
CISA Mandates U.S. Agencies to Patch Critical Vulnerabilities Within 3 Days


Quick answer

CISA has mandated U.S. federal agencies to patch actively exploited critical vulnerabilities within three days, introducing strict compliance deadlines and a public vulnerability registry to improve cybersecurity…

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has approved Binding Operational Directive (BOD) 26-04, establishing strict deadlines for federal agencies to remediate critical vulnerabilities. According to the directive, all civilian executive branch agencies must remediate vulnerabilities that are being actively exploited by threat actors within three days of detection.

The new rules cover all IT systems connected to federal networks. In cases where immediate patching is not feasible, agencies must disconnect vulnerable services or isolate them from the network to prevent attacks. CISA also mandated the creation of a public registry of known vulnerabilities to enhance inter-agency coordination and transparency.

The directive aims to reduce the risk of cyberattacks on critical infrastructure. While experts acknowledge that the tight deadlines will shrink attackers' windows of opportunity, they stress that agencies will need substantial resources to meet operational demands. CISA emphasizes that these measures align with modern cybersecurity challenges and are expected to set a benchmark for other nations.

Common questions

Which organizations are subject to CISA's new directive?
The new rules apply to U.S. Federal Civilian Executive Branch (FCEB) agencies, including those managing critical infrastructure and connected to government networks.

What happens if an agency fails to patch a vulnerability within three days?
The directive requires agencies to disconnect vulnerable services from the network or isolate them until patches are applied, reducing exploitation risks.

Why did CISA introduce a public vulnerability registry?
The registry aims to improve transparency and coordination among agencies by providing timely threat intelligence and accelerating incident response efforts.

Why trust this

Prepared by the V-Help editorial team from the primary source with a published date.

Published by: V-Help.ru news desk

Source: BleepingComputer