The US Cybersecurity and Infrastructure Security Agency (CISA) revoked BOD 22-01 (Binding Operational Directive 22-01) on 10 June and replaced it with the risk-tiered BOD 26-04 1. BOD 22-01 had been the order behind CISA's mandatory patch deadlines for US federal agencies since 2021, built on the agency's catalogue of KEV (Known Exploited Vulnerabilities), its list of flaws confirmed as actively exploited. Under the new directive, agencies no longer get one due date per flaw. They score each one across four dimensions, asset internet exposure, KEV catalogue status, exploit-automation feasibility, and post-exploitation impact, then assign a 3-day, 14-day, 60-day, or next-upgrade-cycle window 2. The KEV catalogue had passed 1,627 entries by 23 June, roughly two new flaws a day to triage under the new rules 3.
The shift answers a problem this beat has tracked for four months: deadlines outrunning the patches meant to meet them. CISA set a PAN-OS deadline that landed four days before the patch shipped ; it listed an Exchange OWA flaw with a federal cut-off and no fix at all ; and on 9 June Arista Networks formally refused to patch a KEV-listed flaw, leaving agencies bound to remediate something the vendor would not repair . BOD 22-01 assumed a patch existed or was imminent, and had no answer for any of those cases.
The transition carries a live irony. Arista's 23 June deadline, now passed, was set under a directive CISA had already revoked on 10 June . Whether it still bound federal Arista customers after the revocation was never resolved in public, and CISA has named no enforcement action since it lapsed.
Treat the reframe with care. BOD 26-04 maps closely onto what CISA already did case by case, since Check Point drew a 3-day window and Arista 14 under the old order 4. The new directive still carries no explicit clause for a vendor that declines to patch outright, so the Arista problem is reclassified into the risk tiers rather than closed. Revoking the foundational directive is materially significant; the claim that it ends the patch-gap era is not.
