Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
20MAY

CISA tears up its KEV deadline rules

4 min read
09:58UTC

CISA revoked BOD 22-01 on 10 June and replaced it with a risk-tiered model, four days before Arista's deadline under the old order fell due.

TechnologyDeveloping
Key takeaway

The federal patch-deadline era ended because exploitation outran it, not because anyone won the argument.

The US Cybersecurity and Infrastructure Security Agency (CISA) revoked BOD 22-01 (Binding Operational Directive 22-01) on 10 June and replaced it with the risk-tiered BOD 26-04 1. BOD 22-01 had been the order behind CISA's mandatory patch deadlines for US federal agencies since 2021, built on the agency's catalogue of KEV (Known Exploited Vulnerabilities), its list of flaws confirmed as actively exploited. Under the new directive, agencies no longer get one due date per flaw. They score each one across four dimensions, asset internet exposure, KEV catalogue status, exploit-automation feasibility, and post-exploitation impact, then assign a 3-day, 14-day, 60-day, or next-upgrade-cycle window 2. The KEV catalogue had passed 1,627 entries by 23 June, roughly two new flaws a day to triage under the new rules 3.

The shift answers a problem this beat has tracked for four months: deadlines outrunning the patches meant to meet them. CISA set a PAN-OS deadline that landed four days before the patch shipped ; it listed an Exchange OWA flaw with a federal cut-off and no fix at all ; and on 9 June Arista Networks formally refused to patch a KEV-listed flaw, leaving agencies bound to remediate something the vendor would not repair . BOD 22-01 assumed a patch existed or was imminent, and had no answer for any of those cases.

The transition carries a live irony. Arista's 23 June deadline, now passed, was set under a directive CISA had already revoked on 10 June . Whether it still bound federal Arista customers after the revocation was never resolved in public, and CISA has named no enforcement action since it lapsed.

Treat the reframe with care. BOD 26-04 maps closely onto what CISA already did case by case, since Check Point drew a 3-day window and Arista 14 under the old order 4. The new directive still carries no explicit clause for a vendor that declines to patch outright, so the Arista problem is reclassified into the risk tiers rather than closed. Revoking the foundational directive is materially significant; the claim that it ends the patch-gap era is not.

Deep Analysis

In plain English

CISA is the US government agency responsible for telling federal departments and agencies which software vulnerabilities they must fix, and how fast. Until 10 June 2026, the rule was simple: once a flaw went on its official list (called the Known Exploited Vulnerabilities catalogue), agencies had a fixed window, usually 14 days, to patch. The new rule, BOD 26-04, asks: how dangerous is this specific flaw, in this specific situation? A flaw that is being actively attacked on the internet, can be exploited automatically, and gives the attacker full control of a system gets three days. A less severe flaw with no evidence of active exploitation might get 60 days or simply the next planned upgrade. The idea is to focus urgent effort where risk is highest, rather than treating every flaw identically.

Deep Analysis
Root Causes

BOD 22-01 collapsed under three converging pressures. First, the fixed-deadline model assumed vendors would patch before federal deadlines, a premise that broke publicly when the PAN-OS CVE-2026-0300 deadline preceded the patch by four days , and again when CISA listed Exchange CVE-2026-42897 with no remediation path .

Second, Arista's confirmed refusal to patch CVE-2026-7473 exposed the absence of any enforcement mechanism against non-cooperative vendors: the directive bound federal agencies, not the vendors supplying them.

Third, the KEV catalogue grew 42 entries since late April to reach 1,627, generating a volume of deadlines that CISA could not monitor for compliance after the Trump FY27 budget proposed cutting the agency by $707 million and 860 positions. A smaller agency faced with more deadlines produces selective enforcement; risk-tiering is partly a staffing adaptation.

What could happen next?
  • Risk

    In-flight BOD 22-01 deadlines, including Arista's 23 June window, entered a period of transitional ambiguity on 10 June; federal agencies that were tracking these deadlines now lack a clear compliance posture until CISA publishes BOD 26-04 classification guidance.

    Immediate · Assessed
  • Consequence

    Cyber insurers and procurement auditors using KEV status as a mandatory-patch proxy must rebuild their assessment templates; the existing 14-day default is no longer universal.

    Short term · Reported
  • Precedent

    BOD 26-04 is the first US federal directive to formally codify risk-tiered vulnerability remediation; if it reduces patch cycle time for the highest-severity flaws, it will become the model for allied-nation NIS2 and NCSC guidance updates.

    Medium term · Suggested
First Reported In

Update #8 · CISA tears up the KEV deadline rulebook

CISA· 24 Jun 2026
Read original
Causes and effects
This Event
CISA tears up its KEV deadline rules
The benchmark every federal and enterprise patch programme calibrates against has changed from a single deadline per flaw to a four-dimension risk score.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.