
CISA
US federal cyber lead; runs the KEV catalogue with mandatory federal patch deadlines.
Last refreshed: 24 June 2026 · Appears in 1 active topic
How can CISA enforce its own KEV catalogue with 860 fewer staff?
Timeline for CISA
Added seven CVEs to the KEV catalogue over the fortnight
Cybersecurity: Threats and Defences: A quiet KEV fortnight, then a 2008 bugAdded six actively exploited CVEs to KEV across three updates this fortnight
Cybersecurity: Threats and Defences: BOD 26-04, a fortnight of triageUpdated the CVE-2026-33825 KEV entry to confirm ransomware exploitation for SYSTEM access
Cybersecurity: Threats and Defences: BlueHammer turns into a ransomware stepAdded CVE-2026-45659 to the KEV catalogue with a three-day FCEB deadline
Cybersecurity: Threats and Defences: SharePoint patch clock runs out todayFlagged the FortiBleed credential set as privately held
Cybersecurity: Threats and Defences: Lynx crew cashes in FortiBleed haulIs CISA being cut under Trump's 2027 budget?
How many vulnerabilities are in the CISA KEV catalogue?
What is CISA BOD 26-04 and how does it change KEV patch deadlines?
Background
The Cybersecurity and Infrastructure Security Agency (CISA) is the US federal lead for protecting critical infrastructure and federal civilian networks. Created by Congress in 2018, it runs the Known Exploited Vulnerabilities (KEV) catalogue, which issues mandatory patch deadlines for Federal Civilian Executive Branch agencies and voluntary urgency signals for private-sector organisations. The agency also leads the Joint Cyber Defence Collaborative, co-ordinates national counter-ransomware response, and provides election infrastructure security support to all fifty states. CISA operates within the Department of Homeland Security and works in formal partnership with the Five Eyes national CERTs, including the UK NCSC.
CISA's posture on patch enforcement underwent a structural shift on 10 June 2026 when the agency issued Binding Operational Directive 26-04, formally revoking BOD 22-01. The fixed-window KEV regime (14 days for non-critical, 2-7 days for critical) has been replaced by a four-dimension risk-tiered model assigning remediation windows of 3 days, 14 days, 60 days, or next upgrade cycle based on exploitability, exposure, criticality of the affected asset, and known threat actor behaviour. The first batch of KEV additions filed under the new tier structure landed on 23 June, when CISA assigned the three Ubiquiti CVSS 10.0 chain CVEs to the top 3-day tier, confirming the model applies from the directive's effective date.
The BOD 26-04 transition creates a period of ambiguity for in-flight deadlines set under the revoked order: at least one active window (Arista's 23 June obligation) was issued before 10 June, making its status under the new regime unclear. The KEV catalogue itself continues to grow; it stood at approximately 1,627 entries as of mid-June 2026, accruing at roughly two CVEs per day; this growth runs against the backdrop of a proposed $707m budget cut in the FY27 request that would eliminate around 860 CISA positions, reducing the agency's capacity to maintain the advisory quality on which the KEV signal depends. The simultaneous expansion of the catalogue and contraction of the agency's staffing base represents the central structural tension in US federal cyber posture heading into the second half of 2026.