ctipilot.ch


CISA replaces the KEV 14-day rule: BOD 26-04 introduces risk-tiered remediation with a 3-day class for the worst exposures

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

CISA issued Binding Operational Directive 26-04 ("Prioritizing Security Updates Based on Risk") on 10 June, superseding and revoking BOD 19-02 and BOD 22-01 — the directive that created the flat KEV remediation deadlines (CISA, 2026-06-10). US federal civilian agencies must now tier remediation by four criteria: internet exposure of the asset, KEV listing, exploit automatability, and total-versus-partial technical impact. Vulnerabilities meeting all four require remediation within three calendar days plus a forensic triage before patching to determine whether the system was already compromised; low-risk findings may defer to the next upgrade cycle. CISA's companion post cites AI-accelerated exploitation as a driver and notes that "only 26% of vulnerabilities on CISA's Known Exploited Vulnerabilities (KEV) Catalog were fully remediated by organizations in 2025," with median time-to-remediation rising to 43 days (CISA, 2026-06-10). The directive binds only US FCEB agencies — it carries no jurisdictional weight in Switzerland or the EU — but the four-criterion model is a transferable benchmark for patch-governance SLAs under NIS2 Art. 21 vulnerability-handling obligations.

Why it matters to us: if your patch SLA still treats every KEV entry identically, the four-criterion test (exposed + KEV + automatable + total control) is a defensible way to concentrate emergency-change effort; CISA's pilot data suggests only ~1 % of findings land in the 3-day class.
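As an added illustration (not code from the brief, from CISA or from BOD 26-04), the four-criterion test applied to a constructed list of findings: KEV membership is read from a constructed excerpt in the shape of CISA's public KEV JSON feed, while "automatable" and "total technical impact" are derived from CVSS 3.x vectors by assumed heuristics, and the non-emergency tiers use assumed placeholder actions because the brief only specifies the 3-day class and the deferral case.

```python
import json
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's public KEV JSON feed (field names are the
# real ones; the CVE IDs and dates are made-up sample data).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2026-07-01"},
  {"cveID": "CVE-0000-0002", "dueDate": "2026-07-01"}]}"""
KEV_IDS = {v["cveID"] for v in json.loads(KEV_JSON)["vulnerabilities"]}

@dataclass
class Finding:
    cve: str
    asset: str
    internet_exposed: bool  # from the asset inventory / external attack-surface scan
    cvss_vector: str        # CVSS 3.x vector string as reported by the scanner

def _metrics(vector):
    # "CVSS:3.1/AV:N/AC:L/..." -> {"AV": "N", "AC": "L", ...}
    return dict(part.split(":") for part in vector.split("/")[1:])

def automatable(vector):
    # Assumed heuristic for "exploit automatability": reachable over the network,
    # low attack complexity, no privileges and no user interaction required.
    m = _metrics(vector)
    return m["AV"] == "N" and m["AC"] == "L" and m["PR"] == "N" and m["UI"] == "N"

def total_impact(vector):
    # Assumed mapping: full loss of C, I and A counts as "total" technical impact.
    m = _metrics(vector)
    return m["C"] == "H" and m["I"] == "H" and m["A"] == "H"

def classify(f):
    """Return (tier, required actions) for one finding under the four-criterion test."""
    hits = (f.internet_exposed, f.cve in KEV_IDS,
            automatable(f.cvss_vector), total_impact(f.cvss_vector))
    if all(hits):
        # Worst class: triage for prior compromise first, then patch within 3 days.
        return "3-day", ["forensic triage before patching", "patch within 3 calendar days"]
    if not any(hits):
        return "defer", ["bundle into next upgrade cycle"]
    return "standard", ["apply existing patch SLA"]  # assumed: brief defines no middle tier

def emergency_share(findings):
    """Fraction of findings in the 3-day class (compare with CISA's ~1 % pilot figure)."""
    tiers = [classify(f)[0] for f in findings]
    return tiers.count("3-day") / len(tiers) if tiers else 0.0
```

Feed it your own scanner export and exposure data to see how much of the backlog would actually land in the emergency-change class under this test.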