The Three-Day Clock: CISA's BOD 26-04
For half a decade, federal vulnerability deadlines ran on one simple rule: rate the flaw’s severity, then start a fixed clock. A high CVSS score bought a short window, a lower score a longer one, and where the vulnerability actually lived — on a server facing the open internet, or buried three hops inside the network — barely entered into it. On 10 June 2026, CISA threw that rule out. Binding Operational Directive 26-04 revokes the two directives that defined the era — the 2019 rule for internet-accessible systems and the 2021 Known Exploited Vulnerabilities catalogue — drops CVSS severity as the trigger entirely, and replaces the fixed clock with one that can run as short as three calendar days. The reason it gives is the argument we have spent this year making: the danger is no longer whether a fix exists. It is how fast you can deploy it.
What replaced the rule
The new model scores a vulnerability on four questions, not one. Is the asset publicly exposed — reachable over a routable network from outside? Is the flaw known to be exploited — already in CISA’s KEV catalogue? Can an attacker automate every step of exploitation? And what is the technical impact — does a successful exploit hand over partial control, or total? Those four bits — exposure, exploitation, automation, impact — replace the single CVSS number, read from the SSVC “Vulnrichment” metadata that already rides inside the CVE feeds most tooling consumes.
The output is not a score but a deadline. A vulnerability that is publicly exposed, known-exploited, automatable, and grants full control lands in the top tier: remediate within three calendar days — and, where it grants total control, conduct forensic triage in that same window, because by the time you are patching you may already be cleaning up. Step down the risk and the clock lengthens: fourteen days for most known-exploited flaws, sixty days for lower-risk combinations, and “fix it at the next major upgrade” for everything that trips none of the four. The clock is live, not stamped once at disclosure — pull a system off the internet and its deadline relaxes; the moment a CVE lands on the KEV, the deadline tightens. Agencies have until roughly August to rework their processes and until December 2026 to be running fully against the new timelines.
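To make the four-bit model concrete, here is a small worked model of that decision logic in Python. It is an illustration added to this post, not CISA's implementation guidance or any vendor's tooling, and it makes three assumptions the directive text above does not pin down: every known-exploited flaw outside the top tier gets the fourteen-day clock, any other single risk bit gets the sixty-day clock, and when a finding's risk state changes the clock restarts from the date of that change. The CVE identifiers and asset names are constructed placeholders.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Impact(Enum):
    PARTIAL = "partial"   # a successful exploit hands over partial control
    TOTAL = "total"       # a successful exploit hands over total control


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset, carrying the four risk bits the directive reads."""
    cve_id: str
    asset: str
    publicly_exposed: bool   # reachable over a routable network from outside
    known_exploited: bool    # listed in CISA's KEV catalogue
    automatable: bool        # every exploitation step can be automated
    impact: Impact
    clock_start: date        # day the current risk state was established


@dataclass(frozen=True)
class Decision:
    tier: str
    remediate_within_days: Optional[int]   # None means "fix at the next major upgrade"
    forensic_triage: bool
    due: Optional[date]


def decide(f: Finding) -> Decision:
    """Map the four risk bits to a calendar deadline, as the post describes."""
    # Top tier: exposed, known-exploited and automatable -> three calendar days.
    # Forensic triage in the same window when the exploit grants total control.
    if f.publicly_exposed and f.known_exploited and f.automatable:
        return Decision("1", 3, f.impact is Impact.TOTAL, f.clock_start + timedelta(days=3))
    # Known-exploited but not exposed or not automatable -> fourteen days.
    # Assumption: the post says "most" KEV flaws; all remaining KEV flaws are treated this way here.
    if f.known_exploited:
        return Decision("2", 14, False, f.clock_start + timedelta(days=14))
    # Any other risk bit set -> sixty days. Assumption: these are the "lower-risk combinations".
    if f.publicly_exposed or f.automatable or f.impact is Impact.TOTAL:
        return Decision("3", 60, False, f.clock_start + timedelta(days=60))
    # None of the four tripped -> next major upgrade, no calendar deadline.
    return Decision("4", None, False, None)


def reassess(f: Finding, as_of: date, **changes) -> Finding:
    """The clock is live: change a risk bit (e.g. known_exploited=True) and restart it from as_of.

    Assumption: the clock restarts on the date the risk state changed.
    """
    return replace(f, clock_start=as_of, **changes)


def triage_queue(findings: List[Finding]) -> List[Tuple[Finding, Decision]]:
    """Order findings by due date, soonest first; next-major-upgrade items sink to the bottom."""
    decided = [(f, decide(f)) for f in findings]
    decided.sort(key=lambda fd: (fd[1].due is None, fd[1].due or date.max))
    return decided


def sample_findings() -> Dict[str, Finding]:
    """Constructed sample data; the CVE ids are placeholders, not real catalogue entries."""
    day0 = date(2026, 6, 10)
    return {
        "edge": Finding("CVE-0000-0001", "vpn-gw-01", True, True, True, Impact.TOTAL, day0),
        "internal": Finding("CVE-0000-0002", "hr-app-03", False, False, True, Impact.PARTIAL, day0),
        "quiet": Finding("CVE-0000-0003", "print-srv-07", False, False, False, Impact.PARTIAL, day0),
    }


if __name__ == "__main__":
    s = sample_findings()
    for f, d in triage_queue(list(s.values())):
        print(f"{f.cve_id} on {f.asset}: tier {d.tier}, due {d.due}, forensic triage={d.forensic_triage}")
    # A KEV listing on 15 June tightens the internal app's clock from sixty days to fourteen.
    print(decide(reassess(s["internal"], date(2026, 6, 15), known_exploited=True)).due)
    # Pulling the edge device off the internet relaxes its clock from three days to fourteen.
    print(decide(reassess(s["edge"], date(2026, 6, 12), publicly_exposed=False)).due)
```

The point the model makes visible is the one the post makes in words: the deadline is a function of the asset's current state, so the same CVE carries different clocks on different hosts, and a single KEV addition or network change re-sorts the whole queue. Any real tracker would have to feed `reassess` from the KEV feed and the exposure inventory continuously rather than scoring once at disclosure.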
The reason on the directive’s face
Read the rationale and the essay writes itself. CISA’s stated reason for tearing up a decade of practice is that threat actors’ use of AI is narrowing the window between a patch’s release and its exploitation — that discovery and weaponisation are accelerating, and the defender’s time to react is collapsing to match. The federal government has, in other words, written our 99% problem into a binding directive. We argued that the remediation gap — the distance between a fix that exists and a fix that runs — is operational, not technical, and that AI was filling the queue faster than the queue could drain. CISA has now staked its own networks on the same proposition, and put a stopwatch on it. The supporting evidence is not subtle: the 2026 Verizon Data Breach Investigations Report finds exploitation of vulnerabilities is now the single leading initial-access vector, at 31%. Attackers are arriving through unpatched software more than through anything else — and they are getting faster.
Three days is a pipeline, not a timeline
Here is what a three-day clock actually means for the people who do the work: you cannot meet it by hand. There is no version of “notice the patch, repackage the installer, sort the silent-install switches, book a change window, run a six-week regression, collect sign-off” that fits inside seventy-two hours. The deadline is short enough that the only way to hit it is to have already industrialised the path between a released fix and a deployed one. One analyst put it exactly right: the three-day requirement is “an automation mandate wearing a compliance costume.” The directive is framed as prioritisation — patch the dangerous things first — but its real instruction is structural. It tells you that the cadence we wrote about, already running weekly where the calendar still assumes quarterly, now has a regulator’s deadline bolted to its sharpest edge. Three days is not a timeline you staff. It is a pipeline you build: intake the fixed build automatically, repackage it automatically, run the comparison test — previous version against new, across install, update, runtime and uninstall — automatically, and publish on a clock set by exposure rather than by the change calendar.
It reaches you even if you are not a federal agency
BOD 26-04 binds federal civilian agencies and no one else. Read that as the floor, not the ceiling. Federal security guidance has a long habit of becoming everyone’s baseline through a side door — the auditor, the insurer, and the board. Assessors benchmark “reasonable” against what the government requires of itself, and CISA guidance turns up in audit workpapers long before it turns up in regulation. Cyber underwriters convert federal benchmarks into policy questions: the KEV timelines from the 2021 directive were in insurance questionnaires within a couple of renewal cycles, and there is no reason this clock will move slower. Directors ask the simplest version of all — what does the US government require for its own networks, and why don’t ours look like that? And because the directive explicitly tells agencies to review their contracts, its timelines will work their way into procurement language and land on every supplier and SaaS vendor that wants federal business.
Nor is the United States the only government now legislating deployment speed. The EU’s Cyber Resilience Act begins its mandatory reporting obligations on 11 September 2026, on a clock of its own: an early warning within 24 hours of a vulnerability being actively exploited, a fuller notification within 72 hours, and a final report within 14 days of a fix becoming available. Two regulators, two continents, one conviction — that the existence of a patch is no longer the point, and the speed of its deployment is.
The last mile has a stopwatch
We wrote in The 99% Problem that the remediation gap is operational, not technical. We meant it as an argument. On 10 June it became a deadline. A three-day clock is not something you satisfy with a change window and a regression spreadsheet — it is something you build a pipeline to meet, and the part of security it puts the stopwatch on is the last mile: package, test, publish. The honest reading of BOD 26-04 is not that the government wants you to patch faster. It is that the government has concluded you can no longer do this by hand and stay safe. Three days is not a deadline you meet by working harder. It is one you meet by no longer doing it manually.
Sources: CISA, “BOD 26-04: Prioritizing Security Updates Based on Risk” and its Implementation Guidance (10 June 2026), as reported and analysed by Tenable, Automox, Nucleus Security, GuidePoint and others — the “automation mandate wearing a compliance costume” framing is Automox’s. Initial-access figure from the Verizon 2026 Data Breach Investigations Report. EU reporting timeline from the European Commission, “Cyber Resilience Act — reporting of actively exploited vulnerabilities and severe incidents” (obligations from 11 September 2026). Prior posts referenced: “The 99% Problem” and “packaging’s new cadence”.