise’s network digital twin models the actual state of your entire network—routing tables, ACLs, firewall rules, NAT, and cloud fabric—and answers reachability questions with mathematical precision. For any vulnerable device identified in your vulnerability management tooling, Forward can determine:
- Whether any path exists from the internet to that device
- Which specific ports and protocols are reachable
- Whether that reachability is intended or the result of misconfiguration
This transforms the BOD 26-04 exposure determination from an estimate into a verifiable, auditable fact—providing the defensible evidence needed for CDM reporting and CISA attestation.
Continuously Monitoring Exposure as the Network Changes
Because BOD 26-04 timelines are dynamic—resetting as facts change—continuous monitoring is essential. A firewall rule update, a new cloud interconnect, or a routing change can silently alter which assets are internet-exposed, shifting a deferred vulnerability into an active 3-day remediation window overnight.
Forward’s continuous collection and digital twin snapshots allow teams to:
- Detect when a previously non-exposed asset becomes reachable from the internet
- Trigger alerts when exposure state changes for assets with known CVEs
- Maintain an audit trail of when exposure changed and what caused it—supporting CISA’s quarterly IP/domain attestation requirement
Identifying High-Priority Devices with NQE
Forward Enterprise’s NQE (Network Query Engine) enables policy-as-code queries that combine CVE findings from your vulnerability scanner with network-level exposure data. The query below identifies devices that are both internet-exposed and have KEV vulnerabilities, the starting point for BOD 26-04’s shortest remediation windows.
// @intent: Produce a risk-based vulnerability remediation worklist aligned to CISA BOD 26-04 for an on-prem / air-gapped enclave, ranking every confirmed-vulnerable CVE finding by CISA KEV status and by real modeled exposure — defined as a direct topological link to the network's INTERNET synthetic device, not an IP-range or zone-name guess.
// @description: BOD 26-04 ("Prioritizing Security Updates Based on Risk") prioritizes patching using
// KEV status, asset exposure, post-exploitation technical impact, and exploit automation.
// @output:
// BOD 26-04 Priority: Risk band (P1 Immediate, P2 Urgent, P3 Elevated, P4 Standard) per the KEV + exposure logic.
// Device: The affected device name.
// Owner Tags: Device tags (e.g. directorate / organization) used to route the fix to the responsible team.
// Vendor: The device vendor — informs the applicable patch / advisory.
// OS: The device operating system.
// CVE ID: The CVE the device is confirmed vulnerable to.
// KEV Listed: True if this CVE is on CISA's Known Exploited Vulnerabilities catalog.
// Internet-Facing: True if the device links directly to a synthetic INTERNET device (perimeter ring).
// CVSS Base Score: Highest CVSS base score across vendor advisories for this CVE (impact proxy); blank if unscored.
// Vendor Severity: Severity reported by the device's own vendor for this CVE, when available.
// CWE Weaknesses: Common Weakness Enumerations associated with the CVE (impact characterization).
// Finding Basis: Whether vulnerability was determined by PLATFORM (model/OS) or CONFIG (feature state).
// Internet-Facing Interfaces: The local interface(s) linking to the INTERNET node (exposure evidence).
// KEV Catalog URL: Link to this CVE's entry in CISA's KEV catalog, when listed.
// Names of the synthetic INTERNET device(s) in this model — the customer's modeled boundary.
// (Built once; if you want to lock the device-parallel plan, replace with a literal set of names.)
