Synced 16 Jun 2026 15:24 UTC
CISA BOD 26-04 · risk-based patching · FCEB agencies & their vendors

Risk-based vulnerability prioritisation, operationalised

BOD 26-04 (10 Jun 2026) replaces BOD 22-01: instead of one deadline for every vulnerability, agencies must tier by risk — asset exposure, evidence of exploitation, adversary automation and technical impact — patching the most dangerous within ~3 days. IsItPatched ranks your software the same way, and hands you the remediation record.

1046 actively-exploited CVEs across 613 tracked products right now

Built for everyone the directive reaches

FCEB agencies

Bound by BOD 26-04. Operationalise the risk-based model for the software-component slice — known-exploited-first, with the evidence to show your process.

Federal contractors & vendors

Agencies have been directed to review their contracts with vendors that operate or support agency systems. Show that the software you operate or supply is tracked, risk-ranked and patched on a defensible, exploitation-led schedule.

Everyone else

BOD 26-04 is fast becoming the reference model for risk-based patching. Adopt the same prioritisation without waiting to be told.

BOD 26-04 risk factors → how IsItPatched ranks

Evidence of exploitation

Every finding is flagged if it is listed in CISA KEV (known to be actively exploited) and scored with its EPSS exploitation probability (the estimated likelihood of exploitation activity in the next 30 days). Evidence of exploitation is the factor that triggers the directive's fastest tier, and a KEV listing is the public signal for it.

See actively-exploited CVEs →

Asset exposure & impact

You set each product's exposure and business importance; we combine that with severity (the CVSS score from NVD) in an SSVC-inspired model that mirrors BOD 26-04's risk dimensions.

How the ranking works →

The 3-day tier

Actively-exploited, high-impact items float to the top of a fix-these-first queue — the candidates for the directive’s tightest (~3-day) remediation window.

Open your queue →

Inventory & end-of-life

Know the affected software and versions from an SBOM, the minimum safe version, and which components are end-of-life (no fixes coming).

End-of-life calendar →

Export your remediation record — today, free

  • A risk-ranked, known-exploited-first patch queue — your prioritisation record, the way BOD 26-04 asks for it
  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run and the recommended action
  • A CycloneDX VEX document recording exploitability and remediation per component

Sign in (free, no password) to sync your stack and generate these from your dashboard.

Straight with you: BOD 26-04 is binding on FCEB agencies and involves an agency’s own asset inventory, authorised scanners, forensic-triage capability and reporting to CISA — most of which a vulnerability tool does not touch. IsItPatched is an informational tool (NVD · CISA KEV · EPSS · OSV · endoflife.date) that helps operationalise the software-vulnerability prioritisation the directive is built around. It is not CISA, not an authorised scanner, not an attestation of compliance, and not legal advice. Disclaimer.

CISA BOD 26-04 — frequently asked

What is CISA BOD 26-04?

Binding Operational Directive 26-04, "Prioritizing Security Updates Based on Risk," was issued by CISA on 10 June 2026. It replaces BOD 22-01 (the Known Exploited Vulnerabilities directive) and BOD 19-02, and tells US federal civilian (FCEB) agencies to stop treating every vulnerability with the same deadline. Instead it uses a risk-based, tiered model — combining asset exposure, evidence of exploitation, adversary automation capability and technical impact — so the most dangerous vulnerabilities are remediated within about three days (with forensic triage), while lower-risk ones can wait for the next upgrade cycle.

Who does BOD 26-04 apply to?

It is binding on US Federal Civilian Executive Branch (FCEB) agencies. It does not directly bind federal contractors, but CISA has directed agencies to review contracts so that vendors operating or supporting agency systems can keep the agency compliant — so the practical reach extends to many software suppliers. Agencies must update policy immediately, processes within ~60 days (around August 2026), and meet the full remediation timelines within ~180 days (around December 2026).

How does IsItPatched help with BOD 26-04?

BOD 26-04 is risk-based prioritisation — which is exactly what IsItPatched does. Scan an SBOM or monitor your stack, and every finding is ranked by active exploitation (CISA KEV), exploitation probability (EPSS) and severity, then combined with the exposure and business-importance context you set — an SSVC-inspired model that mirrors the directive’s risk factors. You get a known-exploited-first patch queue, the minimum safe version, end-of-life flags, and an exportable, risk-ranked remediation record.
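As an added illustration of the kind of SSVC-style decision described in this answer and in the "risk factors" section above, here is a small Python model of risk tiering run over constructed findings. This is example code written for this page, not IsItPatched's own ranking code and not anything taken from the directive: the tier names, the EPSS and CVSS thresholds, the decision table, and the sample CVE identifiers and package URLs are all assumptions.

```python
"""SSVC-style tiering of vulnerability findings (added example, not the
IsItPatched ranking code). Tier names, thresholds and the decision table
are assumptions chosen to illustrate the four BOD 26-04 risk factors:
asset exposure, evidence of exploitation, adversary automation, technical impact.
"""
from dataclasses import dataclass

TIER_ORDER = {"act": 0, "attend": 1, "track": 2}  # "act" stands in for the ~3-day tier


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str          # package URL the finding was matched to
    cvss: float             # CVSS base score (severity)
    attack_vector: str      # CVSS AV: N (network), A (adjacent), L (local), P (physical)
    attack_complexity: str  # CVSS AC: L (low) or H (high)
    epss: float             # EPSS: probability of exploitation activity in the next 30 days
    in_kev: bool            # listed in CISA KEV


@dataclass(frozen=True)
class AssetContext:
    exposure: str    # operator-set: "internet", "internal" or "isolated"
    importance: str  # operator-set business importance: "high", "medium" or "low"


def exploitation(f: Finding) -> str:
    """Evidence of exploitation: a KEV listing outranks any EPSS estimate."""
    if f.in_kev:
        return "active"
    if f.epss >= 0.10:  # assumed cut-off for "exploitation likely"
        return "likely"
    return "none"


def automatable(f: Finding) -> bool:
    """Adversary-automation proxy (assumption): network-reachable and low complexity."""
    return f.attack_vector == "N" and f.attack_complexity == "L"


def technical_impact(f: Finding) -> str:
    return "total" if f.cvss >= 9.0 else "partial"  # assumed boundary


def tier(f: Finding, ctx: AssetContext) -> str:
    """Decision table (assumption) combining the four factors into a tier."""
    ex, auto, impact = exploitation(f), automatable(f), technical_impact(f)
    reachable = ctx.exposure == "internet" or (
        ctx.exposure == "internal" and ctx.importance == "high")
    if ex == "active":
        # Known-exploited and either automatable or total impact goes to the
        # fix-first queue, unless the asset is off the network entirely.
        if (auto or impact == "total") and ctx.exposure != "isolated":
            return "act"
        return "attend"
    if ex == "likely" and auto and impact == "total" and reachable:
        return "attend"
    return "track"


def rank(findings, contexts):
    """Return (finding, tier) pairs ordered tier first, then KEV, then EPSS, then CVSS."""
    scored = [(f, tier(f, contexts[f.component])) for f in findings]
    scored.sort(key=lambda p: (TIER_ORDER[p[1]], not p[0].in_kev, -p[0].epss, -p[0].cvss))
    return scored


def three_day_candidates(ranked):
    """CVE ids in the tightest tier: the candidates for the ~3-day window."""
    return [f.cve for f, t in ranked if t == "act"]


# Constructed sample input: placeholder CVE ids and package URLs, not real scan data.
SAMPLE_CONTEXT = {
    "pkg:npm/webfront@2.1.0": AssetContext("internet", "high"),
    "pkg:pypi/batchjob@1.4.2": AssetContext("isolated", "low"),
    "pkg:maven/internal-api@3.0.0": AssetContext("internal", "medium"),
}
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "pkg:npm/webfront@2.1.0", 9.8, "N", "L", 0.94, True),
    Finding("CVE-0000-0002", "pkg:pypi/batchjob@1.4.2", 7.8, "L", "L", 0.05, True),
    Finding("CVE-0000-0003", "pkg:npm/webfront@2.1.0", 9.1, "N", "L", 0.31, False),
    Finding("CVE-0000-0004", "pkg:maven/internal-api@3.0.0", 5.3, "N", "L", 0.01, False),
    Finding("CVE-0000-0005", "pkg:maven/internal-api@3.0.0", 9.8, "N", "L", 0.60, True),
]

if __name__ == "__main__":
    for f, t in rank(SAMPLE_FINDINGS, SAMPLE_CONTEXT):
        print(f"{t:7} {f.cve}  kev={f.in_kev}  epss={f.epss:.2f}  cvss={f.cvss}  {f.component}")
```

The point the sample makes is the one the directive's model rests on: the KEV-listed CVE on the isolated batch host (CVE-0000-0002) does not land in the 3-day queue, while the lower-EPSS KEV item on the internal API (CVE-0000-0005) does, because exposure and impact are weighed alongside exploitation evidence rather than every CVSS 9+ finding getting the same deadline.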

Does IsItPatched make an agency BOD 26-04 compliant?

No. BOD 26-04 compliance involves an agency’s own asset inventory, vulnerability scanners, forensic-triage capability and reporting to CISA. IsItPatched is an informational tool (NVD · CISA KEV · EPSS · OSV · endoflife.date) that helps operationalise the software-vulnerability prioritisation the directive is built around. It is not CISA, not an authorised scanner, not an attestation of compliance, and not legal advice.

Working to other mandates too? See all our compliance editions →