internetDeviceNames =
(foreach d in network.devices
where d.platform.deviceType == DeviceType.INTERNET
select d.name);
@primaryKey(Device, "CVE ID")
foreach device in network.devices
let vendor = device.platform.vendor
// --- Asset Exposure (BOD 26-04): does any interface link directly to the INTERNET node? ---
let internetFacingIfaces =
(foreach iface in device.interfaces
foreach link in iface.links
where link.deviceName in internetDeviceNames
select iface.name)
let isExposed = length(internetFacingIfaces) > 0
// --- Confirmed-vulnerable findings, joined to the CVE database (inline == gets the _lookup index) ---
foreach finding in device.cveFindings
where finding.isVulnerable
let cve = the(foreach c in network.cveDatabase.cves
where c.cveId == finding.cveId
select c)
where isPresent(cve)
// --- KEV Status (BOD 26-04) ---
let isKev = isPresent(cve.cisaKevEntry)
// --- Impact proxies (best-effort; never drop a row if severity is missing) ---
let maxBaseScore = max(foreach vi in cve.vendorInfos
where isPresent(vi.baseScore)
select vi.baseScore)
let deviceVendorSeverity = the(foreach vi in cve.vendorInfos
where vi.vendor == vendor
select vi.severity)
let knownExploitReported = length(foreach vi in cve.vendorInfos
where vi.hasKnownExploit == true
select vi) > 0
let isHighImpact = isPresent(maxBaseScore) && maxBaseScore >= 7.0
// --- BOD 26-04 priority band: KEV + exposure drive the remediation clock ---
let priority =
if isKev && isExposed then "P1 - Immediate (KEV + Internet-Facing)"
else if isKev then "P2 - Urgent (KEV, Internal Only)"
else if isExposed && isHighImpact then "P3 - Elevated (Internet-Facing, High Impact)"
else "P4 - Standard (Deferrable)"
select {
"BOD 26-04 Priority": priority,
Device: device.name,
"Owner Tags": device.tagNames,
Vendor: vendor,
OS: device.platform.os,
"CVE ID": finding.cveId,
"KEV Listed": isKev,
"Internet-Facing": isExposed,
"CVSS Base Score": maxBaseScore,
"Vendor Severity": deviceVendorSeverity,
"CWE Weaknesses": cve.weaknesses,
"Finding Basis": finding.basis,
"Internet-Facing Interfaces": internetFacingIfaces,
"KEV Catalog URL": cve.cisaKevEntry?.url
}
order by "BOD 26-04 Priority" asc, "CVSS Base Score" desc
Verifying Remediation and Supporting Asset Tagging
After patching, teams must confirm that vulnerable software versions are no longer present and that no new exposure was inadvertently introduced. Forward’s snapshot comparison lets engineers diff network state before and after a patching cycle, confirming both the fix and the absence of unintended side effects.
Phase III of BOD 26-04 also requires agencies to continuously tag all internet-reachable assets with organization, environment (prod/dev), exposure (public/internal), and asset type. Forward’s device inventory and topology data provides the foundation for building and maintaining this tagging schema across the enterprise.
What You Should Do Right Now
- Review and update your vulnerability management policies to align with BOD 26-04’s four-variable risk framework (required immediately under Phase I).
- Map your internet-exposed assets — Use Forward Enterprise to generate a definitive, auditable list of all devices reachable from external networks.
- Cross-reference with your KEV-impacted devices — Any device that is internet-exposed AND has KEV findings is a priority candidate for the shortest remediation window.
- Pull Automatable and Technical Impact data from Vulnrichment — These are the remaining two variables needed to assign the precise tier from Table 1.
- Set up continuous exposure monitoring — Alerts on exposure state changes ensure your risk tier assignments stay accurate as the network evolves.
- Prepare for Phase III asset tagging — Begin structuring asset metadata (organization, environment, exposure, asset type) ahead of the 180-day deadline.
Final Thoughts
BOD 26-04 is a meaningful evolution of federal vulnerability management—one that acknowledges engineering capacity is finite and must be directed where risk is highest. By consolidating and superseding both BOD 22-01 and BOD 19-02, it provides a single, coherent framework for vulnerability prioritization tied to real-world attacker behavior.
The directive’s effectiveness depends on organizations having accurate, real-time answers to the exposure question. Networks are not static: a vulnerability that qualifies for a long deferral today can become a 3-day emergency overnight if a configuration change opens a path to the internet. Continuous network visibility isn’t just helpful for BOD 26-04 compliance—it is the foundation the directive’s risk framework is built on.
